Security of Pun's authentification (Page 1 of 3)

Connorhd
Simply, we decided to greatly improve it .....so  I ask You ....is it really needed to improve it?...what can we improve and how

We could always use javascript for MD5ing passwords before they're sent. Of course, this requires around 6k more javascript, but it's quite effective.

No, have a field that if javascript is enabled, change so that the PHP knows whether to use it or not.

vBulletin 3.0

Just sending over the md5 is bad, you should use a MD5 challenge handshake system.  I had written an implementation in JS a while back.  I'm pretty sure Yahoo mail uses this method also.  If you need some help w/ this email me.

Connor, it's not a fix. It's just an idea. Or possibly a feature.

Just because someone suggests something doesn't mean it's fixing something. It's a request to improve the current design. Don't take it personally.

EDIT: I'd love to hear Rickard's opinion. After all, it's his software

With a challenge handshake there is more involt than only a MD5. So in theory it is saver then just clear text passwd.

But why this discussion ???. So far the bugs that rise to the surface are sql-injection aan XSS related. So far the protection scheme is working like it should ??

But then again I haven't really reviewed the authentication code yet.

I didn't mean you with it. It was more a question for the topicstarter.

Your handshake idea sounds good. But it relies on Javascript which is not allways enabled and support can vary by  browser.

If the TS wants better protection then first make sure your using SHA1 instead of MD5 if not allready.

thx for the url . good to know. Well im off changing the protection schemes

What do you think about  to make over Pun's authentification  on  sessions ?

What? That doesn't make sense to me. It's easier to crack... but more effective.

EDIT: Oh, and sorry about posting something that has been posted before.