CGI question: safe passwords possible?

Peter Hansen peter at engcorp.com
Mon Jun 2 15:10:26 CEST 2003


Paul Rubin wrote:
> 
> Don't do it that way, since the hashed value sent to the server is
> re-useable.  Try something more like:
> 
>  <form action="whatever" onSubmit="dohash(this)">
>  <input type="password" name="password">
>  <input type="hidden" name="password_enc">
>  <script>
>  function dohash(form) {
>    # Set "iv" to some random server-generated junk that's different every time
>    iv = "un43iuhiuanasdcainini3nr3r"
> 
>    form.elements.password_enc.value =
>        md5hash(iv + md5hash(iv + form.elements.password.value));
>    form.elements.password.value = "";
>  }

Doesn't this implementation also suffer from requiring the server
side to store the password somewhere effectively in the clear?
An extra pre-hash step on the password above, prior to the hashing with
the random number, is probably a good idea.  That way the server will
be able to pre-hash the passwords as well prior to storage, and they
are not available even to administrators.

(Paul, I don't understand why you did a double hash above, since it
doesn't seem to add any extra value over a single one, in this case.)

Also note: you won't be able to have your users change their passwords
securely with any such approach.  For that, I believe SSL is going to
be the only secure option, to avoid ever sending a password to the server
in the clear.  (Or generate passwords on the server side and email to the
user, though that has obvious other problems...)

-Peter




More information about the Python-list mailing list