logins with no SSL?

Toby A Inkster

Doug said:
Well, it wouldn't really be twice the code... May be some extra
JavaScript code, but basically, the JavaScript would hash the password.
If JavaScript is not available, it would just do it the regular way.
I can cut and paste the JavaScript code to hash the password.

Of course you need to send a unique salt with every login form. Otherwise
the hashing is pointless as the hash of the password effectively becomes a
password which is passed in clear text.
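The point about a unique salt per login form, as an added example that is not part of the original post: a simulation of both sides in Python, where the server issues a one-time salt, the client sends an HMAC over it, and a captured response is rejected on replay, next to the unsalted variant where the captured hash works every time. The class and function names, the SHA-256/HMAC choice and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def pw_hash(password):
    # Assumption: the server stores sha256(password). That stored value is
    # password-equivalent at rest; the demo only covers the wire replay case.
    return hashlib.sha256(password.encode()).hexdigest()


class LoginServer:
    """Hypothetical server side: one fresh salt per rendered login form."""

    def __init__(self, users):
        self.stored = {user: pw_hash(pw) for user, pw in users.items()}
        self.pending = set()  # salts issued but not yet used

    def new_form(self):
        salt = secrets.token_hex(16)
        self.pending.add(salt)
        return salt

    def check(self, user, salt, response):
        if salt not in self.pending:
            return False  # never issued, or already used once
        self.pending.discard(salt)  # single use, even on failure
        stored = self.stored.get(user)
        if stored is None:
            return False
        expected = hmac.new(salt.encode(), stored.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, salt):
    """What the login page's JavaScript would compute before submitting."""
    return hmac.new(salt.encode(), pw_hash(password).encode(), hashlib.sha256).hexdigest()


def demo():
    server = LoginServer({"alice": "correct horse"})  # constructed sample account
    salt = server.new_form()
    captured = client_response("correct horse", salt)  # value seen on the wire
    first = server.check("alice", salt, captured)      # legitimate login
    replay = server.check("alice", salt, captured)     # same salt re-sent
    stale = server.check("alice", server.new_form(), captured)  # old response, new salt
    # Unsalted variant: the hash itself is the credential, so replay succeeds.
    unsalted_replay = hmac.compare_digest(pw_hash("correct horse"), pw_hash("correct horse"))
    return first, replay, stale, unsalted_replay


if __name__ == "__main__":
    print(demo())
```
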
 
Randy Lawrence

Charles said:
Doug wrote:




Yep, and just about EVERY site sends you passwords in plain email.

Spose it depends what you're doing, protecting the crown jewels or running
a forum?

I, like many, don't use SSL for logins, but I'm not looking after the crown
jewels.

As ever though, don't put anything precious on the web.

You probably know this already so I'll post for the benefit of others
who may not.

Just because a logon page doesn't indicate SSL visibly (closed lock or
HTTPS in the url) doesn't mean it doesn't use SSL to submit the logon
info to the server.

It is possible that some sites don't use SSL for the logon page *BUT*
the info entered into the form is submitted using SSL using an https URL.

The only way to tell is to do a VIEW SOURCE on the logon page to see how
it is submitted.
 
