Re: Client side password encryption

by Matt Freedman

How about base64 encoding it before sending it, then decoding it before
WP handles it? It's in no way as secure as MD5, but it's better than
plain text (people trying to steal passwords would probably not bother
or recognize it as base64 and move along)...

On Sun, Mar 16, 2008 at 7:52 PM, Viper007Bond <viper@...> wrote:

> It's quite similar to the plugin I was using as a base.
>
> I assume it too is broken by WordPress 2.5 though as it'll have trouble
> comparing a hashed version of the password (made via JS) against another
> hashed version of the password (in the DB).
>
> On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew@...> wrote:
>
>
> > Have you ever tried using this plugin:
> >
> > http://www.redsend.org/chapsecurelogin/
> >
> > It's based on the Challenge-Handshake Authentication Protocol (CHAP) and
> > it seems to work pretty well. It might at least be a starting point for
> > what you're trying to do.
> >
> > -Andrew
> > http://AndrewFerguson.net
> >
> >
> > On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...> wrote:
> >
> > > No no, I think the salt and all that stuff is a good idea. I don't want
> > > to mess with it or the database.
> > >
> > > I'm just trying to figure out a way to not send the password in plain
> > > text. MD5'ing it + a separate salt worked well with 2.3.x, but it's
> > > proving to be trouble in 2.5.
> > >
> > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...> wrote:
> > >
> > > >
> > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote:
> > > >
> > > > > Is it even possible? I can't think of a way to take the MD5 of the
> > > > > password and use it to check the password due to the salting. I
> > > > > can't MD5 the original password and compare it to the submitted
> > > > > hash as the original obviously isn't stored anywhere.
> > > >
> > > > I think (I'm away from home and unable to check precisely) that when
> > > > I coded the new password functions things were left pluggable in the
> > > > right places to allow you to use a different hashing algorithm. If
> > > > you really wanted to use this plugin, you might be able to write
> > > > another plugin that reinstates plain MD5 passwords. Please let me
> > > > know if this isn't the case. :-)
> > > >
> > > > James
> > > > _______________________________________________
> > > > wp-hackers mailing list
> > > > wp-hackers@...
> > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > >
> > >
> > >
> > >
> > > --
> > > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
>
>
>
> --
>
> Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/



--
Matt (speedboxer@...)
http://mattsblog.ca/
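
The challenge-response idea discussed in this thread (CHAP, and the problem of checking a client-side hash against a salted hash in the database), sketched as an added example that is not part of the original messages or of either plugin. The PBKDF2 scheme, the function names and the sample account are assumptions; the first function shows what base64 on the wire amounts to.

```javascript
// Added example: constructed values, not WordPress or plugin code.
const crypto = require('crypto');

// Base64 is an encoding, not encryption: anyone who captures it can decode it.
function base64Roundtrip(password) {
  const onWire = Buffer.from(password, 'utf8').toString('base64');
  return Buffer.from(onWire, 'base64').toString('utf8');
}

// Stand-in for the salted hash kept in the database (assumed scheme: PBKDF2).
function storedHash(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 10000, 32, 'sha256');
}

// Server side: issue a fresh random challenge for each login attempt.
function newChallenge() {
  return crypto.randomBytes(16).toString('hex');
}

// Client side: rebuild the salted hash from the typed password, then answer
// the challenge with an HMAC keyed by that hash. The password is never sent.
function clientResponse(password, salt, challenge) {
  return crypto.createHmac('sha256', storedHash(password, salt))
    .update(challenge).digest('hex');
}

// Server side: compute the expected answer from the database hash and compare
// in constant time.
function serverVerify(dbHash, challenge, response) {
  const expected = crypto.createHmac('sha256', dbHash).update(challenge).digest();
  const got = Buffer.from(response, 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed sample account.
const salt = 'constructed-salt';
const dbHash = storedHash('correct horse', salt);

function demo() {
  const c1 = newChallenge();
  const r1 = clientResponse('correct horse', salt, c1);
  const c2 = newChallenge();
  return {
    decoded: base64Roundtrip('correct horse'),
    goodLogin: serverVerify(dbHash, c1, r1),
    wrongPassword: serverVerify(dbHash, c1, clientResponse('guess', salt, c1)),
    replayed: serverVerify(dbHash, c2, r1), // captured answer, new challenge
  };
}
```

In this sketch the database hash itself becomes the login secret, and script delivered over plain HTTP can be altered in transit, so serving the login page over HTTPS is still what protects the password.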