Newbie question alert !! Passwords

How to encrypt a password client side, and decrypt server side

         

neil laurance

2:51 pm on Jul 31, 2001 (gmt 0)



I'm sure you've all seen this question before, if so flame away ;)

An application I am working to improve sends a password across to the server in unencrypted form, so that examining the QUERY_STRING variable, the password can be seen plainly. I was wondering if there is a simple way to encrypt a password client side using JavaScript, and then unencrypt using Perl on the server side?

Thanks for any advice

toadhall

5:13 pm on Jul 31, 2001 (gmt 0)

10+ Year Member



If the query string can be seen it suggests the name/value pair is being appended to the URL. If that's the case you're using the wrong method for sending the password. Use the POST method in your form, not GET, nor any client-side scripting that appends the n/v pair.

ggrot

5:46 pm on Jul 31, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You really should be using a secure connection. Check out verisign.com, or ask your provider for more information. Anything less and the encryption can generally be reversed, although there are ways of making it harder.

If you don't want to go this (somewhat expensive) route, you could have some JavaScript that takes the string, changes the characters with some kind of rough encryption, then submits. The CGI on the other end would then decrypt it. The problem is choosing a safe encryption method. Basically, anything you can choose could be seen by someone else. They could look at your encryption JavaScript source and would be able to determine the password.
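Added example, not part of any post in this thread: a sketch of why a "rough encryption" shipped in the page's JavaScript gives no confidentiality, and of what moving the field from GET to POST does and does not change. The XOR scheme, key, function names, `/login.cgi` path and sample values are all constructed for illustration.

```javascript
// Added illustration, not code from the thread. All names and values are constructed.
const PAGE_KEY = 0x2a; // hypothetical key shipped to every visitor inside the page's script

// "Rough encryption" run in the browser before submit: XOR each character, hex-encode.
function obfuscate(password, key) {
  return Array.from(password, (ch) =>
    (ch.charCodeAt(0) ^ key).toString(16).padStart(2, "0")
  ).join("");
}

// The inverse the CGI would run. It needs only the key, which the page already publishes.
function deobfuscate(hex, key) {
  return (hex.match(/../g) || [])
    .map((pair) => String.fromCharCode(parseInt(pair, 16) ^ key))
    .join("");
}

// GET puts the field in the URL, so it lands in QUERY_STRING and the access log.
function buildGet(user, field) {
  const qs = new URLSearchParams({ user, pw: field }).toString();
  return { requestLine: `GET /login.cgi?${qs} HTTP/1.0`, body: "" };
}

// POST moves the field into the body: out of the URL, but still readable without TLS.
function buildPost(user, field) {
  const body = new URLSearchParams({ user, pw: field }).toString();
  return { requestLine: "POST /login.cgi HTTP/1.0", body };
}

// Server-side check the scheme implies: decode the field, compare to the stored password.
function serverAccepts(field, storedPassword) {
  return deobfuscate(field, PAGE_KEY) === storedPassword;
}

// What anyone reading the access log learns once they have also viewed the page source.
function readFromLog(requestLine, key) {
  const url = new URL(requestLine.split(" ")[1], "http://example.invalid");
  return deobfuscate(url.searchParams.get("pw"), key);
}

const stored = "s3cret!"; // constructed sample password
const field = obfuscate(stored, PAGE_KEY);
const viaGet = buildGet("alice", field);
const viaPost = buildPost("alice", field);
console.log(viaGet.requestLine);                        // encoded value sits in the URL
console.log(readFromLog(viaGet.requestLine, PAGE_KEY)); // decodes back to the password
console.log(viaPost.requestLine, "|", viaPost.body);    // URL is clean, body is not protected
console.log(serverAccepts(field, stored));              // the encoded field is all the server checks
```

Only a secure (TLS) connection, as recommended in the reply above, keeps the submitted value unreadable in transit; POST alone just keeps it out of the URL and the logs built from it.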

neil laurance

8:48 am on Aug 1, 2001 (gmt 0)



Thanks for the information guys.

Cheers, NEIL