Hashing the password via browser
07-02-2008, 07:35 AM
Post: #11
RE: Hashing the password via browser
(07-01-2008 08:53 PM)Tikitiki Wrote: What will SSL protect you against? Packet Sniffing, and that's it. No hacker in their right mind would spend time sniffing a small site. Only large sites like ncaabbs or gaia would be worth sniffing. And obviously at that point you'd have a server capable of using SSL.

Whether someone will attack a site or not is not part of the issue here. You aren't the attacker here, so you don't know the motives of one. (Also, not just packet sniffing - e.g. proxies.) This extra layer of security is something that can be provided (not saying we should, but it's a possibility) and, considering that most large forums don't implement SSL, can be a vast improvement over sending plaintext.

(07-01-2008 08:53 PM)Tikitiki Wrote: I could say the same thing about SSL. You can also easily reverse-md5 simple passwords (which most users have) with databases that are setup online - That's why it's a bad solution in general.

Have you actually tried those databases? I don't think so. They really don't work well, though one can try them if they wish. There are indeed known vulnerabilities in the MD5 hashing algorithm; however, it's always going to be the case that sending a hashed password is far more secure than a plaintext one. I'm not saying this is a crucial feature or anything - as you pointed out, it's probably largely useless in practice; however, it's an improvement without detriment whatever way you look at it.
07-02-2008, 08:37 PM
Post: #12
RE: Hashing the password via browser
(07-02-2008 07:35 AM)ZiNgA BuRgA Wrote:
    (07-01-2008 08:53 PM)Tikitiki Wrote: What will SSL protect you against? Packet Sniffing, and that's it. No hacker in their right mind would spend time sniffing a small site. Only large sites like ncaabbs or gaia would be worth sniffing. And obviously at that point you'd have a server capable of using SSL.
    Whether someone will attack a site or not is not part of the issue here. You aren't the attacker here, so you don't know the motives of one.

Again, as I've said before, it's a crappy solution and one that is limited at that. I'm standing by that stance.

(07-02-2008 07:35 AM)ZiNgA BuRgA Wrote:
    (07-01-2008 08:53 PM)Tikitiki Wrote: I could say the same thing about SSL. You can also easily reverse-md5 simple passwords (which most users have) with databases that are setup online - That's why it's a bad solution in general.
    Have you actually tried those databases? I don't think so.

Then you've thought wrong. I was actually quite surprised to find that the md5 of one of my old passwords was easily reversed, prompting me to make my current one more secure.
07-03-2008, 02:59 AM
Post: #13
RE: Hashing the password via browser
If you have JavaScript hash the password, what's to stop a hacker from sniffing the hashed password and sending it later? At that point, the md5 of the password becomes the clear text as far as the hacker is concerned.
07-03-2008, 08:41 AM
Post: #14
RE: Hashing the password via browser
(07-02-2008 08:37 PM)Tikitiki Wrote: Then you've thought wrong. I was actually quite surprised to find that the md5 of one of my old passwords was easily reversed, prompting me to make my current one more secure.

You must've used some dictionary password or such. Typically, I don't see databases with more than a billion entries. And I believe that 2^128 = 3.4028236692093846346337460743177e+38, or about 3.5e+29 times the size of the online DB... Online DBs suck - you need a proper application to generate collisions.

(07-03-2008 02:59 AM)laie_techie Wrote: If you have JavaScript hash the password, what's to stop a hacker from sniffing the hashed password and sending it later? At that point, the md5 of the password becomes the clear text as far as the hacker is concerned.

The complexity stops them. It's a similar reason why people don't tend to brute force passwords, 'cause it's a waste of time. Obscurity is a form of security, regardless of it being "weak".
07-03-2008, 09:06 AM
(This post was last modified: 07-03-2008 09:07 AM by flash.tato.)
Post: #15
RE: Hashing the password via browser
(07-03-2008 02:59 AM)laie_techie Wrote: If you have JavaScript hash the password, what's to stop a hacker from sniffing the hashed password and sending it later? At that point, the md5 of the password becomes the clear text as far as the hacker is concerned.

And if we continue to send passwords in the clear, is it better? md5ing via browser isn't guaranteed security, but it is one step up, as MD5 is theoretically irreversible; in fact the only way to crack it is seeing if that hash is available in some dictionaries, although the dictionaries are poor now, the best I saw had only 80,000 hashes in memory. Ah, last thing: could I suggest you read how MD5 really works? You'll understand it better.