Comments on: Preparing a secure login form with PHP & JavaScript http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/ web * programming * the higher end Thu, 18 Jun 2009 23:38:28 +0000 http://wordpress.com/ hourly 1 By: Thorix » Sicheres Login mit PHP und Javascript http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-111 Thorix » Sicheres Login mit PHP und Javascript Fri, 16 Jan 2009 22:34:51 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-111 [...] ‚Preparing a secure login form with PHP & JavaScript‘ by Kumar Rahul (observances): Beschreibt die Clientseitige Verschlüsselung des Passwortes mit MD5 (SHA-1 wäre auch möglich), „gesalzen“ mit einem Timestamp aus PHP::time() [...] [...] ‚Preparing a secure login form with PHP & JavaScript‘ by Kumar Rahul (observances): Beschreibt die Clientseitige Verschlüsselung des Passwortes mit MD5 (SHA-1 wäre auch möglich), „gesalzen“ mit einem Timestamp aus PHP::time() [...]

]]> By: krahulg http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-91 krahulg Tue, 26 Aug 2008 04:36:14 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-91 <strong>@paul</strong>: I had put this up as an alternative to simple login systems, the based ones. This definitely is not a replacement for HTTPS. And the setup required to really do a man-in-the-middle against this is fairly demanding and simple listening won't do. And thanks for stopping by, its very lonely out here. @paul: I had put this up as an alternative to simple login systems, the based ones. This definitely is not a replacement for HTTPS. And the setup required to really do a man-in-the-middle against this is fairly demanding and simple listening won’t do.
And thanks for stopping by, its very lonely out here.

]]> By: paul http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-90 paul Tue, 26 Aug 2008 02:54:17 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-90 I really like the idea. However one would have to combine it with HTTPS (preferably with a certificate signed by a well-known and trusted entity) to prevent a possible man-in-the-middle attack. Otherwise the man-in-the-middle could just remove the java-script code and then do the hashing before sending the request on to the real server. But then again, when using HTTPS with a trusted certificate, is there really any need to send a hashcode instead of the verbatim-but-now-SSL-encrypted password? Hmmm... And I see another possible problem: what about overly-restrictive content-filters that strip java-script? A page crippled by such filters would still send the password in cleartext. The server could of course recognize such a case by inspecting the "password" and "phash" fields, but the password would still be on the wire in cleartext. I really like the idea. However one would have to combine it with HTTPS (preferably with a certificate signed by a well-known and trusted entity) to prevent a possible man-in-the-middle attack.

Otherwise the man-in-the-middle could just remove the java-script code and then do the hashing before sending the request on to the real server.

But then again, when using HTTPS with a trusted certificate, is there really any need to send a hashcode instead of the verbatim-but-now-SSL-encrypted password?

Hmmm…

And I see another possible problem: what about overly-restrictive content-filters that strip java-script? A page crippled by such filters would still send the password in cleartext. The server could of course recognize such a case by inspecting the “password” and “phash” fields, but the password would still be on the wire in cleartext.

]]> By: vijay http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-37 vijay Mon, 28 Apr 2008 09:29:38 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-37 Thanks Rahul, You are correct and I am such a jerk ! :( Thanks Rahul,
You are correct and I am such a jerk ! :(

]]> By: krahulg http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-36 krahulg Mon, 28 Apr 2008 09:13:10 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-36 Hi vijay, you can always send the hashing timestamp greater than the current time, but remember that you also have to hash the password with the timestamp. for the attack to succeed you need to know the password and hash it correctly. if you know the password already, you would rather use the login form and then nothing can stop you. am i right in getting your point here?? Hi vijay,
you can always send the hashing timestamp greater than the current time, but remember that you also have to hash the password with the timestamp. for the attack to succeed you need to know the password and hash it correctly. if you know the password already, you would rather use the login form and then nothing can stop you. am i right in getting your point here??

