How to send password securely via HTTP using Javascript in absence of HTTPS?

by

There is no way to send a password securely that the user can verify without SSL.

Sure, you can write some JavaScript that will make a password secure for over-the-wire transmission through hashing or public-key-encryption. But how can the user be sure that the JavaScript itself has not been tampered with by a man-in-the-middle before it reached them, to send the password to an attacker instead of the site, or even just compromise the security of the algorithm? The only way would be for them to be expert programmers and have them inspect every line of your page and script to ensure it was kosher before typing the password. That is not a realistic scenario.

If you want passwords to be safe from man-in-the-middle attacks, you must buy an SSL cert. There is no other way. Get used to it.

If I use MD5, one can reverse that password string.

No… not trivially at least. Whilst MD5 has attacks against it, it’s a hashing algorithm and thus unreversable. You would have to brute-force it.

But again, a man-in-the-middle attacker doesn’t need to look at your MD5s. He can simply sabotage the JavaScript you send the user to make the MD5s.

More Related Contents:

  1. Non-random salt for password hashes
  2. Fundamental difference between Hashing and Encryption algorithms
  3. How to redirect all HTTP requests to HTTPS
  4. Difference between Hashing a Password and Encrypting it
  5. Are HTTP cookies port specific?
  6. Is “double hashing” a password less secure than just hashing it once?
  7. How can bcrypt have built-in salts?
  8. SHA512 vs. Blowfish and Bcrypt [closed]
  9. The necessity of hiding the salt for a hash
  10. Where do you store your salt strings?
  11. Password hashing, salt and storage of hashed values
  12. What algorithm should I use to hash passwords into my database? [duplicate]
  13. Best Practices: Salting & peppering passwords?
  14. Is it safe to put a jwt into the url as a query parameter of a GET request?
  15. Why do salts make dictionary attacks ‘impossible’?
  16. md5 decoding. How they do it?
  17. Is HTTP header Referer sent when going to a http page from a https page?
  18. Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?
  19. How to redirect all HTTP requests to HTTPS using .htaccess rules?
  20. Why not use MD5 for password hashing?
  21. WS on HTTP vs WSS on HTTPS
  22. How can I hash passwords in postgresql?
  23. What is the clash rate for md5? [closed]
  24. Do I need a “random salt” once per password or only once per database?
  25. What is the best way to implement “remember me” for a website? [closed]
  26. How do you protect your software from illegal distribution? [closed]
  27. Stopping users voting multiple times on a website
  28. IIS7, web.config to allow only static file handler in directory /uploads of website
  29. How to do stateless (session-less) & cookie-less authentication?
  30. Is there a way to force apache to return 404 instead of 403?

Leave a Comment