Security On GET

Discussion in 'HTML' started by Martin Cunningham, Jul 18, 2003.

  1. Hi. I've a form that has a password field in it. How can I encrypt it so when
    I use a get it doesn't show what the actual password is but instead a
    jumble of rubbish that can be sorted out in the next file?
    Thanks.

    --
    Martin Cunningham.
    Macro-Tek
    http://www.macro-tek.cjb.net/
    Martin Cunningham, Jul 18, 2003
    #1

  2. Martin Cunningham

    rf Guest

    "Martin Cunningham" <> wrote in message
    news:bf7pu4$3g6$...
    > Hi. I've a form that has a password field in it. How can I encrypt it so
    > when I use a get it doesn't show what the actual password is but instead a
    > jumble of rubbish that can be sorted out in the next file?
    > Thanks.


    You can't. You should be using method="post" and SSL.

    Cheers
    Ricard.
    rf, Jul 18, 2003
    #2

  3. Martin Cunningham

    Rob McAninch Guest

    rf <news:RUJRa.1269$>:

    > "Martin Cunningham" <>:
    >> Hi. I've a form that has a password field in it. How can I
    >> encrypt it so when I use a get it doesn't show what the
    >> actual password is but instead a jumble of rubbish that can
    >> be sorted out in the next file? Thanks.


    The client would have to encrypt the password before sending it,
    the browser isn't going to do that automatically. So the client
    would have to type the 'jumble of rubbish' instead of the
    'password', but now the jumble is transmitted in the open - and
    effectively _is_ the password.

    > You can't. You should be using method="post" and SSL.


    Yup. The whole transaction has to be encrypted, not just a piece
    of it.

    --
    Rob - http://rock13.com/
    Web Stuff: http://rock13.com/webhelp/
    Rob McAninch, Jul 18, 2003
    #3
  4. On Fri, 18 Jul 2003 05:53:02 +0000, Rob McAninch wrote:

    > The client would have to encrypt the password before sending it,
    > the browser isn't going to do that automatically. So the client
    > would have to type the 'jumble of rubbish' instead of the
    > 'password', but now the jumble is transmitted in the open - and
    > effectively _is_ the password.


    Well, not necessarily. The server would just need to send a unique
    "salt" each time it asked for the password. The password and salt would be
    concatenated together and then hashed. This hash could be used to log in,
    but if intercepted would not be any use because it is unlikely that the
    same salt would be sent next login.

    --
    Toby A Inkster BSc (Hons) ARCS | mailto: | pgp:0x6A2A7D39
    aim:inka80 | icq:6622880 | yahoo:tobyink | jabber:
    http://www.goddamn.co.uk/tobyink/ | "You've got spam!"
    playing://(nothing)
    Toby A Inkster, Jul 18, 2003
    #4
  5. Martin Cunningham

    Rob McAninch Guest

    Toby A Inkster
    <news:p>:

    > On Fri, 18 Jul 2003 05:53:02 +0000, Rob McAninch wrote:
    >
    >> The client would have to encrypt the password before sending
    >> it, [...] but now the jumble is transmitted in the open - and
    >> effectively _is_ the password.

    >
    > Well, not necessarily. The server would just need to send a
    > unique "salt" each time it asked for the password. The
    > password and salt would be concatenated together and then
    > hashed. This hash could be used to log in, but if intercepted
    > would not be any use because it is unlikely that the same salt
    > would be sent next login.


    Hm, I see how that would work. The client would still have to do
    the hash, correct? So it would take some extra software, and
    couldn't be for general use (like SSL could be) as I understand
    it.

    --
    Rob - http://rock13.com/
    Web Stuff: http://rock13.com/webhelp/
    Rob McAninch, Jul 20, 2003
    #5
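
The salted-hash login described in post #4, with both sides simulated, as an added example that is not part of the original thread. The names `LoginServer`, `client_response` and `demo` and the sample password are assumptions made for illustration, and HMAC-SHA256 is swapped in for the plain concatenate-then-hash step.

```python
import hashlib
import hmac
import secrets


def client_response(password: str, salt: str) -> str:
    # Post #4 hashes password+salt; HMAC-SHA256 keyed by the password is
    # swapped in here as the sturdier way to combine the two values.
    return hmac.new(password.encode(), salt.encode(), hashlib.sha256).hexdigest()


class LoginServer:
    def __init__(self, users: dict):
        self.users = users    # user -> password: the server must know the secret
        self.pending = {}     # user -> salt issued for the login in progress

    def challenge(self, user: str) -> str:
        salt = secrets.token_hex(16)   # fresh and unpredictable for every login
        self.pending[user] = salt
        return salt

    def verify(self, user: str, response: str) -> bool:
        salt = self.pending.pop(user, None)   # single use, consumed even on failure
        if salt is None or user not in self.users:
            return False
        expected = client_response(self.users[user], salt)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    password = "correct-horse-constructed"          # constructed sample value
    server = LoginServer({"martin": password})
    salt = server.challenge("martin")               # server -> client, in the clear
    captured = client_response(password, salt)      # client -> server, in the clear
    first = server.verify("martin", captured)       # genuine login
    replay_old = server.verify("martin", captured)  # salt already used up
    server.challenge("martin")                      # next login gets a new salt
    replay_new = server.verify("martin", captured)  # old response, new salt
    return first, replay_old, replay_new


if __name__ == "__main__":
    print(demo())
```

Only replay of a captured response is blocked: the salt and response still cross the wire in the clear, so a weak password can be guessed offline from them, and everything after login is unprotected, which is why the thread's answer stays method="post" plus SSL.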
