Client side password encryption
|
View:
New views
17 Messages
—
Rating Filter:
Alert me
|
 |
Client side password encryption
by Viper007Bond-3
::
Rate this Message:
So I've been playing around with
http://wordpress.org/extend/plugins/semisecure-login/ It's a nice half way point for people like me who don't have and don't want to mess with SSL. It MD5's the password field before submitting and then checks it against the MD5'ed version of the password in the database. Works great in 2.3.x. However, with phpass now being used (i.e. salted passwords), I thought I'd update it for my own personal uses (and maybe a release) in time for WP 2.5. Easier said than done it's turning out to be. Is it even possible? I can't think of a way to take the MD5 of the password and use it to check the password due to the salting. I can't MD5 the original password and compare it to the submitted hash as the original obviously isn't stored anywhere. What about the upgrade method though? Does 2.5 migrate the old MD5 hashes to the new method or does it just leave them alone and only screw with the cookies? Ideas needed, assuming it's actually possible. I'm a bit inexperienced with some of the new features. -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by DD32
::
Rate this Message:
On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper@...> wrote:
> So I've been playing around with > http://wordpress.org/extend/plugins/semisecure-login/ .. > Is it even possible? I can't think of a way to take the MD5 of the password > and use it to check the password due to the salting. I can't MD5 the > original password and compare it to the submitted hash as the original > obviously isn't stored anywhere. > > What about the upgrade method though? Does 2.5 migrate the old MD5 hashes to > the new method or does it just leave them alone and only screw with the > cookies? When the user logs in, if the password hash is <= 32 char, then it creates a new hash for the user with a salt added in. I dont think theres a secure method of client side password hashing now, it either has to be 2-way encryption so that the server can get the original password, Or you need to pass the salt back to the JS and implement phpass in javascript, neither of which you'd want to do. You of course, could store another password in the database which is not salted, so that it allows you to login via passing a hashed password along, but its not of much use IMO _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
Yeah, this isn't assumed to be 100% secure, merely a way to avoid sending
the password plaintext via an unencrypted connection (like a public wifi or whatever). Anyway, so if it does indeed "upgrade" the old MD5 hash in the database to a new salted one, I could salt the POST'ed MD5 hash and compare it to the one in the database, no? On Sun, Mar 16, 2008 at 2:36 AM, DD32 <wordpress@...> wrote: > On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper@...> > wrote: > > > So I've been playing around with > > http://wordpress.org/extend/plugins/semisecure-login/ > .. > > Is it even possible? I can't think of a way to take the MD5 of the > password > > and use it to check the password due to the salting. I can't MD5 the > > original password and compare it to the submitted hash as the original > > obviously isn't stored anywhere. > > > > What about the upgrade method though? Does 2.5 migrate the old MD5 > hashes to > > the new method or does it just leave them alone and only screw with the > > cookies? > > When the user logs in, if the password hash is <= 32 char, then it creates > a new hash for the user with a salt added in. > > I dont think theres a secure method of client side password hashing now, > it either has to be 2-way encryption so that the server can get the original > password, Or you need to pass the salt back to the JS and implement phpass > in javascript, neither of which you'd want to do. > > You of course, could store another password in the database which is not > salted, so that it allows you to login via passing a hashed password along, > but its not of much use IMO > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
Oh wait, that wouldn't work for accounts created in WP 2.5, right? Bah.
