
Is JavaScript encryption for a login system safe?


WesleyA


Hi all

 

I would like to know whether it is possible or not to build a secure login script. The script I have as an example is mainly in PHP.

 

I read a couple of tuts online and watched some YouTube videos and discovered that both JavaScript and PHP are used.

 

I don't know much about encryption but more and more questions are rising .....

 

Is it true that it is possible to add JavaScript encryption when you want a user to log in?

 

My own idea is that this looks quite insecure as anybody can see the encryption code.

 

 

I have more questions but first I would like to know this if possible.


I think it is a fun idea to play with but the only solution that is considered secure is the use of a security certificate, and even the certificate system is being hacked on a regular basis through the use of bogus or stolen certificates.


 

And how vast is ' a multitude ' according to you?

 

I don't have the statistics but ordinary low-cost shared-hosting accounts can't use certificates unless they use the shared server certificate.


Shared hosting accounts can use certificates, it's just that people don't bother to buy them. Certificates go by domain name, not by server.


And, no, JavaScript encryption is pointless. When you either hash or encrypt data that you're saving in a database, that should only be done on the server, not in the browser.

 

I see.

 

For me the entire matter is still a bit perilous.

 

But if I use HTML and the password attribute and have that sent by SSL/TLS towards the server and store the password encrypted in the database then it is safe?

 

I'm asking this because I'm looking for the right method. If there is one; at least. (there could be more, namely)


  • 2 weeks later...

Is it safe from what? What specifically are you trying to protect against? It's safe against man-in-the-middle attacks if you're using an SSL certificate from a recognized CA. It's not safe if someone gets into your server and takes your code and database.

 

In general, you want to hash passwords that are stored on the server, not encrypt them.

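The server-side hashing recommended in the last reply, as an added example that is not part of the original thread: it uses PHP's built-in `password_hash()`, `password_verify()` and `password_needs_rehash()`. The in-memory `$users` array (standing in for the database), the `register()`/`login()` function names, the `DUMMY_HASH` constant and the sample credentials are assumptions made for illustration.

```php
<?php
// Constructed stand-in for a users table: username => stored hash.
// A real application would keep this column in its database.
$users = [];

// Hash of a throwaway value, used only to keep login timing uniform.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Registration: runs on the server after the form arrives over HTTPS.
function register(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds the algorithm,
    // cost and salt in the returned string, so this one value is all
    // that needs to be stored. It cannot be decrypted back to the password.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: compare the submitted password with the stored hash.
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Unknown user: still run a verification so the response time
        // does not reveal which usernames exist.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample credentials.
register($users, 'alice', 'correct horse battery staple');
$firstHash = $users['alice'];
register($users, 'alice', 'correct horse battery staple');

// Same password hashed twice: compare the two stored strings.
var_dump($firstHash === $users['alice']);
// Right password, wrong password, unknown user.
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong guess'));
var_dump(login($users, 'bob', 'anything'));
```

The password still travels to the server in the request body, so this only protects the stored copy; the TLS certificate discussed in the thread is what protects it in transit.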