]]> By: vijay http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-35 vijay Mon, 28 Apr 2008 08:56:27 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-35 Hi, Thanks again for the info shared. I fell a "BIG" thing is missing here. What if the sniffer sends $hts greater than the current time. he will be successful in logging into the system. may be u have that in ur mind but dint tell it out.. " system described here lacks certain things which are very obvious" Thanks for letting me know .. if I got it completely wrong ! Hi,

Thanks again for the info shared.

I fell a “BIG” thing is missing here.
What if the sniffer sends $hts greater than the current time. he will be successful in logging into the system.

may be u have that in ur mind but dint tell it out..
” system described here lacks certain things which are very obvious”

Thanks for letting me know .. if I got it completely wrong !

]]> By: Gabriel in Brazil » Blog Archive » A not-that-unsecure login form http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-31 Gabriel in Brazil » Blog Archive » A not-that-unsecure login form Tue, 11 Mar 2008 12:49:44 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-31 [...] No Translations This article discusses a way for HTML login forms not to transmit plain-text passwords over the internet when SSL or https are too complex and still in your TODO list. This is an enhancement of this solution. [...] [...] No Translations This article discusses a way for HTML login forms not to transmit plain-text passwords over the internet when SSL or https are too complex and still in your TODO list. This is an enhancement of this solution. [...]

]]> By: krahulg http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-29 krahulg Sat, 23 Feb 2008 06:34:12 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-29 Hi Gabriel, and am really happy to see you taking attention and even going as far as adopting it. About security, well, I have given up on the idea of a future-proof security device or method. The best I can do is make a parrot learn vowels and pass messages through it. How would you know which parrot to trap?? "Don't get anybody curious" might be the way to it, but I have other things to do right now. :). Hi Gabriel, and am really happy to see you taking attention and even going as far as adopting it.
About security, well, I have given up on the idea of a future-proof security device or method. The best I can do is make a parrot learn vowels and pass messages through it. How would you know which parrot to trap?? “Don’t get anybody curious” might be the way to it, but I have other things to do right now. :) .

]]> By: Gabriel http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-28 Gabriel Fri, 22 Feb 2008 21:06:52 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-28 Ops, I did not thank you for the idea! I just implemented it and feel a deep relief not to sent plain text passwords anymore. Thanks (: Ops, I did not thank you for the idea! I just implemented it and feel a deep relief not to sent plain text passwords anymore.
Thanks (:

]]> By: Gabriel http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-27 Gabriel Fri, 22 Feb 2008 21:03:18 +0000 http://krahulg.wordpress.com/2007/12/26/preparing-a-secure-login-form-with-php-javascript/#comment-27 I resolved the hashed password issue. My database actually stores MD5'ed passwords. Here is how I did: The javascript calculates the password's MD5. Then it concatenates the result with the timestamp and calculates the MD5 again. The result is sent to the server. The server reads the MD5'ed password from the database, concatenates the timestamp and calculates the MD5. Now compare the received hash with the calculated one and here you are! I guess all this MD5 thing is a simple way not to send plain text passwords over the web, but it still is quite vulnerable. A clever eavesdrop reading the POST request can figure out how all this is done and, later, try to obtain the hashed password with a bruteforce loop: 1. a = string to test 2. a += timestamp given in the POST 3. b = MD5(a) 4. if (b == password given in the POST) { bingo! } 5. goto 1 I guess some days or weeks would be enough to break the password, probably less with a dictionary-based loop first. I resolved the hashed password issue. My database actually stores MD5′ed passwords. Here is how I did:
The javascript calculates the password’s MD5. Then it concatenates the result with the timestamp and calculates the MD5 again. The result is sent to the server.
The server reads the MD5′ed password from the database, concatenates the timestamp and calculates the MD5.
Now compare the received hash with the calculated one and here you are!

I guess all this MD5 thing is a simple way not to send plain text passwords over the web, but it still is quite vulnerable. A clever eavesdrop reading the POST request can figure out how all this is done and, later, try to obtain the hashed password with a bruteforce loop:

1. a = string to test
2. a += timestamp given in the POST
3. b = MD5(a)
4. if (b == password given in the POST) { bingo! }
5. goto 1

I guess some days or weeks would be enough to break the password, probably less with a dictionary-based loop first.

]]>