Please Help with this Password Script .. Im Confused !!!

Hi,

I am new to Javascript, and spend all my time reading, and trying to
learn Javascript.

I managed to find this free password script, but I cant work out how
to access the password page.

The script is free:

http://www.planet-source-code.com/v...&lngWId=14&txtForceRefresh=725201119393874427


I cant work out what the password is, or how to change it for my
website.
There is no documentation, to explain how it works.

Can anybody work it out?


I tried ringing the software creator, but the line is dead.

Can anyone help please?
Life is Good !!!

 

The passwords are represented by script files. E.g. if there is a file
called jake123.js (as indeed there is in the test package) the user name
"jake" and password "123" will pass -- as will user name "jak" with
password "e123". The contents of these files determine the target page.

BUT! Don't use this method and don't use this script in particular --
it provides zero security. As a first step towards alternatives, read
up on HTTP authentication.

<snip>

 

Ritchie Valens wrote on 26 jul 2011 in comp.lang.javascript:

Do not use clientside scripts for passwords. Anyone reading the script can
find out the paqssword, or even "better", a way around the password.

Passwords should be autenticated on the server.

Secondly never use password autentication scripts you do not understand,
how would you know they are safe?

Free can be very expensive for the above reasons.

===========

The only way I know to get some but very small measure of security without
serverside code, is to use a secret url filename:

<form
onsubmit = 'location.href= this.pw.value +
".html";return false;'>
<input type='password' name='pw'> password
<br>
<input type='submit'>
</form>

 

Hmm, I had a thought.

Supposing you store some text files on a server, each text file contains
a json encoded string of the form

[{"p":"p0","u":"u0"},{"p":"p1":"u":"u1"},{"p":"p2":"u":"u2"}]

works like this:

read the "userkey" in a script, convert it to a url, request that url
using an xhr, JSON.parse it, then if the password given matches a p, load
the appropriate page url u.

It's security by obscurity, as soon as the "userkey" is compromised, it
falls apart, and anyone reading the code will see a means of brute-
forcing to obtain the password file.

You could use any phrase as the user key if you checksum it (eg http://
pajhome.org.uk/crypt/md5/) as part of generating the password file url,
this will make such brute forcing a bit harder.

Still an absolutely crap security model, but it might keep the parents
away from the risque photos of the girlfriend for a couple of days.

Rgds

Denis McMahon

 

Ben,

Thankyou so much for that information.

I was starting to think that the Var statement added up to make a
third word.

But thats great to know.


I have started using newsgroups again after many years, and there is
so much spam, but now All of you have responded, I will stay in this
Newsgroup

Regards

Life is Good !!!

 

Evertjan,

Thankyou for your careful advice.

Much appreciated


Regards

Life is Good !!!

 

Denis,

Your information makes sense, but because I am still learning
Javascript, a lot of it is above my hear.

Thankyou for your responsetho, I will re-read the info that you
posted.

Regards

Life is Good !!!

 

Denis McMahon wrote on 26 jul 2011 in comp.lang.javascript:

"security by obscurity" makes no sense, it is no security at all.

And more:
If you puplicize the ueserkey,
and can read the stream on the web you plan to download by JSON,
and can read the clientside javascript method,
what obscurity is left?

Even more:
Why take the risk of walking on a motorway when cars are available?

Use serverside programming and serverside databases.

 

I am learning Javascript, and I have messed with cgi also.

I know that people say PHP is alo worth learning, or being familiar
with.

Regards

Life is Good !!!

 

You are much too reserved and understated. This should read:

"Never use scripts you do not understand."

As well as the possibility you mention of the code being unsafe (or
ineffective, inefficient, etc.), one must also consider the lifetime costs
of maintaining such code.

And I'm using the word "maintaining" very loosely here. It is more akin to
re-adapting the code by trial-and-error to meet new requirements. (Emphasis
on "error").

 

Ritchie Valens wrote on 26 jul 2011 in comp.lang.javascript:

Javascript and vbscript can be used serverside on an asp platform.

PHP is the native serverside script language of linux servers.

So take your pick.

Serverside Javascript is the only one on topic on this NG,
and has the dual advantage of using the same function blocks both
serverside and clientside.

PHP is a Javascript lookalike, seen from a distance.

 

Mike Duffy wrote on 26 jul 2011 in comp.lang.javascript:

I do not need another's code for that. I can do that with my own code of
one year back easily, not understanding at all how and why it worked and
still works as was required then.

Rewriting essential parts of such code is fun, more fun than adaptation.

Evenso, as I use Dutch descriptive variable names, I have less difficulty
preventing the use of reserved words than many of you, and understanding
those names next year.

 

In comp.lang.javascript message <[email protected]

Assume that anything offered for nothing on the Web is likely at best to
be trash, unless the author is clearly identifiable, with a good
reputation and some apparent reason for making the offer.

For real security, the password typed should be run through a one-way
function before being transmitted, and another one-way function before
being stored. A site which can tell you your lost password cannot be a
secure site.

However, true security is often not needed. A garden shed can be
protected, if in a visible and audible location, against mischievous
small children by using an ordinary padlock. More is needed to protect
against a gang of youths with chain-saws. Much more is needed if the
military really wants to get in or to destroy the contents.

A lock serves its purpose when it is though to be not worth trying to
open or break it.

 

Dr J R Stockton,

Great point

Regards

Life is Good !!!