I'm storing my passwords on a server, and, using nothing but HTML/JavaScript, I need to be able to take an input password, pute the hash, then pare against what's in my database via Ajax.
As I'm using CouchDB, there's actually no server code, which is where I'd normally do such a calculation.
Any kind of one way encryption would work. I saw an old plugin that appears unsupported for an earlier version of jQuery. As 1.3 and 1.2 seem to be mostly inpatible from my experience, I wonder if there's any new solution to this problem for the latest version of jQuery, or even just plain old JavaScript.
Thanks!
I'm storing my passwords on a server, and, using nothing but HTML/JavaScript, I need to be able to take an input password, pute the hash, then pare against what's in my database via Ajax.
As I'm using CouchDB, there's actually no server code, which is where I'd normally do such a calculation.
Any kind of one way encryption would work. I saw an old plugin that appears unsupported for an earlier version of jQuery. As 1.3 and 1.2 seem to be mostly inpatible from my experience, I wonder if there's any new solution to this problem for the latest version of jQuery, or even just plain old JavaScript.
Thanks!
Share Improve this question edited Aug 24, 2009 at 18:34 Abie 10.8k6 gold badges34 silver badges39 bronze badges asked Aug 24, 2009 at 18:18 FilmJFilmJ 2,0213 gold badges19 silver badges28 bronze badges 3- 4 Just a word of caution: when you said password it sounded like you may be doing some sort of authentication using javascript. I'm not certain if this is the case but if it is I strongly urge you to reconsider. Client side javascript can easily be manipulated, in fact one tool called Greasemonkey for Firefox makes this task extremely simple. If you are using javascript to keep people from a protected area or resource, you will find that it really isn't up to the task. – apiguy Commented Aug 24, 2009 at 18:29
- 1 Please note: The MD5 algorithm does not do encryption, it does hashing. From your question it sounds like you know the difference, but it’s important to use precise terminology when talking about security-related issues. – Nate Commented Aug 24, 2009 at 18:34
- It's for a demo only... so not concerned about authentication issues - in production, i will likely authenticate through a custom couch authentication plugin (or wait for cookie based authentication to be released), but for now just needed a simple way to talk to the existing database. – FilmJ Commented Aug 24, 2009 at 18:51
4 Answers
Reset to default 4Why are you looking for a jQuery plugin? There are multiple implementations of MD5 and SHA1 available in JavaScript that turn any string into a hash string and that can easily be used with jQuery.
Here is the first Google result for "JavaScript sha1":
http://www.webtoolkit.info/javascript-sha1.html
I highly remend you read "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes" by Thomas Ptacek. Here's the link to the wayback machine (if markdown will stop eating it):
http://web.archive/web/20071228050037/http://www.matasano./log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
The first thing that jumps out as applicable to your scenario: md5 is horribly broken.
There are other goodies in there, and I can't do the source material justice, so please read the whole thing.
UPDATE: Googling around seems to indicate it's possible to tie in HTTP Authentication to your CouchDB application using Apache. I'd remend using that over rolling your own authentication protocol that relies on client-side hashing of the password.
If you want MD5 rather than SHA1, this one works pretty well:
http://pajhome.uk/crypt/md5
You could also check my md5 implementation.