Guess I'm outta luck. Oh well. On Sun, Mar 16, 2008 at 2:43 AM, Viper007Bond <viper@...> wrote: > Yeah, this isn't assumed to be 100% secure, merely a way to avoid sending > the password plaintext via an unencrypted connection (like a public wifi or > whatever). > > Anyway, so if it does indeed "upgrade" the old MD5 hash in the database to > a new salted one, I could salt the POST'ed MD5 hash and compare it to the > one in the database, no? > > > On Sun, Mar 16, 2008 at 2:36 AM, DD32 <wordpress@...> wrote: > > > On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper@...> > > wrote: > > > > > So I've been playing around with > > > http://wordpress.org/extend/plugins/semisecure-login/ > > .. > > > Is it even possible? I can't think of a way to take the MD5 of the > > password > > > and use it to check the password due to the salting. I can't MD5 the > > > original password and compare it to the submitted hash as the original > > > obviously isn't stored anywhere. > > > > > > What about the upgrade method though? Does 2.5 migrate the old MD5 > > hashes to > > > the new method or does it just leave them alone and only screw with > > the > > > cookies? > > > > When the user logs in, if the password hash is <= 32 char, then it > > creates a new hash for the user with a salt added in. > > > > I dont think theres a secure method of client side password hashing now, > > it either has to be 2-way encryption so that the server can get the original > > password, Or you need to pass the salt back to the JS and implement phpass > > in javascript, neither of which you'd want to do. > > > > You of course, could store another password in the database which is not > > salted, so that it allows you to login via passing a hashed password along, > > but its not of much use IMO > > _______________________________________________ > > wp-hackers mailing list > > wp-hackers@... > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > -- > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by howard chen
::
Rate this Message:
On Sun, Mar 16, 2008 at 5:27 PM, Viper007Bond <viper@...> wrote:
> So I've been playing around with > http://wordpress.org/extend/plugins/semisecure-login/ > Personally, even if you encrypt the password at client side using md5, it is still subject to replay attack. A better system would be: http://pajhome.org.uk/crypt/md5/auth.html Howard _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by DD32
::
Rate this Message:
I dont think it used MD5 anymore at all, instead it uses a "portable hash".. whatever that is. I might be wrong though.
Might be best looking up the old trac ticket for the changes, and/or asking Ryan (I think he had his hands in with that lot?) Good luck though :) On Sun, 16 Mar 2008 20:43:55 +1100, Viper007Bond <viper@...> wrote: > Yeah, this isn't assumed to be 100% secure, merely a way to avoid sending > the password plaintext via an unencrypted connection (like a public wifi or > whatever). > > Anyway, so if it does indeed "upgrade" the old MD5 hash in the database to a > new salted one, I could salt the POST'ed MD5 hash and compare it to the one > in the database, no? > > On Sun, Mar 16, 2008 at 2:36 AM, DD32 <wordpress@...> wrote: > >> On Sun, 16 Mar 2008 20:27:12 +1100, Viper007Bond <viper@...> >> wrote: >> >> > So I've been playing around with >> > http://wordpress.org/extend/plugins/semisecure-login/ >> .. >> > Is it even possible? I can't think of a way to take the MD5 of the >> password >> > and use it to check the password due to the salting. I can't MD5 the >> > original password and compare it to the submitted hash as the original >> > obviously isn't stored anywhere. >> > >> > What about the upgrade method though? Does 2.5 migrate the old MD5 >> hashes to >> > the new method or does it just leave them alone and only screw with the >> > cookies? >> >> When the user logs in, if the password hash is <= 32 char, then it creates >> a new hash for the user with a salt added in. >> >> I dont think theres a secure method of client side password hashing now, >> it either has to be 2-way encryption so that the server can get the original >> password, Or you need to pass the salt back to the JS and implement phpass >> in javascript, neither of which you'd want to do. >> >> You of course, could store another password in the database which is not >> salted, so that it allows you to login via passing a hashed password along, >> but its not of much use IMO >> _______________________________________________ >> wp-hackers mailing list >> wp-hackers@... >> http://lists.automattic.com/mailman/listinfo/wp-hackers >> > > > _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
It's combined with a one-time use nonce, so I don't believe that can happen.
