#7 secure passwords in new_user_md5.php3


reposted from mailing list

Note: this deficiency is documented in the code.

At 3:28 PM -0700 16/8/00, Torrey Hoffman wrote:

>Hello. I'm using phplib 7.2b, with the md5 based
>authentication system (Challenge_Crypt_Auth).
>I have a concern about password security for
>administrators adding users, or changing user passwords.
>
>First, some background, as I understand it:
>The MD5 challenge-response authentication system is
>reasonably secure, even over insecure networks, as it
>never sends passwords in the clear. It works by using
>the JavaScript implementation of MD5 on the client to
>compute MD5("$username:$pass:$challenge"), where $pass
>is actually the md5 hash of the plaintext password.
>Both the client and the server can compute this value,
>allowing the server to authenticate the client. Since
>the $challenge is different for every session, an
>eavesdropper (packet sniffer) cannot gain any useful
>knowledge of the password, even though they can see the
>$username and $challenge.
>So all is well for authentication.
>
>But when adding a new user, the
>"\pages\admin\new_user_md5.php3" sample code ends up
>passing just the md5(plaintext-password) over the
>network. If an attacker grabs that information, then
>they can easily compute md5("$username:$pass:$challenge")
>and falsify their authentication. As I see it, there is
>no extra security in sending the MD5 hash of the
>plaintext password when changing or setting passwords -
>you might as well just send the plaintext password.
>
>I can't figure out an easy way to fix this without
>going with the full Diffie-Hellman key exchange
>protocol. (See However, I am not a cryptography expert.
>
>So my questions are:
>1. Is there a secure way to set Challenge_Crypt_Auth
>MD5 passwords over the
>2. If so, has it been implemented somewhere with free
>3. If not, is there some fundamental reason? Is this
>hard to do with JavaScript on the client and PHP on the
>server?
>4. Is this weakness in the PHPLIB sample code documented?
>
>Thanks very much for any help or advice you can give.
>
>PS: Huge thanks to the authors of PHPLIB for writing
>such an amazingly useful piece of code.

