
I want to create a secure login, so I want to encrypt the password before I send it as POST parameter. I am doing it with a SHA1 javascript function.

Then I realize that if someone intercepts the encrypted password, he can use it right away. Sending it as a post parameter the same URL.

How can I be sure that the password comes from the login input field? Maybe with a PHP session? I don't want to use secure http yet. Anyone has a simple alternative?


4 Answers

10

How can I be sure that the password comes from the login input field?

You can't.

The closest thing to that is the usual defences against CSRF … but that will only stop people tricking users into submitting data from their site to your site. It won't protect passwords.

I don't want to use secure http yet. Anyone has a simple alternative?

HTTPS is the simple option.


3 Comments

Yes, but you have to buy a certificate, etc. I am creating an app for 3 users... Checking by IP would be an option, but it's always annoying because often you want to access it from anywhere.
A certificate is dirt cheap. You can even self-sign if you want to handle distribution of your authority key yourself.
StartSSL is free for simple certs.
3

The only thing that might help you is to create a temporary salt for each session, then encrypt the password on the client side, then decrypt the password using the same salt saved on the server side. The approach is like a unique token used for preventing CSRF, because even if a man-in-the-middle captured the password, s/he can't decrypt it.

Finally, you need to create another (different) algorithm for saving the password in the database; the conceptual idea above is for securing the password between client and server.

Explanation:

Client -> Request -> Server

Server -> Response (sending a unique salt to be used with JavaScript, like session_id()) -> Client

Client -> JavaScript Execution -> Encrypting Password using unique salt

Client -> POST -> server

Server -> decrypting the password with saved salt -> extract the password

I hope someone corrects me if the above idea is wrong!

NOTE: AES can be used for both JS and PHP

Salt = Key

Available Tools:

AES Advanced Encryption Standard

jsaes: AES in JavaScript

PHP AES DEC/ENC

phpAES


2

Sending the SHA1 password over the net to your server effectively makes the SHA1 hash the real password.

Besides having no advantage, you are actually making your security worse: if I steal your database with SHA1 hashes, I can now log in using those directly, without even having to brute-force the hashes to get the 'real' password.

HTTPS is the only real way to secure the password from being sent in plain text. And while you transfer over to HTTPS, make sure you change those SHA1 hashes over to bcrypt.

If you are worried about the extra SSL Cert costs, you can also generate a self-signed certificate, if you are not worried about browser errors or are willing to add the certificate to the trusted list (http://resources.arcgis.com/en/help/main/10.1/index.html#//0154000005q6000000).


-1

Please do the world and all of your customers a favor and CONTINUE to encrypt the password before sending it across non-encrypted HTTP.

There are two sides to this problem, and in this case the two sides are yourself and the customer whom you serve. Most people use the same passwords for many sites, unfortunately; the fact is we do not have the memory capacity to handle matching hundreds of sites we log into with hundreds of passwords, so we as end users choose two or three and move on with our lives. You are most certainly doing wrong if you send your customers' passwords over HTTP without encrypting them first, and there is in fact something to be gained: trust with your customers that their passwords, probably the same as what they log into a bank with, do not fall into the hands of hacks, or even more importantly the hands of anyone associated with development of the website, because mischievous IT employees do exist and it is very easy to capture those passwords as they are sent to your application for processing on the server side...

I would hate to think how many web developers read this article and decide against encryption on the client side; that should be one of the first things we do. It is protection for the users, not yourself... Protecting your database can be done with a multitude of procedures, and every security analyst has their opinion of what to do or not to do, hashed-salted-spunked-dangled-whatever. Client-side encryption should not be debated.

2 Comments

Can you rephrase your answer to be less hostile / demanding? Respecting the question asker is a core tenet around here.
This question is two years old, with an accepted answer and other up-voted answers. Also, this does not answer the question.
