Why plaintext password cookie?! - WebmasterWorld Community Center forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Why plaintext password cookie?!

Possible security risk

c3oc3o

8:48 am on Sep 15, 2002 (gmt 0)

10+ Year Member

I looked through my cookies with Mozilla today:
Why does this forum set a cookie with my password in it in plaintext? :o
That means anyone who has physical access to this computer for a minute or gains access through trojans etc can read my password here. Also, if you ever have a cross-site scripting problem in the forum (public able to insert JavaScript code somewhere on the page, like found with phpBB, YaBB and other forum scripts in the past), or a new browser error that allows reading foreign cookies is found, which has also happened several times in the past (example for IE [neworder.box.sk], example for Konqueror [neworder.box.sk] from 3 days ago), anyone can get my password.

That's, mildly said, totally unnecessary and a risk one should at the very least be warned of when one signs up so no sensitive password is used here (if there is such a warning, it's not visible enough, I don't remember any)!

Why don't you save the pw as MD5 hash or similar 'one-way encryption' as any basic web security tutorial will implore you?

chris_f

9:54 am on Sep 15, 2002 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Brett has been on record (and I agree) saying that encrypted cookies are easy to break. The data here isn't too sensitive like finances and encrypting the cookie just adds more complications for very little security.

Chris

p.s. nice find though. I'm glad I'm not the only one to analyse cookies. I feel kinda more sane at the minute.

c3oc3o

11:01 am on Sep 15, 2002 (gmt 0)

10+ Year Member

I'm not proposing encryption, I'm proposing a non-reversible hash algorithm. This could be only cracked by brute force, and that only if you have a few thousand years of spare time (of course still depending on you to chose a password thats not in the dictionary or otherwise common).

"[The MD5 message-digest algorithm] algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to [...] produce any message having a given prespecified target message digest."
[faqs.org...]

MD5 functions are built-in in mySQL [mysql.com] and PHP [php.net] and availible for most other languages [userpages.umbc.edu].

That would be as easy as setting the cookie with this...
$cookiepw = md5($password);
...and doing user identification like this...
if ($cookiepw == md5($databasepw))

I use md5 for identification cookies on my own sites and it's being used by default with board systems like vBulletin (who in current versions not even store your password in plaintext in the DATABASE, only as md5-hash, so not even the admin can view your pw). MD5 is also in use in PGP and hundreds of other applications and scripts.

It's really neither insecure nor difficult to implement.

Brett_Tabke

12:08 pm on Sep 15, 2002 (gmt 0)

WebmasterWorld Administrator

10+ Year Member

Top Contributors Of The Month

Short story - agreed it needs to change. It's on the list. I won't go to something super complex or that uses excessively intensive stuff like md5 (stuff like that kills sites - no modules are used here other than default perl 5). I would do a very simple hash (one regex) that was quick to encode and quick to decode. Speed is the primary concern. Crypt and all the other encoding stuff are far too processor intensive.