MD5 in Javascript
20th April 2003
One of the things that has always bugged me about creating login forms for web based applications is that the password is passed in clear text when the user logs in. Even if you then set a session cookie of some sort for future access the password has stilled been transmitted unencrypted at least once.
The obvious way around this is to use https
, but for the vast majority of sites this isn’t an option. Enter Javascript MD5—an implementation of the cryptographically secure MD5 hashing function in Javascript. This can be used to build a CHAP login system where the client sends the MD5 of the password appended on to a challenge string, which the server can then recalculate and compare (all without the password being transmitted from client to server).
The author links to implementations of this idea in various languages, and implementing it from scratch in PHP is quite trivial. With a bit of care the system can be set up so that browsers with no javascript support submit the password normally, while those with javascript send only the hash.
A modified version of the system is used by Yahoo’s Login Page, so it is certainly feasible for deployment in a commercial environment. Obviously an https
encrypted session is far more secure, but for non-ecommerce web applications this technique is a no-brainer.
More recent articles
- OpenAI DevDay: Let’s build developer tools, not digital God - 2nd October 2024
- OpenAI DevDay 2024 live blog - 1st October 2024
- Weeknotes: Three podcasts, two trips and a new plugin system - 30th September 2024