javascript - Client side 100% secure password POST -


I came to avoid sniffing posts to steal the password with this principle. This idea is to add a salt string (generated at random php session_start ()).

Please enter here

Please note Give, salt_hash is randomly generated on every access ... it is not done in the customer's favor.

Basically the JS code will be added to HTML: 

    
 So before posting it, I'll calculate ...  
  cryptoPass = md5 (md5 (password) + salt_hash); passowrd = ''; // Clear user password input submitted postage ...; Then at login.php I compare $ 5 _POST ['cryptoPass'] with MD5 (mysql user password stored with MD5, plus salt_hash)   < p> Does it really work or is this a nonsense?   
 
 
 First of all, I will start with a side note, the first rule is to create your own crypto And does not attempt to use there are professionals who are very good at making crotos algorithms, and people are still able to crack them.  
 Your plan does not really add much security to this plan if an attacker knew that you were calculating swans with this:  
 
 cryptoPass = md5 ( md5 (password) + salt_hash);   
 Use the same algorithm if they knew the salt value. It does not add almost any security because it takes approximately equal time to crack:  
 
 cryptoPass = md5 (password + salt);   
 Cracking algorithm because it is the same complexity at the same time  
 The best solution here is to just use TLS, which is easily implemented.  
 and  Context of client side 100% safe  Insert anything   is unreal, unfortunately 100% there is no way to secure something. If man has made it, then with enough time, this man can crack it.  
 
  Why it is bad to use hashing + salt on the client side as an encryption mechanism:   
 Suppose you use random hashing As you have mentioned, the client starts the login sequence with the server and the server sends it the salt value:  
 
 718904732197   
 The attacker is now using salt Know the value now, the customer keeps his password using his hashing function:  
 
 cry PtoPass = md5 (md5 (password) + salt_hash);   
 The salt hash is random, but it is known and algorithm, by which an attacker uses a simple brute force algorithm to cut the hash (this is the simple 6 digit passwords for seconds to circumvent Will take the case). They can also use dictionary attacks against rainbow table and hash to increase cracking speed.  
 An attacker will produce a hash by using your known work:  
 
 cryptoPass = md5 (md5 (password) + salt_hash);   
 And they already know the salt value, they will remove the password from the hash using the brush force. Now they have a clear text password and probably have a username so that they can now enter that user's account.  
 
 Perhaps it will help you:  
 Is it better to have no security? Yes  
 Hashing is better than hashing alone? Yes  
 Is using a random salt value more secure? Yes, to an extent  
 All this aside, the scheme you are using is not safe from today's standards. Your entire algorithm in an experienced cracker can be in just a few hours.

Comments

Post a Comment

Popular posts from this blog

Verilog Error: output or inout port "Q" must be connected to a structural net expression -

I get the error every time, I try to compile. I'm not sure why anyone can help is? I'm new to verilog. Module D_FF (clerk, d, reset_n, q); Input D, Clack, reset_en; Output Q; reg Q; lab4_gdl f1 (.lk (~ clk), d (d), .q.m (qm)); lab4_GDL f2 (.Clk (Clk), D (QM), .Q (Q)); Always start at @ (posedge clk, neggeous reset_n) (Reset_n == 0) Q & lt; = 0; Other questions & lt; = D; Edit End: The problem is what we are asking to do: In this section, you apply the memory / registration circuit on the AlterEdie 2 board. will do. The circuit has the following specifications: The present value of swift SW15-0 on the D2 board should be shown in four hexadecimal four sections of HEX3-0. This part of the circuit will be combination logic. To use an active-less asynchronous reset and KEY1 to use KEY0 as the clock input, you must store SW15-0in in a 16-bit register in the value The register should be enabled to have a 16-bit positive edge, which uses the embedded D flip-flo
Read more

jasper reports - How to center align barcode using jasperreports and barcode4j -

I use iReport 5.5.0 . How to align a barcode component to the center The relevant piece of my jrxml is below & Lt; JR: Code 128 xmlns: JR = "http://jasperreports.sourceforge.net/jasperreports/components" xsi: schemaLocation = "http://jasperreports.sourceforge.net/jasperreports/components http: //jasperreports.sourceforge Purge / xsd / components.xsd "textPosition =" bottom "& gt; & Lt; Jr: codeExpression & gt; & Lt; [CDATA [$ F {number}]] & gt; & Lt; / Jr: codeExpression & gt; & Lt; / Jr: Code 128 & gt; & Lt; / componentElement & gt; "Text" itemprop = "text"> Create a style after this, it is called "barcode", like: & lt; Style name = "barcode" fontName = "Helvetica" fONTSIZE = "10" hAlign = "center" valign = "center" /> and set the property of your barcode element to "barcode".
Read more

c# - ASP.NET MVC - Attaching an entity of type 'MODELNAME' failed because another entity of the same type already has the same primary key value -

In brief, the wrapper module is inserted during posting and the status of an entry is changed to 'modified' . Before changing the state, the state is set to 'separate', but calling attachments () causes the same error to be thrown away. I am using EF 6. Model / wrapper class public class avi model {public A is a {get; Set; } Public listing & lt; B & gt; B {received; Set; } Public cc {receipt; Set; }} Administrator edit public functioning (int? id) {if (id == null) {new HttpStatusCodeResult (HttpStatusCode.BadRequest); } If (! Conveyor Access (id.Value)) new HTTPTitus code result (HTTP status code. Forbidden); Var aViewModel = new AViewModel (); aViewModel.A = db.As.Find (id); If (aViewModel.Receipt == zero) {return HttpNotFound (); } aViewModel.b = db.Bs.Where (x => x.aid == id.Value) .Oolist (); AViewModel.Vendor = db.Cs.Where (x => x.cid == aViewModel.a.cID) .FirstOrDefault (); See Return (aViewModel); } [HTPFost] [Valid AntitiferousTeacon
Read more