Yeah, the hacker could guess a random number in HTML & JavaScript, but the
hacker has no way of putting it into PHP on the server side.  So we get
two different random numbers and an invalid match.

"Marek Kilimajer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> This has been solved - the extra characters are stored in the session,
> otherwise the attacker can repeat it too. The password can be stored on
> the server using a one-way hash - on the client the script hashes
> twice, first to get the hashed password, then together with the random
> string
>
> Gerald Timothy Quimpo wrote:
>
> >On Saturday 11 January 2003 12:12 am, Scott Fletcher wrote:
> >
> >
> >>The only thing that is important to me is that the password get
> >>encrypted before transmitting across the internet.
> >>
> >>
> >
> >from other posts further in the thread it looks like you aren't
> >ready to use https.  that's too bad.  that would really be the
> >right solution.
> >
> >but since you must hash, one problem with hashing is, it is still
> >necessary to have the hash vary from one invocation to another.
> >otherwise, if the hash is the same every time the user logs in
> >(i.e., if all you do is take the password and run it through md5),
> >then anyone who can sniff the hash will be able to replay a login.
> >
> >unfortunately, if you want the hash to be different from one
> >invocation to the next, then the password cannot be stored
> >on the server as a one-way hash.  instead, it would be either
> >plaintext or encrypted on the server.  this way, when you
> >want to send the hash over the internet, instead of just hashing
> >the password, you can generate a few extra characters.  append
> >(or prepend) the characters to the password.  then hash the
> >whole thing.
> >
> >then, when you send the hash over, send the extra characters
> >too.  on the server side, you would then take the password from
> >the database (or wherever), decrypt it (if it's encrypted), append
> >or prepend the extra characters, hash the whole thing, and
> >compare the hashes.
> >
> >tiger
> >
> >
> >
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
