Security tip in network listening hack technique [New Idea]

Posted: Tue Dec 02, 2008 2:12 pm
by sweb
See my article about secure password submission without SSL.
http://www.mhf.ir/2008/12/01/security-t ... technique/

Demo:
http://demo.mhf.ir/secure-login-with-hash/

I'll be waiting for your comments on my blog. :D

Have a good time.

Re: Security tip in network listening hack technique [New Idea]

Posted: Sat Dec 06, 2008 6:06 am
by JAB Creations
I'm not entirely sure, but if you're using the same hash at the client in JavaScript as you are at the back-end in PHP, then I think you might be giving away the hashed password... or something along those lines.

I have had interest in this issue but the problem always remains: the hacker can simply visit the site and look at the JavaScript code if they want. This would only prevent people who want quick access.

So we end up going back (I think) to the idea that only SSL can be a secure form of sending passwords. However, I'm hardly a security guru, but I'd love to implement a more secure way of submitting a password. You may want to submit this to the security forum here, though I think the clientside forum was a good choice to post this into as well.

Re: Security tip in network listening hack technique [New Idea]

Posted: Tue Dec 16, 2008 8:31 pm
by josh
If you salt + hash the password and store used salts to detect repeated salt attempts as hacks (playbacks), you can rule out reverse engineering and playback exploits, but each salted hash lets an attacker rule out a large # of possible brute force options.
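
Added example (not part of the thread and not the code behind sweb's demo): a sketch of the single-use salt scheme described in the last post, with the server remembering used salts so a replayed submission is flagged. It assumes SHA-256/HMAC, in-memory storage, and a server that stores `sha256(password)`; `LoginServer`, `clientResponse` and `demo` are illustrative names, and the credentials are constructed sample values.

```javascript
// Added example: single-use salt challenge-response with replay detection (assumed design).
const nodeCrypto = require("crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, msg) => nodeCrypto.createHmac("sha256", key).update(msg).digest("hex");

class LoginServer {
  constructor() {
    this.verifiers = new Map(); // user -> sha256(password), as stored by the back end
    this.issued = new Set();    // salts handed out and not yet used
    this.used = new Set();      // salts already consumed (replay detection)
  }
  register(user, password) { this.verifiers.set(user, sha256(password)); }
  issueSalt() {
    const salt = nodeCrypto.randomBytes(16).toString("hex");
    this.issued.add(salt);
    return salt;
  }
  // Returns "ok", "replay" (salt seen before) or "denied".
  login(user, salt, response) {
    if (this.used.has(salt)) return "replay";
    if (!this.issued.delete(salt)) return "denied"; // salt the server never issued
    this.used.add(salt);                            // burn the salt, pass or fail
    const verifier = this.verifiers.get(user);
    if (!verifier) return "denied";
    const expected = Buffer.from(hmac(verifier, salt));
    const got = Buffer.from(String(response));
    const match = got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
    return match ? "ok" : "denied";
  }
}

// What the browser-side script would compute from the typed password.
const clientResponse = (password, salt) => hmac(sha256(password), salt);

function demo() {
  const server = new LoginServer();
  server.register("alice", "correct horse"); // constructed sample credentials
  const salt = server.issueSalt();
  const response = clientResponse("correct horse", salt);
  const first = server.login("alice", salt, response);
  const replayed = server.login("alice", salt, response); // same bytes sent again
  const salt3 = server.issueSalt();
  const wrong = server.login("alice", salt3, clientResponse("guess", salt3));
  // The stored verifier alone, without the password, also produces a valid response.
  const salt2 = server.issueSalt();
  const fromVerifier = server.login("alice", salt2, hmac(server.verifiers.get("alice"), salt2));
  return { first, replayed, wrong, fromVerifier };
}
```

`fromVerifier` coming back as "ok" shows that in this design the stored hash is password-equivalent, so the server's hash table needs the same protection as plaintext passwords. The used-salt set grows without bound here; a real deployment would expire issued and used salts after a short window.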