Gustavo Narea wrote:
> Hello, Paul, and thanks for letting us know about it.
>
> On Sunday, May 3 2009 05:51:07 Paul Johnston wrote:
>> So, this is a call to the authors of all web authentication libraries.
>> Add JavaScript MD5 as an authentication mechanism. And then let me
>> know, so I can link to you from my site. If you need any help
>> implementing it, drop me a line, I'll do what I can.
>
> I love the idea of encrypting passwords on the client side, but I have some
> concerns about this particular implementation after taking a quick look into
> its docs:
>
> 1.- This library doesn't encrypt passwords; it replaces the password with its
> MD5 hash (and MD5 is a weak hashing algorithm).
> 2.- The hashing salt is sent to the client.
> 3.- The hashing algorithm is available on the client side.
>
> That is, if I'm an attacker, all I need to know to steal a user's identity is
> the server challenge (for the login/registration form) and the client
> response for such a challenge (the submitted data, including the password).
> Am I right?
I don't think so. Of course, having all this information, a man in the middle can perform a login. But first of all, the algorithm is MD5. It's irrelevant whether he has the source code; it must be the same outcome for *any* MD5 implementation. And the more important thing: he doesn't have the clear-text password, which would potentially allow him to log in on *other* sites as well, even if these use different hashing algorithms or salts.

I'm by far not a cryptographer, but at least sending hashes over the wire makes things a lot harder. The best thing of course would be using SSL only, with proper certificates.

Diez
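To make the two positions above concrete, here is an added example (not code from the thread or from Paul Johnston's JavaScript MD5 library, whose exact protocol is not described here) of a challenge-response login of the kind being discussed: the server stores MD5(salt + password), sends the salt and a fresh one-time nonce, and the browser answers MD5(nonce + MD5(salt + password)). Usernames, passwords and the nonce handling are constructed for the demonstration.

```python
import hashlib
import secrets

# Constructed example of a challenge-response login of the kind discussed in
# the thread. The exact wire format of the JavaScript MD5 library is assumed.


def password_hash(password: str, salt: str) -> str:
    """What the browser computes and what the server stores; never the cleartext."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def client_response(password: str, salt: str, nonce: str) -> str:
    """Browser side: bind the stored-hash value to this login's nonce."""
    return hashlib.md5((nonce + password_hash(password, salt)).encode()).hexdigest()


class Server:
    def __init__(self) -> None:
        self.users = {}            # username -> (salt, MD5(salt + password))
        self.open_nonces = set()   # challenges issued but not yet consumed

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[username] = (salt, password_hash(password, salt))

    def challenge(self, username: str) -> tuple:
        salt, _ = self.users[username]
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return salt, nonce

    def verify(self, username: str, nonce: str, response: str) -> bool:
        # Each nonce is accepted once, so a recorded (nonce, response) pair
        # is useless for a later replay. The server never sees the password.
        if nonce not in self.open_nonces:
            return False
        self.open_nonces.discard(nonce)
        _, stored = self.users[username]
        expected = hashlib.md5((nonce + stored).encode()).hexdigest()
        return secrets.compare_digest(expected, response)


def simulate() -> tuple:
    """Returns (genuine login accepted, replay of the recorded response accepted)."""
    server = Server()
    server.register("alice", "correct horse")  # constructed credentials
    salt, nonce = server.challenge("alice")
    response = client_response("correct horse", salt, nonce)  # visible on the wire
    first = server.verify("alice", nonce, response)
    replay = server.verify("alice", nonce, response)  # same recorded pair again
    return first, replay


if __name__ == "__main__":
    print(simulate())  # (True, False)
```

Note the limits this shows: the one-time nonce only defeats replay of a recorded exchange, while a live man in the middle can still relay the genuine response, and the stored MD5(salt + password) is itself a usable credential for this site. That is why Diez's closing point about SSL with proper certificates still stands.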
