
Password Authentication Without Revealing Your Password

05.09.2007
The majority of personalized web sites use some kind of form-based password authentication where you have two form fields for username and password, and a login button. When you submit your authentication, the password is sent in the clear to the server for verification against a user database.

Using a JavaScript SHA library and one simple onsubmit handler protects the password in transit and also inside the user database (the script file name below is an assumption; b64_sha256() comes from the SHA library):

<script src="sha256.js"></script>
<form method="post" onsubmit="this.pwField.value = b64_sha256(this.pwField.value);">
  <input name="username"> <input type="password" name="pwField"> <input type="submit" value="Login">
</form>

Read http://blog.asgeirnilsen.com/2005/11/password-authentication-without.html for further elaborations with increased security.

Comments

Tom Ward replied on Thu, 2006/03/16 - 1:15pm

This does nothing to protect the password in transit. The hashed version can be intercepted as easily as the non-hashed version, and both are of equal value to an attacker as both can be used to authenticate against the site.