WesleyA Posted April 20, 2016
Hi all,
I would like to know whether it is possible or not to build a secure login script. The script I have as an example is mainly in PHP. I read a couple of tuts online and watched some YouTube videos and discovered that both JavaScript and PHP are used. I don't know much about encryption but more and more questions are rising ... Is it true that it is possible to add JavaScript encryption when you want a user to log in? My own idea is that this looks quite insecure as anybody can see the encryption code. I have more questions but first I would like to know this if possible.

davej Posted April 20, 2016
I think it is a fun idea to play with but the only solution that is considered secure is the use of a security certificate, and even the certificate system is being hacked on a regular basis through the use of bogus or stolen certificates.

Ingolme Posted April 20, 2016
It is not safe. If you want your data to be safe you must have an SSL certificate on your server.

justsomeguy Posted April 20, 2016
And, no, Javascript encryption is pointless. When you either hash or encrypt data that you're saving in a database that should only be done on the server, not in the browser.

davej Posted April 21, 2016
I still think the current situation is bad. We have a multitude of plain-text passwords flowing around the net.

Ingolme Posted April 21, 2016
That's what SSL was invented for. They're not plain text when transmitted over HTTPS.

WesleyA Posted April 22, 2016
> I still think the current situation is bad. We have a multitude of plain-text passwords flowing around the net.

And how vast is 'a multitude' according to you?

dsonesuk Posted April 22, 2016
According to latest estimates it's as long as a piece of string.

davej Posted April 22, 2016
> And how vast is 'a multitude' according to you?

I don't have the statistics but ordinary low-cost shared-hosting accounts can't use certificates unless they use the shared server certificate.

Ingolme Posted April 22, 2016
Shared hosting accounts can use certificates, it's just that people don't bother to buy them. Certificates go by domain name, not by server.

WesleyA Posted April 23, 2016
> According to latest estimates it's as long as a piece of string.

WesleyA Posted April 23, 2016
> And, no, Javascript encryption is pointless. When you either hash or encrypt data that you're saving in a database that should only be done on the server, not in the browser.

I see. For me the entire matter is still a bit perilous. But if I use HTML and the password attribute and have that sent by SSL/TLS towards the server and store the password encrypted in the database then it is safe? I'm asking this because I'm looking for the right method. If there is one; at least. (there could be more namely)

justsomeguy Posted May 4, 2016
Is it safe from what? What specifically are you trying to protect against? It's safe against man-in-the-middle attacks if you're using an SSL certificate from a recognized CA. It's not safe if someone gets into your server and takes your code and database. In general, you want to hash passwords that are stored on the server, not encrypt them.

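Added example, not part of the thread and not any poster's code: the server-side handling the replies point to, sketched in PHP with the built-in `password_hash`, `password_verify` and `password_needs_rehash` functions. The function names `require_https`, `register_user` and `check_login`, the in-memory `$users` array standing in for a database table, and the sample credentials are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory user store standing in for a database table (assumption).
$users = [];

/** True only when the request arrived over HTTPS, so credentials were not sent in the clear. */
function require_https(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

/** Registration: store only a salted, slow hash, never the password or an encrypted copy. */
function register_user(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm; the salt is generated automatically.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

/** Login: verify on the server and upgrade the stored hash if PHP's defaults have changed. */
function check_login(array &$users, string $name, string $password): bool
{
    // Unknown users are checked against a dummy hash so response time does not reveal valid names.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $stored = $users[$name] ?? $dummy;

    $ok = password_verify($password, $stored) && isset($users[$name]);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample run.
register_user($users, 'wesley', 'correct horse battery staple');
var_dump(require_https(['HTTPS' => 'on']));   // request over HTTPS
var_dump(require_https([]));                  // request over plain HTTP
var_dump(check_login($users, 'wesley', 'correct horse battery staple'));
var_dump(check_login($users, 'wesley', 'wrong password'));
var_dump(check_login($users, 'nobody', 'dummy'));
```

Because only the hash is stored, a copy of the database does not hand over the passwords themselves, which is the difference from storing them encrypted with a key that lives on the same server.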