
Why plaintext password cookie?!

Possible security risk

8:48 am on Sep 15, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:July 13, 2002
posts:133
votes: 0


I looked through my cookies with Mozilla today:
Why does this forum set a cookie with my password in it in plaintext? :o
That means anyone who has physical access to this computer for a minute or gains access through trojans etc can read my password here. Also, if you ever have a cross-site scripting problem in the forum (public able to insert JavaScript code somewhere on the page, like found with phpBB, YaBB and other forum scripts in the past), or a new browser error that allows reading foreign cookies is found, which has also happened several times in the past (example for IE [neworder.box.sk], example for Konqueror [neworder.box.sk] from 3 days ago), anyone can get my password.

That's, mildly said, totally unnecessary and a risk one should at the very least be warned of when one signs up so no sensitive password is used here (if there is such a warning, it's not visible enough, I don't remember any)!

Why don't you save the pw as MD5 hash or similar 'one-way encryption' as any basic web security tutorial will implore you?

9:54 am on Sept 15, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 5, 2002
posts:1510
votes: 0


Brett has been on record (and I agree) saying that encrypted cookies are easy to break. The data here isn't too sensitive like finances and encrypting the cookie just adds more complications for very little security.

Chris

p.s. nice find though. I'm glad I'm not the only one to analyse cookies. I feel kinda more sane at the minute.

11:01 am on Sept 15, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:July 13, 2002
posts:133
votes: 0


I'm not proposing encryption, I'm proposing a non-reversible hash algorithm. This could only be cracked by brute force, and that only if you have a few thousand years of spare time (of course still depending on you to choose a password that's not in the dictionary or otherwise common).

"[The MD5 message-digest algorithm] algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to [...] produce any message having a given prespecified target message digest."
[faqs.org...]

MD5 functions are built into MySQL [mysql.com] and PHP [php.net] and available for most other languages [userpages.umbc.edu].

That would be as easy as setting the cookie with this...
$cookiepw = md5($password); // hex digest of the password, never the password itself
setcookie('pw', $cookiepw);
...and doing user identification like this...
if ($cookiepw === md5($databasepw)) // strict comparison: PHP's loose == can treat two hex digests as equal numbers

I use md5 for identification cookies on my own sites and it's used by default in board systems like vBulletin (which in current versions doesn't even store your password in plaintext in the DATABASE, only as an md5 hash, so not even the admin can view your pw). MD5 is also in use in PGP and hundreds of other applications and scripts.

It's really neither insecure nor difficult to implement.
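As an added illustration (not code from the thread or from WebmasterWorld), the scheme proposed above in Python: the cookie carries md5(password) and is checked against the md5 stored for the user. It also goes one step further than the post, showing a cookie signed with a server-side secret that carries no password-derived value at all, so that a stolen cookie expires instead of working forever; the user record and secret are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample user table: password stored only as an md5 hex digest,
# as the post describes vBulletin doing. Not real credentials.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def md5_cookie_value(password: str) -> str:
    """The proposed cookie value: md5 of the password, not the password."""
    return hashlib.md5(password.encode()).hexdigest()


def check_md5_cookie(user: str, cookie_value: str) -> bool:
    """Proposed check: cookie digest == stored digest (constant-time compare)."""
    stored = USERS.get(user)
    if stored is None:
        return False
    # Note: whoever reads this cookie can still log in with it; only the
    # cleartext password stays hidden, and an unsalted fast hash is
    # dictionary-crackable. Hence the signed-token alternative below.
    return hmac.compare_digest(stored, cookie_value)


# Secret lives only on the server; constructed fresh here for the example.
SERVER_SECRET = secrets.token_bytes(32)


def issue_session_cookie(user: str, expires: int) -> str:
    """Cookie = user|expiry|HMAC(secret, user|expiry): no password material."""
    payload = f"{user}|{expires}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_session_cookie(cookie: str, now: int) -> Optional[str]:
    """Return the user if the signature is valid and the cookie is unexpired."""
    try:
        user, expires, sig = cookie.split("|")
    except ValueError:
        return None  # malformed cookie
    payload = f"{user}|{expires}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged
    if now >= int(expires):
        return None  # expired: a leaked cookie stops working
    return user
```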

12:08 pm on Sept 15, 2002 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38196
votes: 90


Short story - agreed it needs to change. It's on the list. I won't go to something super complex or that uses excessively intensive stuff like md5 (stuff like that kills sites - no modules are used here other than default perl 5). I would do a very simple hash (one regex) that was quick to encode and quick to decode. Speed is the primary concern. Crypt and all the other encoding stuff are far too processor intensive.