02-09-2008, 08:24 AM
#10
The Frequenter
Join Date: Apr 2005
Location: South UK
Posts: 483
Thanks: 51
The idea behind it is to use a salt with your passwords. You then MD5 the password using JS, send it to your PHP script, the PHP script then adds the salt and MD5s the whole lot again, then compares it against your password table.
The theory being that the plain-text password is never transmitted across the internet.
Edit: Think of it this way, in my scenario, if someone sniffed the password, they would end up with an MD5 hash of it. They could then either try to match the hash until they found the original password, or brute force your script until they found the salt. In your scenario, if someone sniffed the password, they would end up with the plain-text password for the user.
Alan
Last edited by Alan @ CIT: 02-09-2008 at 08:31 AM.
Reason: Added usage scenario