MD5 in Javascript
20th April 2003
One of the things that has always bugged me about creating login forms for web based applications is that the password is passed in clear text when the user logs in. Even if you then set a session cookie of some sort for future access the password has stilled been transmitted unencrypted at least once.
The obvious way around this is to use https
, but for the vast majority of sites this isn’t an option. Enter Javascript MD5—an implementation of the cryptographically secure MD5 hashing function in Javascript. This can be used to build a CHAP login system where the client sends the MD5 of the password appended on to a challenge string, which the server can then recalculate and compare (all without the password being transmitted from client to server).
The author links to implementations of this idea in various languages, and implementing it from scratch in PHP is quite trivial. With a bit of care the system can be set up so that browsers with no javascript support submit the password normally, while those with javascript send only the hash.
A modified version of the system is used by Yahoo’s Login Page, so it is certainly feasible for deployment in a commercial environment. Obviously an https
encrypted session is far more secure, but for non-ecommerce web applications this technique is a no-brainer.
More recent articles
- Gemini 2.0 Flash: An outstanding multi-modal LLM with a sci-fi streaming mode - 11th December 2024
- ChatGPT Canvas can make API requests now, but it's complicated - 10th December 2024
- I can now run a GPT-4 class model on my laptop - 9th December 2024