
I have a small login form, I will send the name and password via GET, but I don't want to put the password in a url in plain text. Can I Md5 it after pressing submit button, but before sending it via GET?

Sirius_Black
  • I'm not sure if this would help you, but you can use a before-submit method using jQuery to do something. –  May 04 '14 at 02:32
    MD5 is broken, **don't use it** for anything security-related. And if you want to protect against MITM attacks that can intercept the password then use SSL. –  May 04 '14 at 02:33
  • Alternatively, you can encrypt it after you get it. –  May 04 '14 at 02:41
  • I just want to protect from people around the computer to see the password in the url –  May 04 '14 at 02:41
  • But if you really want to encrypt it, you should never use the GET method, just for security reasons. Use the POST method instead. –  May 04 '14 at 02:41
  • The POST method has no character limit, unlike the GET method, and it also won't show in the URL. –  May 04 '14 at 02:42
  • As @André said, MD5 is broken. You're better off using no encryption at all if you do use it. You should check out the `password_hash` function – Idris May 04 '14 at 03:01
    Keep in mind that simply hashing the password in the URL does not make your application any more secure, because it makes the hash equivalent to the password! An attacker that could previously sniff the password from the network can now just sniff the password hash, and that's still the only thing they need to know. **Use SSL** if this is a concern. –  May 04 '14 at 03:16

1 Answer


You should not use md5 for hashing passwords.

If you want to learn to hash your user password safely then have a good read of How do you use bcrypt for hashing passwords in PHP? and Secure hash and salt for PHP passwords .

I will send the name and password via GET

Never use GET for logging in. Yes, it shows in the URL, but it also shows the GET parameters in the server request log.

I just want to hide the characters from people around the user computer.

Using the form input type type="password" will solve that issue. But there is also the issue of Man-In-The-Middle attacks, where an attacker can inject themselves into the packet routing mechanism and capture and record, then re-route, every packet between hops, capturing POST, GET etc. parameters. So you should at least use SSL to encrypt the connection packets between point A and point B if you're serious about securing your users/site from an easy hack.

But to answer your question, here is what you asked (ish) o_O. You need to use JavaScript to process the form before it's POSTed, but it obviously won't work if JavaScript is off:

<?php echo '<pre>'.print_r($_POST,true).'</pre>';?>
<!-- Browser-side md5() from the php.js project; utf8_encode.js is its dependency -->
<script type="text/javascript"
    src="http://github.com/kvz/phpjs/raw/master/functions/xml/utf8_encode.js"></script>
<script type="text/javascript"
    src="http://github.com/kvz/phpjs/raw/master/functions/strings/md5.js"></script>

<script type="text/javascript">
// Runs on submit: copies md5(password) into the hidden field and blanks the
// real password field, so the request carries md5password=<hex> and an
// empty password parameter. Skipped (nothing to hash) if the field is empty.
function pwd_handler(form)
{
    if (form.password.value != '')
    {
        form.md5password.value = md5(form.password.value);
        form.password.value = '';
    }
}
</script>

<form action="" method="post" onsubmit="pwd_handler(this);">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="hidden" name="md5password" value="" />
    <input type="submit" value="Log in" />
</form>
Lawrence Cherone
  • Actually you can use MD5 for passwords, if you do it wisely. It's been proven that by adding a salt to MD5 it makes the encryption strong enough for most use cases. – transilvlad May 04 '14 at 03:33
  • @tntu Not even worth the risk when there are proven cryptographically superior hashing algorithms. Besides, md5 was never meant for hashing passwords; it's for checking data integrity. If you were to take the risk you would still need to salt the password and store it, in which case you might as well use the slightly better but still insecure sha1 for entropy, or just do it properly. My 2 cents. – Lawrence Cherone May 04 '14 at 03:44
  • Good point, but then again, if you only use it for data transfer like he wants, it is good enough. Though I would have just written my own algorithm in his case, but he does not know how. What he does once the password gets to the server is another story. – transilvlad May 04 '14 at 03:48
  • @tntu: never write your own hashing or security algorithms. You won't do it right. If you happen to be a security professional with a strong mathematical background, then I apologize in advance. – siride May 04 '14 at 05:18