Re: Encryption Question



On Mar 14, 5:06 am, "Bart Van der Donck" <b...@xxxxxxxxxx> wrote:
David Dorward wrote:
egg...@xxxxxxxxx wrote:
I have a form where a user can change his password,
but I'm confused on how to prevent this from being
transmitted in plain text.

Run the request over HTTP with SSL (HTTPS) not plain old HTTP.
JavaScript isn't relevant to the issue.

A plain javascript solution is possible without need for HTTPS.

http://groups.google.com/group/comp.lang.javascript/msg/096d1191285a15a4

- let user type new password
- encrypt it using javascript (see link above)
- send encrypted string over HTTP and store it
- re-authentication based on same algorithm (handled at server or
client)

The algorithm of the script above corresponds to the default crypt
function on UNIX. This means that the password must be stored as an
encrypted string too - which is certainly recommended, and it seems
that the original poster isn't doing this. A safe password encryption
must always be non-reversible.

--
Bart

Correct, right now, I'm saving the password as plain text on the
server. When the user signs in their password is sha1 hashed by
javascript then sent to the server where the server password is then
sha1 hashed and compared to what the client sent.

So what you're proposing is when the user signs up, hash the password as
usual, but save it in that state to the server.

Then when the user signs in, hash their password, send to the server
and then compare? Wouldn't that be sending the same hash to the server
each time, how's that better than just sending plain text? That is
plain text in essence...

Please get back to me
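
The question raised in this post, as an added example that is not part of the original thread: Scheme A models the proposal quoted above (browser sends sha1(password), server stores the same value), and Scheme B models sending the password inside HTTPS with a salted server-side hash. It is written for Node.js; the function names, the user name, the sample password and the choice of scrypt are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. All names and values are constructed.
const nodeCrypto = require('crypto');

const sha1 = (s) => nodeCrypto.createHash('sha1').update(s).digest('hex');

// Scheme A: the browser sends sha1(password) over plain HTTP and the
// server stores exactly that value.
function registerA(db, user, password) {
  db[user] = sha1(password);           // what the browser would send at sign-up
}
function loginA(db, user, valueFromWire) {
  return db[user] === valueFromWire;   // the value on the wire IS the credential
}

// Scheme B: the password travels inside HTTPS (transport not modelled here);
// the server stores a per-user salt and scrypt(password, salt).
function registerB(db, user, password) {
  const salt = nodeCrypto.randomBytes(16);
  db[user] = { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}
function loginB(db, user, passwordFromTls) {
  const rec = db[user];
  if (!rec) return false;
  const candidate = nodeCrypto.scryptSync(String(passwordFromTls), rec.salt, 32);
  return nodeCrypto.timingSafeEqual(candidate, rec.hash);
}

function demo() {
  const dbA = {}, dbB = {};
  const password = 'correct horse battery staple'; // constructed sample
  registerA(dbA, 'alice', password);
  registerB(dbB, 'alice', password);

  // Under scheme A this is the string visible to anyone who can read the HTTP request.
  const observed = sha1(password);
  return {
    legitA: loginA(dbA, 'alice', sha1(password)),
    replayA: loginA(dbA, 'alice', observed),      // accepted without knowing the password
    storedEqualsWireA: dbA.alice === observed,    // the database row doubles as a login value
    legitB: loginB(dbB, 'alice', password),
    // Submitting the stored hash as if it were the password does not authenticate.
    storedAsPasswordB: loginB(dbB, 'alice', dbB.alice.hash.toString('hex')),
  };
}

console.log(demo());
```

In scheme A the hash is a fixed password equivalent, so neither the network nor the stored copy is protected; in scheme B the stored value is not accepted as a login input, and confidentiality on the wire comes from HTTPS.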
