RE: password protected webpages
by "Duncan Austin" <duncan1a(at)hotmail.com>
Date: Wed, 05 Apr 2000 05:14:06 PDT
To: hwg-techniques(at)hwg.org

I agree, JavaScript isn't good for password access. Apart from browser
issues, the .js file will be in the user's cache and is easy to find -
revealing all!

I would go the ASP route. You can salt and encrypt passwords, making it
almost impossible to crack. There are some very good (free) encryption and
salting scripts and components out there. How it works is:

To register, the user chooses a password. This is then salted (some text
added to the end of it because if the database of passwords is compromised
hackers may try encrypting a list of the 1000 most common passwords and look
for a match - adding text to the end of each password ensures that none of
them will be in that list). The salted password is then encrypted and the
encrypted value entered into a database.

When the user logs on, the password they enter is salted, encrypted and the
encrypted value compared with the encrypted value in the db.

This means that even if the database containing the encrypted passwords is
compromised, it will be useless to the hacker because if he tries to use one
of the encrypted passwords, it will be salted, then encrypted and that value
will not match any db values - only the original unsalted, unencrypted
password will work.

I hope I'm making sense here...

Duncan

>What about browsers which don't support JavaScript, or have disabled it?
>
>IE5 -- tools, internet options, security, custom level, active scripting to
>disabled.
>
>IMO Client Side JavaScript should not be relied on for anything mission
>critical, especially security.
>
>HTH
>Nigel
>
>On 05 April 2000 06:47, Don & Wendy Brock [SMTP:Brockfamily(at)xtra.co.nz]
>wrote:
> > An idea may be to try JavaScript protection, this can be made almost
> > impossible to crack, by creating an external JavaScript that contains
> > the stuff ( password and usernames), read the page at
> > http://www.crosswinds.net/~wmrsite2/scripts/extpassword.html
> >
> > *------------------------------------*
> > broccoli_man(at)hotmail.com
> > http://wmrsite.cjb.net
> > *------------------------------------*
> >
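
Added example (not part of the original message, and not ASP code): the register and log-on flow described in the reply above, sketched in Python. It assumes a random per-user salt rather than fixed text appended to the password, and the one-way PBKDF2-HMAC-SHA256 function in place of "encryption"; the `db` dict, the function names and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000          # assumed work factor; raise it as hardware allows
DUMMY_SALT = b"\x00" * 16     # constant salt, used only where no user salt applies

def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way, deliberately slow transform of salt + password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def register(db: dict, user: str, password: str) -> None:
    """Store only the salt and the derived value, never the password."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    db[user] = {"salt": salt, "iterations": ITERATIONS, "hash": derive(password, salt)}

def login(db: dict, user: str, candidate: str) -> bool:
    """Salt and transform what was typed, then compare with the stored value."""
    rec = db.get(user)
    if rec is None:
        derive(candidate, DUMMY_SALT)  # same work for unknown users
        return False
    attempt = derive(candidate, rec["salt"], rec["iterations"])
    return hmac.compare_digest(attempt, rec["hash"])  # constant-time compare

def demo() -> dict:
    db = {}
    register(db, "alice", "letmein")  # constructed sample accounts
    register(db, "bob", "letmein")
    # Table of common passwords computed once, without any user's salt.
    table = {derive(p, DUMMY_SALT) for p in ("password", "letmein", "123456")}
    return {
        "correct_password": login(db, "alice", "letmein"),
        "wrong_password": login(db, "alice", "letmein1"),
        # A copied database value submitted as the password is transformed again.
        "stored_value_replayed": login(db, "alice", db["alice"]["hash"].hex()),
        "same_password_same_hash": db["alice"]["hash"] == db["bob"]["hash"],
        "table_matches": [u for u, r in db.items() if r["hash"] in table],
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```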
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA