MD5 Hashed Login Passwords
Last updated June 8, 2002
So you are writing a Java Servlet and you want to validate your user with a password, but you don't want to send the password back to the server in the clear. My solution is to use MD5 hashes. If you have a solution using strong encryption that is compatible with both JavaScript (on the client side) and Java (on the server side), please let me know -- I would greatly prefer to use encryption! It would solve the outstanding problem of creating new users and changing passwords.
I have created a sample Java Servlet "application" (see below for the download) to demonstrate using MD5 hashes to help control login. Basically what I do is this:
On the user's form I have two visible form inputs, username and password, and two hidden form inputs, sessionid and response. I set sessionid to the request session id (request.getSession(true).getId()).
When the user submits the form I run a JavaScript function that does the following:
- Save the password to a local variable
- Erase the password or replace it with some number of "x"'s
- Concatenate together the username, the saved password, and the session id
- Fill in the hidden form variable with the MD5 hash of the string created in the previous step
- Post the form
Now the form is posted to the server. On the server I create a hash from the same pieces (the username comes from the posted form, the session id is the server's own copy, and the password comes from the database) and compare the hash created on the server with the hash sent by the browser.
The JavaScript MD5 hash function is readily available and the Java MD5 class is readily available, although I have modified the Java class, adding a static function that takes a String and returns a String (simplifying the coding).
The only outstanding issue is how to get the password to the server in the first place, so that we have a password to verify against. I can't provide any real solution to this problem but can make some suggestions. The "new user" and "change password" features can be done via SSL pages, in the clear, over the phone, or via a different band (such as email). You just need to figure out what you are willing to accept.
If you have questions about the Java MD5 class or the JavaScript MD5 function please contact the respective authors (they are mentioned in the respective source code).
In the logintest.zip distribution I have included a readme.txt file which outlines most everything you might need to know about how to install this Java Servlet "application" and briefly discusses some details. Contact me if you have other specific questions, but I cannot help you set up your server, etc. -- contact your vendor.
Download logintest.zip (21k)
This was created on a Windows box; sorry if you cannot handle this "zip" file, but this is how I am distributing it. There are unzip programs for every platform.