« Return to Thread: Client side password encryption
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
It's quite similar to the plugin I was using as a base.
I assume it too is broken by WordPress 2.5 though as it'll have trouble
comparing a hashed version of the password (made via JS) against another
hashed version of the password (in the DB).
On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew@...>
wrote:
> Have you ever tried using this plugin:
>
> http://www.redsend.org/chapsecurelogin/
>
> It's based on the Challenge-Handshake Authentication Protocol (CHAP) and
> it
> seems to work pretty well. It might at least be a starting point for what
> you're trying to do.
>
> -Andrew
> http://AndrewFerguson.net
>
>
> On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...>
> wrote:
>
> > No no, I think the salt and all that stuff is a good idea. I don't want
> to
> > mess with it or the database.
> >
> > I'm just trying to figure out a way to not send the password in plain
> > text.
> > MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to
> > be
> > trouble in 2.5.
> >
> > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...>
> > wrote:
> >
> > >
> > > On 16 Mar 2008, at 09:27, Viper007Bond wrote:
> > >
> > > > Is it even possible? I can't think of a way to take the MD5 of the
> > > > password
> > > > and use it to check the password due to the salting. I can't MD5 the
> > > > original password and compare it to the submitted hash as the
> original
> > > > obviously isn't stored anywhere.
> > >
> > > I think (I'm away from home and unable to check precisely) that when
> > > I coded the new password functions things were left pluggable in the
> > > right places to allow you to use a different hashing algorithm. If
> > > you really wanted to use this plugin, you might be able to write
> > > another plugin that reinstates plain MD5 passwords. Please let me
> > > know if this isn't the case. :-)
> > >
> > > James
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers@...
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
> >
> >
> >
> > --
> > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers@...
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
_______________________________________________
wp-hackers mailing list
wp-hackers@...
http://lists.automattic.com/mailman/listinfo/wp-hackers
I assume it too is broken by WordPress 2.5 though as it'll have trouble
comparing a hashed version of the password (made via JS) against another
hashed version of the password (in the DB).
On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew@...>
wrote:
> Have you ever tried using this plugin:
>
> http://www.redsend.org/chapsecurelogin/
>
> It's based on the Challenge-Handshake Authentication Protocol (CHAP) and
> it
> seems to work pretty well. It might at least be a starting point for what
> you're trying to do.
>
> -Andrew
> http://AndrewFerguson.net
>
>
> On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...>
> wrote:
>
> > No no, I think the salt and all that stuff is a good idea. I don't want
> to
> > mess with it or the database.
> >
> > I'm just trying to figure out a way to not send the password in plain
> > text.
> > MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to
> > be
> > trouble in 2.5.
> >
> > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...>
> > wrote:
> >
> > >
> > > On 16 Mar 2008, at 09:27, Viper007Bond wrote:
> > >
> > > > Is it even possible? I can't think of a way to take the MD5 of the
> > > > password
> > > > and use it to check the password due to the salting. I can't MD5 the
> > > > original password and compare it to the submitted hash as the
> original
> > > > obviously isn't stored anywhere.
> > >
> > > I think (I'm away from home and unable to check precisely) that when
> > > I coded the new password functions things were left pluggable in the
> > > right places to allow you to use a different hashing algorithm. If
> > > you really wanted to use this plugin, you might be able to write
> > > another plugin that reinstates plain MD5 passwords. Please let me
> > > know if this isn't the case. :-)
> > >
> > > James
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers@...
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
> >
> >
> >
> > --
> > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers@...
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> _______________________________________________
> wp-hackers mailing list
> wp-hackers@...
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
_______________________________________________
wp-hackers mailing list
wp-hackers@...
http://lists.automattic.com/mailman/listinfo/wp-hackers
« Return to Thread: Client side password encryption
| Free embeddable forum powered by Nabble | Forum Help |
