flat assembler
Message board for the users of flat assembler.

new idea for better secure logging

vbVeryBeginner
hi, i just thought of an idea (i guess it is more secure).
i guess most of us sometimes log in to sites which don't implement HTTPS, so our id and password are transferred in a way that is (almost naked... my password is quite shy now).... i guess how about we add a little simple thing which would make it more secure. (it could be browser implemented or site implemented or both)

md5(time+ur password) //php. md5(200510061859."mypassword");
// and we need tools to calculate md5 which is easy to build.
so, our password would change every minute. when the server receives login info from a user, it would first get the password of the user from the db based on his/her submitted id (so, no need to md5 the id), then the server would md5(currenttime +- 1 minute."mypassword") and compare it with the submitted md5 value; if either is true, then the user is allowed to log in.

by implementing it in the browser and server parts, things would get easier and more secure.

maybe privalov wanna try this on this board, coz... my password is too naked... :D
Post 06 Oct 2005, 11:03
vbVeryBeginner
i guess by combining javascript with php... this is quite a secure way of logging.
Post 06 Oct 2005, 11:07
LocoDelAssembly
Your idea is the same as the APOP command of the POP3 protocol http://www.faqs.org/rfcs/rfc1939.html

I had the same idea some time ago but using it on every hit on the site to prevent the session from being stolen. My idea was to send on every response a new timestamp to be used on the next hit (and registering it in the session). Of course on every hit the password is transferred in an MD5 digest using the last timestamp the server gave to us.

Good luck with this!
Post 06 Oct 2005, 11:57
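The two schemes discussed in the posts above, side by side, as an added example that is not part of any post in this thread: the md5(time . password) login with a +/- 1 minute acceptance window, and a server-issued single-use challenge in the spirit of APOP and the per-hit timestamp. It assumes Node.js with its built-in `crypto` module and UTC minute stamps; all function names are hypothetical, the sample password and times are constructed, and HMAC-SHA256 is swapped in for plain MD5 concatenation in the challenge variant.

```javascript
// Added example, not from the thread. Password and timestamps are constructed.
const crypto = require("crypto");

const md5hex = (s) => crypto.createHash("md5").update(s).digest("hex");
const safeEqual = (a, b) =>
  a.length === b.length && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));

// Minute stamp in the thread's format, e.g. 200510061859 (UTC is an assumption).
const minuteStamp = (d) => d.toISOString().replace(/[-T:]/g, "").slice(0, 12);

// Client side of the thread's scheme: md5(time . password).
const timeDigest = (password, d) => md5hex(minuteStamp(d) + password);

// Server side: accept the current minute and +/- 1 minute. The server has to
// hold the password itself, since a salted hash cannot recompute the digest.
function verifyTimeDigest(storedPassword, submitted, now) {
  return [-1, 0, 1].some((m) =>
    safeEqual(timeDigest(storedPassword, new Date(now.getTime() + m * 60000)), submitted));
}

// Server-issued challenge, valid once (the APOP / per-hit timestamp idea).
// HMAC-SHA256 is swapped in here for the thread's plain MD5 concatenation.
const outstanding = new Set();
function issueChallenge() {
  const c = crypto.randomBytes(16).toString("hex");
  outstanding.add(c);
  return c;
}
const respond = (password, challenge) =>
  crypto.createHmac("sha256", password).update(challenge).digest("hex");
function verifyChallenge(storedPassword, challenge, response) {
  if (!outstanding.delete(challenge)) return false; // unknown or already used
  return safeEqual(respond(storedPassword, challenge), response);
}

// A digest observed on the wire at 18:59:30 UTC, then presented again later.
function demo() {
  const pw = "mypassword";
  const t = new Date(Date.UTC(2005, 9, 6, 18, 59, 30));
  const seen = timeDigest(pw, t);
  const c = issueChallenge();
  const r = respond(pw, c);
  return {
    stamp: minuteStamp(t),
    replay45s: verifyTimeDigest(pw, seen, new Date(t.getTime() + 45000)),
    replay150s: verifyTimeDigest(pw, seen, new Date(t.getTime() + 150000)),
    challengeFirst: verifyChallenge(pw, c, r),
    challengeReplay: verifyChallenge(pw, c, r),
  };
}
```

`demo()` shows that a time-based digest is still accepted when presented again inside the window, while a response to a single-use challenge is rejected the second time.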
revolution
Yahoo! do this with their logon. Check the source at login; it has MD5 code in Java.
Post 06 Oct 2005, 12:14


Copyright © 1999-2020, Tomasz Grysztar.
