CGI question: safe passwords possible?
Paul Rubin
Fri May 30 21:04:31 EDT 2003
> Yes, you can have the client hash the password using JavaScript. You
> can find free code for doing MD5 or SHA hashing in JavaScript, and then
> use code kind of like:
>
> <form action="whatever" onSubmit="dohash(this)">
> <input type="password" name="password">
> <input type="hidden" name="password_enc">
> <script>
> function dohash(form) {
> form.elements.password_enc.value =
> md5hash(form.elements.password.value);
> form.elements.password.value = "";
> }
> </script>
> </form>
>
Don't do it that way, since the hashed value sent to the server is
reusable. Try something more like:
<form action="whatever" onSubmit="dohash(this)">
<input type="password" name="password">
<input type="hidden" name="password_enc">
<script>
function dohash(form) {
  // Set "iv" to some random server-generated junk that's different every time
  var iv = "un43iuhiuanasdcainini3nr3r";
  // Send only the iv-keyed hash; the server recomputes it with the same iv
  form.elements.password_enc.value =
    md5hash(iv + md5hash(iv + form.elements.password.value));
  // Clear the plaintext field so it is not submitted
  form.elements.password.value = "";
}
</script>
</form>
> (testing this and finding the md5hash implementation are exercises left
> to the user)
MD5 and SHA Javascript implementations are available at:
http://pajhome.org.uk/crypt/md5/index.html
There's also some scripts there for doing the kind of thing the OP is
asking.
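
The server half of the exchange above, as an added example that is not part of the original post: a Python CGI backend issues a fresh iv per login form, recomputes md5hash(iv + md5hash(iv + password)) and accepts each iv only once, which is what makes a captured password_enc useless on replay. The session ids, the in-memory stores and the sample account are assumptions made for illustration; note that the server must hold the password itself to recompute the value.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; this scheme requires the server to know the
# password itself (assumption: a real deployment would use a protected store).
PASSWORDS = {"alice": "correct horse"}

# Hypothetical in-memory map: session id -> iv issued for that login form.
_pending = {}


def md5hex(text):
    """Hex MD5 of a string, matching what a JavaScript md5hash() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(iv, password):
    """The value dohash() in the post places in password_enc."""
    return md5hex(iv + md5hex(iv + password))


def issue_challenge(session_id):
    """Create a fresh random iv to embed in the login form for this session."""
    iv = secrets.token_hex(16)
    _pending[session_id] = iv      # overwrites any earlier, unused iv
    return iv


def verify_login(session_id, user, password_enc):
    """Accept password_enc only against the iv issued for this session, once."""
    # pop() makes the iv single-use: a replayed submission finds no iv.
    iv = _pending.pop(session_id, None)
    if iv is None or user not in PASSWORDS:
        return False
    expected = client_response(iv, PASSWORDS[user])
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(expected.encode("utf-8"),
                               password_enc.encode("utf-8"))
```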