The password is hashed with a nonce (a random, one use, string called
challenge). Here's the javascript straight from the login page:
var passwd = form.passwd.value;
var hash1 = MD5(form.passwd.value);
var challenge = form[".challenge"].value;
var hash2 = MD5(form.passwd.value) + challenge;
var hash;
if(form.passwd.value){
hash=MD5(hash2);
} else {
hash="";
}
And the challenge is quite long,
<input type=hidden name=".challenge"
value="zpUHXfMLl._2u4tfNw8fBdAKYtkM" >
Thus even if you can watch the traffic both ways you can only break the
password by doing some kind of brute force dictionary search. That
would probably show up a few insecure passwords (if you have a largish
company), but that's not really the fault of the login procedure.
> My other question is if the passwords are encrypted why do they offer a secure login
> option? How does that increase security, other than adding a brief ssl session.
Because it encrypts your username too? Honestly I don't know. Most
browsers apply stricter security to secure pages, ie they won't be
cached locally etc... That could be it. The passwords coulnd't be brute
forced locally either.
- Blazde
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 20:49:21 PDT