DD32: Yeah, the new hashes are longer than 32 characters and MD5 sucks, so I figured, but I'm still trying to figure out if I can get from MD5( $pass ) to $newHash somehow. I'll poke around the code some more. On Sun, Mar 16, 2008 at 3:08 AM, howard chen <howachen@...> wrote: > On Sun, Mar 16, 2008 at 5:27 PM, Viper007Bond <viper@...> > wrote: > > So I've been playing around with > > http://wordpress.org/extend/plugins/semisecure-login/ > > > > Personally, even if you encrypt the password at client side using md5, > it is still subject to replay attack. > > A better system would be: http://pajhome.org.uk/crypt/md5/auth.html > > Howard > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by James Davis-6
::
Rate this Message:
On 16 Mar 2008, at 09:27, Viper007Bond wrote: > Is it even possible? I can't think of a way to take the MD5 of the > password > and use it to check the password due to the salting. I can't MD5 the > original password and compare it to the submitted hash as the original > obviously isn't stored anywhere. I think (I'm away from home and unable to check precisely) that when I coded the new password functions things were left pluggable in the right places to allow you to use a different hashing algorithm. If you really wanted to use this plugin, you might be able to write another plugin that reinstates plain MD5 passwords. Please let me know if this isn't the case. :-) James _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
No no, I think the salt and all that stuff is a good idea. I don't want to
mess with it or the database. I'm just trying to figure out a way to not send the password in plain text. MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to be trouble in 2.5. On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...> wrote: > > On 16 Mar 2008, at 09:27, Viper007Bond wrote: > > > Is it even possible? I can't think of a way to take the MD5 of the > > password > > and use it to check the password due to the salting. I can't MD5 the > > original password and compare it to the submitted hash as the original > > obviously isn't stored anywhere. > > I think (I'm away from home and unable to check precisely) that when > I coded the new password functions things were left pluggable in the > right places to allow you to use a different hashing algorithm. If > you really wanted to use this plugin, you might be able to write > another plugin that reinstates plain MD5 passwords. Please let me > know if this isn't the case. :-) > > James > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Andrew Ferguson-2
::
Rate this Message:
Have you ever tried using this plugin:
http://www.redsend.org/chapsecurelogin/ It's based on the Challenge-Handshake Authentication Protocol (CHAP) and it seems to work pretty well. It might at least be a starting point for what you're trying to do. -Andrew http://AndrewFerguson.net On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...> wrote: > No no, I think the salt and all that stuff is a good idea. I don't want to > mess with it or the database. > > I'm just trying to figure out a way to not send the password in plain > text. > MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to > be > trouble in 2.5. > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...> > wrote: > > > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote: > > > > > Is it even possible? I can't think of a way to take the MD5 of the > > > password > > > and use it to check the password due to the salting. I can't MD5 the > > > original password and compare it to the submitted hash as the original > > > obviously isn't stored anywhere. > > > > I think (I'm away from home and unable to check precisely) that when > > I coded the new password functions things were left pluggable in the > > right places to allow you to use a different hashing algorithm. If > > you really wanted to use this plugin, you might be able to write > > another plugin that reinstates plain MD5 passwords. Please let me > > know if this isn't the case. :-) > > > > James > > _______________________________________________ > > wp-hackers mailing list > > wp-hackers@... > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > -- > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
It's quite similar to the plugin I was using as a base.
I assume it too is broken by WordPress 2.5 though as it'll have trouble comparing a hashed version of the password (made via JS) against another hashed version of the password (in the DB). On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew@...> wrote: > Have you ever tried using this plugin: > > http://www.redsend.org/chapsecurelogin/ > > It's based on the Challenge-Handshake Authentication Protocol (CHAP) and > it > seems to work pretty well. It might at least be a starting point for what > you're trying to do. > > -Andrew > http://AndrewFerguson.net > > > On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...> > wrote: > > > No no, I think the salt and all that stuff is a good idea. I don't want > to > > mess with it or the database. > > > > I'm just trying to figure out a way to not send the password in plain > > text. > > MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to > > be > > trouble in 2.5. > > > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...> > > wrote: > > > > > > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote: > > > > > > > Is it even possible? I can't think of a way to take the MD5 of the > > > > password > > > > and use it to check the password due to the salting. I can't MD5 the > > > > original password and compare it to the submitted hash as the > original > > > > obviously isn't stored anywhere. > > > > > > I think (I'm away from home and unable to check precisely) that when > > > I coded the new password functions things were left pluggable in the > > > right places to allow you to use a different hashing algorithm. If > > > you really wanted to use this plugin, you might be able to write > > > another plugin that reinstates plain MD5 passwords. Please let me > > > know if this isn't the case. :-) > > > > > > James > > > _______________________________________________ > > > wp-hackers mailing list > > > wp-hackers@... > > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > > > > > > -- > > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ > > _______________________________________________ > > wp-hackers mailing list > > wp-hackers@... > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Matt Freedman
