MD5 in Javascript
20th April 2003
One of the things that has always bugged me about creating login forms for web based applications is that the password is passed in clear text when the user logs in. Even if you then set a session cookie of some sort for future access the password has stilled been transmitted unencrypted at least once.
The obvious way around this is to use https
, but for the vast majority of sites this isn’t an option. Enter Javascript MD5—an implementation of the cryptographically secure MD5 hashing function in Javascript. This can be used to build a CHAP login system where the client sends the MD5 of the password appended on to a challenge string, which the server can then recalculate and compare (all without the password being transmitted from client to server).
The author links to implementations of this idea in various languages, and implementing it from scratch in PHP is quite trivial. With a bit of care the system can be set up so that browsers with no javascript support submit the password normally, while those with javascript send only the hash.
A modified version of the system is used by Yahoo’s Login Page, so it is certainly feasible for deployment in a commercial environment. Obviously an https
encrypted session is far more secure, but for non-ecommerce web applications this technique is a no-brainer.
More recent articles
- Slop is the new name for unwanted AI-generated content - 8th May 2024
- Weeknotes: more datasette-secrets, plus a mystery video project - 7th May 2024
- Weeknotes: Llama 3, AI for Data Journalism, llm-evals and datasette-secrets - 23rd April 2024
- Options for accessing Llama 3 from the terminal using LLM - 22nd April 2024
- AI for Data Journalism: demonstrating what we can do with this stuff right now - 17th April 2024
- Three major LLM releases in 24 hours (plus weeknotes) - 10th April 2024
- Building files-to-prompt entirely using Claude 3 Opus - 8th April 2024
- Running OCR against PDFs and images directly in your browser - 30th March 2024
- llm cmd undo last git commit - a new plugin for LLM - 26th March 2024
- Building and testing C extensions for SQLite with ChatGPT Code Interpreter - 23rd March 2024