25

I have a jquery dialog modal box pop up for logging into my website. When a user clicks login it does a post request to a login.php file as follows:

$.post( 'includes/login.php', { user: username, pass: password }, onLogin, 'json' ); 

How do I do an md5 on that password before putting it in the post request? Also, I have the user's passwords stored in a MySQL database using MD5(), so I would like to just compare the stored version of the password with the MD5 of the password submitted. Thanks to anyone that replies.

6
  • 15
    Better use SSL to secure your connection. Commented Dec 26, 2009 at 0:25
  • Agreed with Gumbo. Then on the server side use SHA256 Commented Dec 26, 2009 at 0:40
  • 2
    I do have SSL enabled, but I'd like to have the password encrypted within the encrypted http header. Commented Mar 31, 2010 at 18:33
  • 5
    @Silmaril89, MD5 is not encryption and is not advised for storing passwords. Commented Aug 16, 2012 at 19:18
  • 4
    Not only is it better to use SSL to secure the connection, hashing the password before sending it is completely useless, as explained by jt in his answer. This question being upvoted is bad because it misguides people into thinking that this is actually secure. Commented Dec 3, 2012 at 11:15

6 Answers

31

crypto-js is a rich javascript library containing many cryptography algorithms.

All you have to do is just call CryptoJS.MD5(password)

// CryptoJS.MD5() returns a WordArray object; .toString() gives the hex digest string to post
$.post( 'includes/login.php', { user: username, pass: CryptoJS.MD5(password).toString() }, onLogin, 'json' );

4 Comments

This plugin is no longer available for some reason. There is a version here: richardpeacock.com/dev/files/jquery.md5.js.txt
You should probably use the much more standard code.google.com/p/crypto-js crypto-js and include the JS's for the crypto you need.
I think this answer needs some love care and attention given that the linked plugin appears to be unavailable now.
This is no longer hosted on that CDN. I spent an hour wondering what's going on before realizing this. Ended up getting the zip from here, then using the sha1.js from rollups (which are self-sufficient)
28

If someone is sniffing your plain-text HTTP traffic (or cache/cookies) for passwords, just turning the password into a hash won't help - the hashed password can be "replayed" just as well as plain-text. The client would need to hash the password with something somewhat random (like the date and time). See the section on "AUTH CRAM-MD5" here: http://www.fehcom.de/qmail/smtpauth.html

5 Comments

It is secure if using SSL and the question does not say that it is not.
@malthe Basic auth is secure using SSL
@Motes, it could be argued that the point of the question is to never see the plain text password, hence the use of (presumably salted) md5 on the client side. If using SSL then replay attacks are impossible from just sniffing the traffic.
@malthe A server nonce and client nonce unique to each authorization would just as well defeat sniffing, like digest authentication.
@malthe, and of course using SSL basic auth doesn't transmit the passwords in plain text, they are encrypted by the SSL cert, but if you mean the server shouldn't store the passwords as plaintext that is probably true, but then the only real security increase can come from having a private key somewhere. The server should encrypt the passwords with a never stored server startup password, as storing them using a MD5 with a persistent salt or nonce would still leave the server open to collision attacks. For real security something somewhere needs to be trusted to be unknown by the enemy.
16

I would suggest you use CryptoJS in this case.

Basically CryptoJS is a growing collection of standard and secure cryptographic algorithms implemented in JavaScript using best practices and patterns. They are fast, and they have a consistent and simple interface.

So in case you want to calculate the hash (MD5) of your password string, do as follows:

<script src="http://crypto-js.googlecode.com/svn/tags/3.0.2/build/rollups/md5.js"></script>
<script>
  // Hex MD5 digest of the password, sent in place of the plain text
  var passhash = CryptoJS.MD5(password).toString();
  $.post( 'includes/login.php', { user: username, pass: passhash }, onLogin, 'json' );
</script>

So this script will post the hash of your password string to the server.

For further info and support on other hash calculating algorithms you can visit at:

http://code.google.com/p/crypto-js/

1 Comment

Thanks for this answer ... for those who are looking for encryption/decryption between JavaScript and c#/VB.NET, for javascript this answer is recommended, and you may also want to look at this msdn.microsoft.com/en-us/library/… for c#
4

You might want to check out this page: http://pajhome.org.uk/crypt/md5/

However, if protecting the password is important, you should really be using something like SHA256 (MD5 is not cryptographically secure iirc). Even more, you might want to consider using TLS and getting a cert so you can use https.

2 Comments

Thanks for the reply, I am using https for my website, but for some reason apache uses encryption when transmitting the page, but after the page has loaded it still uses https, but the page is not encrypted. Do you think it will still encrypt the login info when it's submitted?
I'm not an expert, but you can try packet sniffing a test machine to see if it's encrypted or not.
2

In response to jt. You are correct, the HTML with just the password is susceptible to the Man in the middle attack. However, you can seed it with a GUID from the server ...

$.post( 'includes/login.php', { user: username, pass: $.md5(password + GUID) }, onLogin, 'json' ); 

This would defeat the Man-In-The middle ... in that the server would generate a new GUID for each attempt.

1 Comment

yes, this is a good idea. This sort of challenge/response approach is also covered in pajhome.org.uk/crypt/md5/auth.html
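The challenge/response idea from this answer, and from the CRAM-MD5 reference in the earlier answer, worked through as an added example that is not part of the original posts. It assumes Node.js with its built-in crypto module, swaps HMAC-SHA256 in for `$.md5(password + GUID)`, and uses hypothetical names (`issueChallenge`, `clientResponse`, `verifyLogin`) with a constructed account and an in-memory challenge store.

```javascript
const nodeCrypto = require('crypto');

const md5hex = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample account: the server stores MD5(password), as in the question.
const users = new Map([['alice', md5hex('correct horse')]]);
const pending = new Map(); // user -> outstanding challenge (hypothetical in-memory store)
const CHALLENGE_TTL_MS = 60 * 1000;

// Server: issue a fresh random challenge (the "GUID") for one login attempt.
function issueChallenge(user, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(user, { nonce, expires: now + CHALLENGE_TTL_MS });
  return nonce;
}

// Client: hash the password first so the key matches what the server has stored.
function clientResponse(password, nonce) {
  return nodeCrypto.createHmac('sha256', md5hex(password)).update(nonce).digest('hex');
}

// Server: verify and consume the challenge so a captured response cannot be reused.
function verifyLogin(user, response, now = Date.now()) {
  const challenge = pending.get(user);
  pending.delete(user); // single use, whether or not verification succeeds
  const stored = users.get(user);
  if (!challenge || !stored || now > challenge.expires) return false;
  const expected = nodeCrypto.createHmac('sha256', stored).update(challenge.nonce).digest();
  const got = Buffer.from(String(response), 'hex');
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// One login, a replay of the captured response, and an expired challenge.
function demo() {
  const n1 = issueChallenge('alice');
  const captured = clientResponse('correct horse', n1);
  const first = verifyLogin('alice', captured);      // fresh response
  const replaySame = verifyLogin('alice', captured); // challenge already consumed
  issueChallenge('alice');
  const replayNew = verifyLogin('alice', captured);  // response is bound to the old nonce
  const n3 = issueChallenge('alice', 0);
  const late = clientResponse('correct horse', n3);
  const expired = verifyLogin('alice', late, CHALLENGE_TTL_MS + 1);
  return { first, replaySame, replayNew, expired };
}

console.log(demo());
```

Because the server only holds MD5(password), that stored value is the shared secret in this scheme: anyone who obtains the stored hash can compute valid responses, so the exchange complements TLS and does not replace it.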
0

if you're using php jquery, this might help:

$.ajax({
  url: 'phpmd5file.php',
  data: { 'mypassword': mypassword }, // data is an object of key: value pairs
  dataType: "json",
  method: "POST",
  success: function (mymd5password) { alert(mymd5password); }
});

on your phpmd5.php file:

// Hash the submitted password with PHP's md5() and return it as JSON
echo json_encode(md5($_POST["mypassword"]));

no jsplugins needed. just use ajax and let php md5() do the job.

Comments