::
Rate this Message:
How about base64 encoding it before sending it, then decode it before
WP handles it. It's in no way as secure as MD5, but it's better than plain text (people trying to steal password would probably not bother or recognize it as base64 and move along)... On Sun, Mar 16, 2008 at 7:52 PM, Viper007Bond <viper@...> wrote: > It's quite similar to the plugin I was using as a base. > > I assume it too is broken by WordPress 2.5 though as it'll have trouble > comparing a hashed version of the password (made via JS) against another > hashed version of the password (in the DB). > > On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew@...> > wrote: > > > > Have you ever tried using this plugin: > > > > http://www.redsend.org/chapsecurelogin/ > > > > It's based on the Challenge-Handshake Authentication Protocol (CHAP) and > > it > > seems to work pretty well. It might at least be a starting point for what > > you're trying to do. > > > > -Andrew > > http://AndrewFerguson.net > > > > > > On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...> > > wrote: > > > > > No no, I think the salt and all that stuff is a good idea. I don't want > > to > > > mess with it or the database. > > > > > > I'm just trying to figure out a way to not send the password in plain > > > text. > > > MD5'ing it + a separate salt worked well with 2.3.x, but it's proving to > > > be > > > trouble in 2.5. > > > > > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis <james@...> > > > wrote: > > > > > > > > > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote: > > > > > > > > > Is it even possible? I can't think of a way to take the MD5 of the > > > > > password > > > > > and use it to check the password due to the salting. I can't MD5 the > > > > > original password and compare it to the submitted hash as the > > original > > > > > obviously isn't stored anywhere. > > > > > > > > I think (I'm away from home and unable to check precisely) that when > > > > I coded the new password functions things were left pluggable in the > > > > right places to allow you to use a different hashing algorithm. If > > > > you really wanted to use this plugin, you might be able to write > > > > another plugin that reinstates plain MD5 passwords. Please let me > > > > know if this isn't the case. :-) > > > > > > > > James > > > > _______________________________________________ > > > > wp-hackers mailing list > > > > wp-hackers@... > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > > > > > > > > > > > -- > > > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ > > > _______________________________________________ > > > wp-hackers mailing list > > > wp-hackers@... > > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > _______________________________________________ > > wp-hackers mailing list > > wp-hackers@... > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > -- > > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Matt (speedboxer@...) http://mattsblog.ca/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
That's just security through obscurity though.
Perhaps the base64 encoded string could be modified randomly in a pre-determined way though that only the host and the client knew about (similar to a salt). Something like adding some characters after X characters, etc. I haven't given up on MD5 though. I'm gonna read some more into how WP salts the passwords and stuff. Hopefully it still uses a MD5 of the password somewhere (pre-salt or something). On Sun, Mar 16, 2008 at 9:33 PM, Matt <speedboxer@...> wrote: > How about base64 encoding it before sending it, then decode it before > WP handles it. It's in no way as secure as MD5, but it's better than > plain text (people trying to steal password would probably not bother > or recognize it as base64 and move along)... > > On Sun, Mar 16, 2008 at 7:52 PM, Viper007Bond <viper@...> > wrote: > > It's quite similar to the plugin I was using as a base. > > > > I assume it too is broken by WordPress 2.5 though as it'll have trouble > > comparing a hashed version of the password (made via JS) against another > > hashed version of the password (in the DB). > > > > On Sun, Mar 16, 2008 at 7:13 PM, Andrew Ferguson <andrew@...> > > wrote: > > > > > > > Have you ever tried using this plugin: > > > > > > http://www.redsend.org/chapsecurelogin/ > > > > > > It's based on the Challenge-Handshake Authentication Protocol (CHAP) > and > > > it > > > seems to work pretty well. It might at least be a starting point for > what > > > you're trying to do. > > > > > > -Andrew > > > http://AndrewFerguson.net > > > > > > > > > On Sun, Mar 16, 2008 at 7:31 PM, Viper007Bond <viper@...> > > > wrote: > > > > > > > No no, I think the salt and all that stuff is a good idea. I don't > want > > > to > > > > mess with it or the database. > > > > > > > > I'm just trying to figure out a way to not send the password in > plain > > > > text. > > > > MD5'ing it + a separate salt worked well with 2.3.x, but it's > proving to > > > > be > > > > trouble in 2.5. > > > > > > > > On Sun, Mar 16, 2008 at 11:04 AM, James Davis < > james@...