The use of client side password hashing in web application (such as http://pajhome.org.uk/crypt/md5/) may be on the rise. At least it appears that way to me as I have seen several deployments lately.
These hashing libraries usually promises to keep a user's password secure in non ssl environments.
One could argue that they perform the intended task. The problem with http traffic compared to https is that the traffic is obtainable by anyone else connected to the same network as the user (or the server). If an attacker obtains the hashed password string he or she can provide the hash to the server to authenticate as the user without knowing the users actual password.
This does mean that the user's plaintext password is safe until the hacker breaks it so for users who use the same password everywhere, there is a marginal protection when websites use hashed passwords. It's still a far cry from the relative security of submitting sensitive data over a SSL encrypted connection.
The March addition to Jason is iterate.pl, a script which iterates numeric values in passwords.
You can grab a copy from the github project page: https://github.com/wireghoul/Jason
These hashing libraries usually promises to keep a user's password secure in non ssl environments.
One could argue that they perform the intended task. The problem with http traffic compared to https is that the traffic is obtainable by anyone else connected to the same network as the user (or the server). If an attacker obtains the hashed password string he or she can provide the hash to the server to authenticate as the user without knowing the users actual password.
This does mean that the user's plaintext password is safe until the hacker breaks it so for users who use the same password everywhere, there is a marginal protection when websites use hashed passwords. It's still a far cry from the relative security of submitting sensitive data over a SSL encrypted connection.
The March addition to Jason is iterate.pl, a script which iterates numeric values in passwords.
~/Jason$ ./iterate.pl password1 password1 password0 password2 password3 password4 password5 password6 password7 password8 password9
You can grab a copy from the github project page: https://github.com/wireghoul/Jason
