Client side password encryption using md5.js and decryption in PHP

11,247

Solution 1

You want to protect the plain-text password from a "man in the middle" who is listening to the network traffic. Unfortunately, it is not possible to prevent this with client-side JavaScript, because the attacker can see the sent JavaScript as well and would also be able to simply remove this script from the request.

The only reliable way to protect the transfer of the password is using HTTPS with SSL encryption. This also only works because a secret is already shared (the certificates installed within your browser).

Client-side hashing can have its purpose as well, but never replaces server-side hashing. You can transfer CPU power used for hashing to the client. On the server side you would have to hash again, but with fewer rounds.
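
What "hash again on the server" looks like, as an added example that is not part of the original answer or the asker's code: the server never decrypts the submitted value, it treats it as the password and hashes it again. Assumptions: Node.js, md5.js returning lowercase hex, scrypt with Node's default cost as the server-side hash; `enroll` and `verify` are hypothetical names.

```javascript
// Added example (not from the original page). Runs under Node.js.
const crypto = require("node:crypto");

// Assumption: the page's md5.js returns lowercase hex, like this helper.
const md5 = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Mirrors the page's encryptPwd1(): MD5(salt + MD5(password)),
// i.e. the value the browser puts in the "password" field.
function clientHash(password, pageSalt) {
  return md5(pageSalt + md5(password));
}

// Hypothetical enrolment step on the server: the submitted value is treated
// as the password itself and stretched under a fresh random per-user salt.
function enroll(submitted) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(submitted, salt, 32);
  return { salt: salt.toString("hex"), hash: hash.toString("hex") };
}

// Hypothetical login check: nothing is decrypted. The server re-derives the
// hash from what was submitted and compares it in constant time.
function verify(submitted, record) {
  const expected = Buffer.from(record.hash, "hex");
  const salt = Buffer.from(record.salt, "hex");
  const actual = crypto.scryptSync(submitted, salt, expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample passwords; the salt is the one visible in the page's form.
const PAGE_SALT = "8qadr4xnCPW275BaNpYX";
const record = enroll(clientHash("correct horse", PAGE_SALT));

console.log("right password:", verify(clientHash("correct horse", PAGE_SALT), record));
console.log("wrong password:", verify(clientHash("wrong guess", PAGE_SALT), record));
```

Because the salt ships in the page, the value in the `password` field is as sensitive as the password itself, so the stored record holds only the server-side hash and the transport still needs HTTPS.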

Solution 2

Hang on a minute here.

This is just a bad idea (I can think of other adjectives here but will limit myself to BAD).

Anybody can read your page source with any browser, so what do I see if I do that....

  1. I now know that you are using MD5 to hash your passwords on your database (let's ignore how bad MD5 is for now)
  2. And lo and behold I also know the SALT that you are using!

Why not just give me your bank account number and PIN code, and for good measure the keys to your house and car!

I assume you don't have a boat or you would have drowned by now!

Don't try and do this in the browser, the only secure way is to use SSL.

Solution 3

Password encryption is needed because a trace of the password will be stored in browser memory on your computer when you make a submission. If a hacker gets access to your computer, with a widely available tool, your stored data will be exposed.

The remedy for that is to make it harder for the hacker to get hold of your password...

There are two things to remember: 1) submit via form 2) submit via ajax

In both cases it is important that you control the character encoding of your submission and make sure your server character encoding is in sync with your application web page.

If you do not control the encoding, then your ajax call may end up with a different encoding than your submission via form, and hence your decoding will not be easy.

Once you have them under control, use code in whatever language you want to decode... however, you need to keep a reference to the salt and stringit on the server side, and you need to randomly generate a different set of strings on each page you provide for users.

One way to do it is by including them in the form as hidden inputs, but you need to remove the inputs on the fly from the form right before you allow the form to proceed with submission.

Author by

VPR

Updated on June 04, 2022

Comments

  • VPR
    VPR about 2 years

    I am using a form with user and password fields, in which I need to encrypt the password before sending the form to the server for validation. For that I am using md5.js for encryption on the client side using the salt information.

    test.php

    <script src="js/md5.js"></script>
    <script>
        // Returns MD5(salt + MD5(password)), or null if either input is empty.
        // strit is accepted but not used.
        function encryptPwd1(strPwd, strSalt, strit) {
            if (strPwd == "" || strSalt == "")
            {
                return null;
            }
            var strPwdHash = MD5(strPwd);
            var strMerged = strSalt + strPwdHash;
            return MD5(strMerged);
        }
        // Overwrites the password field with the hash, then submits the form.
        function validateForm(strSalt, strit) {
            var strEncPwd = new String(encryptPwd1(document.getElementById("password").value, strSalt, strit));
            document.getElementById("password").value = strEncPwd;
            // document.login resolves through the form's name="login" attribute.
            document.login.submit();
            return true;
        }
    </script>
    <form name="login" method="post" action="test1.php">
        <input type="hidden" 
               name="salt"
               id="salt"
               value="8qadr4xnCPW275BaNpYX">
        <label class="login">Password:</label>
        <input
            name="password"
            id="password"
            type="password" />
        <input type="submit"
            name="gos"
            id="gos"
            value="Login"
            onClick="return validateForm('8qadr4xnCPW275BaNpYX','38');">
    </form>
    

    This is the form which contains the client encryption using JavaScript and md5.js. I can successfully encrypt the message and send it to test1.php. In test1.php, I don't know how to decrypt the text. Please help me.

  • VPR
    VPR almost 10 years
    I am just doing this for learning purposes. Can anyone teach me how?
  • RiggsFolly
    RiggsFolly almost 10 years
    But my point is there is nothing to learn from what you are doing other than it is a very bad idea and has no place in any system.