> > > > > wrote: > > > > > > > > > > > > > > On 16 Mar 2008, at 09:27, Viper007Bond wrote: > > > > > > > > > > > Is it even possible? I can't think of a way to take the MD5 of > the > > > > > > password > > > > > > and use it to check the password due to the salting. I can't MD5 > the > > > > > > original password and compare it to the submitted hash as the > > > original > > > > > > obviously isn't stored anywhere. > > > > > > > > > > I think (I'm away from home and unable to check precisely) that > when > > > > > I coded the new password functions things were left pluggable in > the > > > > > right places to allow you to use a different hashing algorithm. If > > > > > you really wanted to use this plugin, you might be able to write > > > > > another plugin that reinstates plain MD5 passwords. Please let me > > > > > know if this isn't the case. :-) > > > > > > > > > > James > > > > > _______________________________________________ > > > > > wp-hackers mailing list > > > > > wp-hackers@... > > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > > > > > > > > > > > > > > > > -- > > > > Viper007Bond | http://www.viper007bond.com/ | > http://www.finalgear.com/ > > > > _______________________________________________ > > > > wp-hackers mailing list > > > > wp-hackers@... > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > > _______________________________________________ > > > wp-hackers mailing list > > > wp-hackers@... > > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > > > > > > -- > > > > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ > > _______________________________________________ > > wp-hackers mailing list > > wp-hackers@... > > http://lists.automattic.com/mailman/listinfo/wp-hackers > > > > > > -- > Matt (speedboxer@...) > http://mattsblog.ca/ > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
Nevermind about this whole thread. I don't think it's possible as while I
don't know about migrated passwords, I believe all post-2.5 passwords will be encrypted without ever touching MD5. Just a direct password -> phpass and replicating phpass with JS doesn't look easy or a good idea. Obscuring a base64 encoded string also won't work because the server has to tell the client how to obscure it which someone could easily intercept and then use to fix the malformed hash and then decode it. Oh well. I guess it's either SSL or nothing. -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Sam Bauers-3
::
Rate this Message:
I did the porting of the new phpass hashing to bbPress, and I'm 99.99%
sure that what you want can't be achieved. You would need to enlist your own reversible hashing (in Javascript and PHP) to pass the real password to the login functions. Sam On 17/03/2008, at 7:25 PM, Viper007Bond wrote: > Nevermind about this whole thread. I don't think it's possible as > while I > don't know about migrated passwords, I believe all post-2.5 > passwords will > be encrypted without ever touching MD5. Just a direct password -> > phpass and > replicating phpass with JS doesn't look easy or a good idea. > > Obscuring a base64 encoded string also won't work because the server > has to > tell the client how to obscure it which someone could easily > intercept and > then use to fix the malformed hash and then decode it. > > Oh well. I guess it's either SSL or nothing. > > -- > Viper007Bond | http://www.viper007bond.com/ | http:// > www.finalgear.com/ > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers --------------------- Sam Bauers Automattic, Inc. sam@... http://automattic.com http://wordpress.com http://wordpress.org http://bbpress.org http://unlettered.org --------------------- _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Jared Bangs
::
Rate this Message:
On Mon, Mar 17, 2008 at 1:25 AM, Viper007Bond <viper@...>
wrote: > > Obscuring a base64 encoded string also won't work because the server has > to > tell the client how to obscure it which someone could easily intercept and > then use to fix the malformed hash and then decode it. > > Oh well. I guess it's either SSL or nothing. > Yeah, pretty much (for what it sounds like you want to do, anyway). If there is the possibility for interception that you mention above, then it wouldn't matter if you could reimplement the same phpass alogrithm on the client, since whatever you send to the server could still be captured and replayed, resulting in a successful login. _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
|
|
Re: Client side password encryption
by Viper007Bond-3
::
Rate this Message:
Yeah, that's why a one-way hashing method is needed.
Previously, the JS would MD5 a string made up of the MD5 of the password plus a one-time salt, and then the server would replicate that (it already had the MD5 of the password) and compare. On Mon, Mar 17, 2008 at 10:44 AM, Jared Bangs <jared@...> wrote: > On Mon, Mar 17, 2008 at 1:25 AM, Viper007Bond <viper@...> > wrote: > > > > > Obscuring a base64 encoded string also won't work because the server has > > to > > tell the client how to obscure it which someone could easily intercept > and > > then use to fix the malformed hash and then decode it. > > > > Oh well. I guess it's either SSL or nothing. > > > > Yeah, pretty much (for what it sounds like you want to do, anyway). If > there > is the possibility for interception that you mention above, then it > wouldn't > matter if you could reimplement the same phpass alogrithm on the client, > since whatever you send to the server could still be captured and > replayed, > resulting in a successful login. > _______________________________________________ > wp-hackers mailing list > wp-hackers@... > http://lists.automattic.com/mailman/listinfo/wp-hackers > -- Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/ _______________________________________________ wp-hackers mailing list wp-hackers@... http://lists.automattic.com/mailman/listinfo/wp-hackers |
| Free embeddable forum powered by Nabble | Forum Help |
