MD5 in Javascript
20th April 2003
One of the things that has always bugged me about creating login forms for web based applications is that the password is passed in clear text when the user logs in. Even if you then set a session cookie of some sort for future access the password has stilled been transmitted unencrypted at least once.
The obvious way around this is to use https, but for the vast majority of sites this isn’t an option. Enter Javascript MD5—an implementation of the cryptographically secure MD5 hashing function in Javascript. This can be used to build a CHAP login system where the client sends the MD5 of the password appended on to a challenge string, which the server can then recalculate and compare (all without the password being transmitted from client to server).
The author links to implementations of this idea in various languages, and implementing it from scratch in PHP is quite trivial. With a bit of care the system can be set up so that browsers with no javascript support submit the password normally, while those with javascript send only the hash.
A modified version of the system is used by Yahoo’s Login Page, so it is certainly feasible for deployment in a commercial environment. Obviously an https encrypted session is far more secure, but for non-ecommerce web applications this technique is a no-brainer.
More recent articles
- Qwen2.5-Coder-32B is an LLM that can code well that runs on my Mac - 12th November 2024
- Visualizing local election results with Datasette, Observable and MapLibre GL - 9th November 2024
- Project: VERDAD - tracking misinformation in radio broadcasts using Gemini 1.5 - 7th November 2024