WesleyA, posted April 20, 2016:

Hi all, I would like to know whether it is possible or not to build a secure login script. The script I have as an example is mainly in PHP. I read a couple of tuts online and watched some YouTube videos and discovered that both JavaScript and PHP are used. I don't know much about encryption but more and more questions are rising... Is it true that it is possible to add JavaScript encryption when you want a user to log in? My own idea is that this looks quite insecure as anybody can see the encryption code. I have more questions but first I would like to know this if possible.

davej, posted April 20, 2016:

I think it is a fun idea to play with, but the only solution that is considered secure is the use of a security certificate, and even the certificate system is being hacked on a regular basis through the use of bogus or stolen certificates.

Ingolme, posted April 20, 2016:

It is not safe. If you want your data to be safe you must have an SSL certificate on your server.

justsomeguy, posted April 20, 2016:

And, no, JavaScript encryption is pointless. When you either hash or encrypt data that you're saving in a database, that should only be done on the server, not in the browser.

davej, posted April 21, 2016:

I still think the current situation is bad. We have a multitude of plain-text passwords flowing around the net.

Ingolme, posted April 21, 2016:

That's what SSL was invented for. They're not plain text when transmitted over HTTPS.

WesleyA, posted April 22, 2016:

> I still think the current situation is bad. We have a multitude of plain-text passwords flowing around the net.

And how vast is 'a multitude' according to you?

dsonesuk, posted April 22, 2016:

According to latest estimates it's as long as a piece of string.

davej, posted April 22, 2016:

> And how vast is 'a multitude' according to you?

I don't have the statistics but ordinary low-cost shared-hosting accounts can't use certificates unless they use the shared server certificate.

Ingolme, posted April 22, 2016:

Shared hosting accounts can use certificates, it's just that people don't bother to buy them. Certificates go by domain name, not by server.

WesleyA, posted April 23, 2016:

> According to latest estimates it's as long as a piece of string.

WesleyA, posted April 23, 2016:

> And, no, JavaScript encryption is pointless. When you either hash or encrypt data that you're saving in a database, that should only be done on the server, not in the browser.

I see. For me the entire matter is still a bit perilous. But if I use HTML and the password attribute and have that sent by SSL/TLS towards the server and store the password encrypted in the database, then it is safe? I'm asking this because I'm looking for the right method. If there is one, at least. (There could be more, namely.)

justsomeguy, posted May 4, 2016:

Is it safe from what? What specifically are you trying to protect against? It's safe against man-in-the-middle attacks if you're using an SSL certificate from a recognized CA. It's not safe if someone gets into your server and takes your code and database. In general, you want to hash passwords that are stored on the server, not encrypt them.

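The server-side hashing recommended in the replies above, as an added example that is not code posted by anyone in the thread. It uses PHP's built-in password_hash(), password_verify() and password_needs_rehash(); the in-memory SQLite table, its column names and the sample account are constructed for illustration, and it assumes PHP 7.4 or later with the pdo_sqlite extension, served over HTTPS in a real deployment.

```php
<?php
declare(strict_types=1);
// Added example: hash passwords on the server, never in the browser.
// Table, columns and the sample account below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $db, string $name, string $password): void
{
    // password_hash() picks a random salt and stores it, together with
    // the algorithm and cost, inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)')
       ->execute([$name, $hash]);
}

function login(PDO $db, string $name, string $password): bool
{
    // Hash of a throwaway value, verified when the name is unknown so
    // that known and unknown names take about the same time to reject.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn(); // false when no such user

    $ok = password_verify($password, $stored === false ? $dummy : $stored);
    if ($stored === false || !$ok) {
        return false;
    }
    // Re-hash on successful login if the default algorithm or cost changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET pw_hash = ? WHERE name = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

// Constructed account and login attempts: correct, wrong password, unknown user.
register($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong guess'));
var_dump(login($db, 'nobody', 'anything'));
```

Because the stored value is a salted one-way hash, a copy of the database does not directly reveal the passwords, which is the case encryption with a key kept on the same server does not cover.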