RE: password protected webpages

by "Duncan Austin" <duncan1a(at)hotmail.com>

 Date:  Wed, 05 Apr 2000 05:14:06 PDT
 To:  hwg-techniques(at)hwg.org
I agree, JavaScript isn't good for password access. Apart from browser 
issues, the .js file will be in the user's cache and is easy to find - 
revealing all!

I would go the ASP route. You can salt and encrypt passwords, making it 
almost impossible to crack. There are some very good (free) encryption and 
salting scripts and components out there. How it works is:

To register, the user chooses a password. This is then salted (some text 
added to the end of it because, if the database of passwords is compromised, 
hackers may try encrypting a list of the 1000 most common passwords and look 
for a match - adding text to the end of each password ensures that none of 
them will be in that list). The salted password is then encrypted and the 
encrypted value entered into a database.

When the user logs on, the password they enter is salted, encrypted and the 
encrypted value compared with the encrypted value in the db.

This means that even if the database containing the encrypted passwords is 
compromised, it will be useless to the hacker because if he tries to use one 
of the encrypted passwords, it will be salted, then encrypted and that value 
will not match any db values - only the original unsalted, unencrypted 
password will work.

I hope I'm making sense here...

Duncan

>What about browsers which don't support JavaScript, or have disabled it?
>
>IE5 -- tools, internet options, security, custom level, active scripting to 
>disabled.
>
>IMO Client Side JavaScript should not be relied on for anything mission 
>critical, especially security.
>
>HTH
>Nigel
>
>On 05 April 2000 06:47, Don & Wendy Brock [SMTP:Brockfamily(at)xtra.co.nz] 
>wrote:
> > An idea may be to try JavaScript protection, this can be made almost
> > impossible to crack, by creating an external JavaScript that contains
> > the stuff ( password and usernames), read the page at
> > http://www.crosswinds.net/~wmrsite2/scripts/extpassword.html
> >
> > *------------------------------------*
> > broccoli_man(at)hotmail.com
> >      http://wmrsite.cjb.net
> > *------------------------------------*
> >
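
The register and log-on flow described in the message above, as an added example that is not part of the original thread or any poster's code; it runs server-side in Node.js using only the built-in crypto module. It goes beyond the message in two ways: the salt is random per user rather than fixed text, and the "encryption" step is the one-way scrypt key-derivation function. The `users` map, the function names and the sample accounts are constructed for illustration.

```javascript
// Added example: server-side salted password storage (Node.js, built-in crypto).
const crypto = require("node:crypto");

// Stands in for the password database (constructed for this example).
const users = new Map();

// Registration: draw a fresh random salt for this user, derive a one-way
// hash from password + salt, and store only the salt and the hash.
function register(username, password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  users.set(username, {
    salt: salt.toString("hex"),
    hash: hash.toString("hex"),
  });
}

// Log-on: re-derive the hash from the submitted password and the stored
// salt, then compare the two values in constant time.
function login(username, password) {
  const record = users.get(username);
  if (!record) return false; // unknown user fails like a wrong password
  const expected = Buffer.from(record.hash, "hex");
  const salt = Buffer.from(record.salt, "hex");
  const actual = crypto.scryptSync(password, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// The message's last point: someone holding a copy of the database submits
// a stored hash as if it were the password. It is salted and hashed again
// on the server, so the result does not match the stored value.
function replayStoredHash(username) {
  const record = users.get(username);
  return record ? login(username, record.hash) : false;
}

// Constructed sample accounts: two users who chose the same weak password.
register("alice", "letmein");
register("bob", "letmein");
```

Because each account has its own salt, the two identical passwords above produce different stored hashes, so one precomputed list of common-password hashes cannot match both rows.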


HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA