Does hotmail store passwords in plain text?


20 replies to this topic

#16 DaveLegg

    Coderator at heart

  • 7,532 posts
  • Joined: 31-October 04
  • Location: Oxford, UK

Posted 13 November 2012 - 08:47

Bear in mind that as you said, you just logged in. As part of the logging in process, you provided an unencrypted version of your password. It would be easy as part of the login process for them to check that against a stored list of weak passwords, and forward you on to a page warning you of its weakness, no need to be able to decrypt the stored password to do that.


#17 Haggis

    Resident Elite

  • 1,339 posts
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 13 November 2012 - 08:48

Maybe I am just being dumb here, but

when you type in a username it automatically checks to see if that's available, using ajax/jquery for example.

What's stopping it doing the same for passwords before it's encrypted?

#18 +GreenMartian

    Resident Elite

  • 1,687 posts
  • Joined: 28-August 04
  • Location: adelaide, au

Posted 13 November 2012 - 10:53

Another "maybe I am dumb" question here..

Isn't it the case that when you create a password, it would be transmitted unhashed anyway? (plaintext - over SSL of course!) So the server receives it as plaintext and can easily do a text comparison against a list of insecure passwords?

Then when it saves it, it would salt+hash the password. When you login, it would do the same thing - transmit plaintext, then the server hashes it and compares it with the stored hash?
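The flow DaveLegg and GreenMartian describe (plaintext arrives over HTTPS, the weak-list check is a plain comparison on that plaintext, the stored value is salt+hash, and login rehashes and compares) as an added example, not code from the thread or from Hotmail; the weak-password list and PBKDF2 parameters are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a weak-password list; a real deployment uses a far larger one.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Assumed work factor for the example; tune to hardware in a real system.
PBKDF2_ITERATIONS = 200_000


def register(password: str) -> dict:
    """Server-side registration. The password arrives in plaintext (inside TLS),
    so it is hashed with a fresh random salt before anything is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def login(password: str, record: dict) -> dict:
    """Server-side login. Recompute the hash with the stored salt and compare it
    in constant time. The weak-list check only needs the plaintext the user just
    submitted; the stored hash is never decrypted (it cannot be)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    authenticated = hmac.compare_digest(digest, record["hash"])
    # Only warn on a successful login, so a wrong guess leaks nothing about the list.
    weak_warning = authenticated and password in WEAK_PASSWORDS
    return {"authenticated": authenticated, "weak_warning": weak_warning}
```

A real site would redirect to a "change your weak password" page when `weak_warning` is set, exactly as the thread describes, without ever needing the stored hash to be reversible.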

#19 OP n_K

    Neowinian Wise One

  • 4,182 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 13 November 2012 - 15:05

Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p

#20 +Majesticmerc

    Resident Idealist

  • 5,103 posts
  • Joined: 24-August 05
  • Location: United Kingdom
  • OS: Arch Linux / Win 7
  • Phone: HTC One X

Posted 13 November 2012 - 22:28

n_K, on 13 November 2012 - 15:05, said:

Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p

Well they're using HTTPS so it's technically still secure... Right?

#21 OP n_K

    Neowinian Wise One

  • 4,182 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 13 November 2012 - 22:32

Majesticmerc, on 13 November 2012 - 22:28, said:

Well they're using HTTPS so it's technically still secure... Right?

Yep, it's all secured over HTTPS, but the password isn't MD5'd before it's sent, so it can check if your password is weak or not.