2

I am using a form with user and password fields in that I need to encrypt the password before sending the form to the server for validation. For that I am using md5.js for encryption on client side using the salt information.

test.php

<script LANGUAGE="Javascript" SRC="js/md5.js"></script> <script> function encryptPwd1(strPwd, strSalt, strit) { var strNewSalt = new String(strSalt); if (strPwd == "" || strSalt == "") { return null; } var strEncPwd; var strPwdHash = MD5(strPwd); var strMerged = strNewSalt + strPwdHash; var strMerged1 = MD5(strMerged); return strMerged1; } function validateForm(strSalt, strit) { var strEncPwd = new String(encryptPwd1(document.getElementById("password").value, strSalt, strit)); document.getElementById("password").value = strEncPwd; document.login.submit(); return true; } </script> <form method="post" action="test1.php"> <input type="hidden" name="salt" id="salt" value="8qadr4xnCPW275BaNpYX"> <label class="login">Password:</label> <input name="password" id="password" type="password" /> <input type="submit" name="gos" id="gos" value="Login" onClick="return validateForm('8qadr4xnCPW275BaNpYX','38');"> </form>

This is the form which contains the client encryption using JavaScript and md5.js. I can successfully encrypt the message and send it to test1.php in that test1.php. I don't know how to decrypt the text please help me.

Improve this question
14
  • 1
    What you are talking about here is hashing, not encryption. Hashing is not meant to be reversible (even though MD5 is very insecure and it's possible to reverse it). You should be rehashing on the server side and comparing with the JS hash rather than trying to reverse it. Commented Jul 11, 2014 at 0:53
  • Why don't you simply use md5 to decrypt it instead trying to reverse it or created md5 decryption Commented Jul 11, 2014 at 0:58
  • @orciny can any one guide me how to do that please. or any examples Commented Jul 11, 2014 at 1:01
  • Take a look at the PHP MD5 functions. php.net/manual/en/function.md5.php Although these days, they're not considered strong enough to hash passwords with. You should maybe look into a stronger algorithm using password_hash: au2.php.net/manual/en/function.password-hash.php Commented Jul 11, 2014 at 1:07
  • @orciny this never shows how to do with client side give me an example so that i cant study well or tell how to decrypt the in test1.php Commented Jul 11, 2014 at 1:11

3 Answers 3

Reset to default
3

Hang on a minute here.

This is just a bad idea (I can think of other adjectives here but will limit myself to BAD).

Anybody can read your page source with any browser, so what do I see if I do that....

  1. I now know that you are using MD5 to hash your passwords on your database (let's ignore how bad MD5 is for now)
  2. And lo and behold I also know the SALT that you are using!

Why not just give me your bank account number and PIN code, and for good measure the keys to your house and car!

I assume you don't have a boat or you would have drowned by now!

Don't try and do this in the browser, the only secure way is to use SSL.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

i am just doing this for learning purpose can any one teach me how?
But my point is there is nothing to learn from what you are doing other than it is a very bad idea and has no place in any system.
2

You want to protect the plain text password from a "man in the middle", which is listening the network traffic. Unfortunately it is not possible to prevent this with client-side java-script, because the attacker can see the sent java-script as well and would also be able to simply remove this script from the request.

The only reliable way to protect the transfer of the password is using HTTPS with SSL encryption. This also only works because a secret is already shared (the certificates installed within your browser).

Client-side hashing can have it's purpose as well, but never replaces server-side hashing. You can transfer CPU power used for hashing to the client. On the server side you would have to hash again, but with fewer rounds.

Improve this answer

Comments

1

Password encryption is needed because of password trace will be stored in browser memory on your computer when you make submission. If a hacker get access to your computer, with a widely available tool, your stored data will be exposed.

The remedy for that is to make it harder for the hacker to get hold of your password...

There are two things to remember: 1) submit via form 2) submit via ajax

In both cased it is important that you control the character encoding of your submission and make sure your server character encoding is in synch with your application web page.

If you do not control the encoding, then your ajax call may end up with different set of encoding than your submission via form and hence your decoding will not be easy.

Once you have them under control then use code in what ever language you want to decode... however, you need to keep a reference of salt and stringit on server side.. and you need to randomly generate different set of strings on each page you provide for users.

one way to do it is by including them in form as hidden inputs.. but you need to remove the inputs on the fly from the form right before you allow the form to proceed with submission.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.