UBB.Developers Forums UBB.classic V6.4 - 6.7 Modifications V6 Mod Ideas Login and MD5

Hi,
when a user login, the input type="text" get the password and send it thru POST, so the password is not viewable in the URl, but if a person use a sniffer can grab the password...what about using a MD5 client side javascript (like vbulletin does http://www.vbulletin.com/forum/clientscript/vbulletin_md5.js )?

If you're parinoid enough to worry about sniffing, then you should be using SSL to protect your entire site.

Haha agreed; anyone can sniff messages; heck till recently AIM could be sniffed, it still can for those users don't want to spend $15 a year for an SSL cert for AIM :x...

when a user come back to the forum, the md5 hash is taken from the cookie, right? and then the ubb script have to hash the plain text password contained in the user file and compare, right? or the md5 hash is already written in the user file too?

Right now, the plain text password is hashed and compared to the cookie. I would wager that eventually, there will be md5 server side also ( mentioned here ).

CC wrote:
Sure, why not?

cp2_editprofile.pl... find the line reading:

# Password viewing removed entirely per 6/13 meeting

Uncomment the next 7 lines or so. There's your viewable password.

Unfortunately, that will break entirely when we switch to encrypted passwords in the future.... you'll see something akin to "__MD5:abcdef1234567890abcdef1234567890" instead of the password you were expecting.


so in the future all the password will be in md5?

I think this is a good idea..every time ubb request a cookie has to calculate an md5 hash...

comparing the md5 hash (created with a javascript by the client) and the md5 hash stored in the user profile should be better for ubb performance...

Actually, when the switch occurs, the method of storing the authentication token will also change, which will still require some MD5 calculations. Sorry to disappoint.

Well, when can we expect this? UBB 6.9? I say that since, from what I hear, 6.8 will be mainly coding fixes and rewrites.

I hope not...

Gizzy, where did you hear this? The only thing I've heard from CC is that he can't tell us anything

I don't recall hearing any announcements about what 6.8 will entail yet

/me whistles and walks away innocently

you better run fast before cc catches you or he will lock you down in PHP hell

*rains down 40-character-long PHP functions upon Gizzy*

There's nothing wrong with PHP. You just have to have the proper level of insanity to use it

/me is in PHP hell; send help...

I use PHP, should show you that I'm indeed insane ...