[eluser]Unknown[/eluser]
Hi, I'm new to CodeIgniter and I'm just learning things as I go. Sorry for my English, it's kinda bad.
You have a nice library here.
What do you guys think about a login system that doesn't send usernames or passwords as plaintext over the internet?
I have done a login system that uses JavaScript on the client side to make an MD5-HMAC hash from the password and a unique challenge key. Every time a user comes to the login page, the server sends him a randomly generated challenge key (on the server side we store this key in the database). The JavaScript uses this unique challenge key and the user input (the password) to create an MD5-HMAC hash. Then we send that encrypted hash to the server.
On the server side I compute that same MD5-HMAC hash string again with PHP, using the same unique challenge key (we stored it in the db earlier) and the real password from the database. If the client-side MD5-HMAC hash and the server-side MD5-HMAC hash match, then we have a valid user. After the user is authenticated successfully we just do sessions as usual (I'm storing sessions in a db) and delete the challenge key.
Advantages:
+ the password is not sent in plaintext
+ hacking the password is much more challenging for crackers; script kiddies might pass by
+ the challenge key is used only one time
+ the password is not an MD5 hash, so a cracker can't use MD5 hash lists to brute-force the password.
Disadvantages:
- it's not SSL
- on the server side we need to get passwords from the database so we can create that server-side MD5-HMAC hash. Currently I'm using Blowfish to encrypt passwords in the db. One-way encryption would be safer.
- if the user disables JavaScript, well, I can't help him. He can't log in.
- if a cracker gets a challenge key and the MD5-HMAC hash from a valid user, he might do some brute-forcing and figure out the user's password some day. But it's not as simple as getting a plaintext password or an MD5 password.
I currently have a working login system on my test site, using the methods I described here. I'm planning to make a CI library from it... I just don't know how yet.
Give me feedback: what do you guys think about doing hashes in client-side JavaScript? Is it worth the coding, or should I consider SSL?
Well, the next option is to enable SSL on my site and do all logins and stuff via SSL, but I would hate to use self-made certificates. Those are so annoying to users and show that I'm a poor man who can't afford a real certificate.