Javascript password protect insecure?


redragon
02-08-2004, 11:39 PM
I am new to html and the different codes. I have put together a few basic web sites and now I am branching out. I was told that javascript is one of the easier codes to learn so I started there. I have learned rollover scripts and other similar ones. My question is this:

I was looking into making some pages private. I have downloaded and played with several different javascript password scripts, but the more I read and surf the more I hear how unsecure they are. At the same time no one tells me how they are insecure.

Maybe I'm being anal here but I want to know. How are javascript password protections insecure? I am not talking about the scripts that have the passwords in the source for plain sight. I am hoping in learning this I can learn more about the code and how it works with the browser.

Thanks

fredmv
02-08-2004, 11:48 PM
Welcome to the forums.

Originally posted by redragon
I was told that javascript is one of the easier codes to learn so I started there.

While JavaScript may be easier than some of the more strict languages (e.g., Java, C++, etc.), it is by no means easy. It does make things easier because of the fact that it is not a strongly typed language, but JavaScript's difficulty lies in what you're trying to do with it — if you're trying to do something easy, it's easy; if you're trying to do something hard, it's hard. I think you get the idea.

Originally posted by redragon
I read and surf the more I hear how unsecure they are.

You are correct but to an extent. When created incorrectly, they are definitely insecure as the login information is just a View » Source away.

Originally posted by redragon
At the same time no one tells me how they are insecure.

It's because the data which is used to log in is not obfuscated in any way and thus is clearly available to anyone who knows how to use the browser's View » Source feature.

Originally posted by redragon
How is javascript password protections insecure.

As mentioned previously, it's because the information needed to log in can be easily obtained.

Originally posted by redragon
I am not talking about the scripts that have the passwords in the source for plain sight.

Then what exactly are you talking about? If you were not referring to that kind of script, which kind were you referring to?

The most secure client-side password protection is possible using something called MD5 or SHA-1 hashes (or making the password the name of the page). If you do a search here, you'll probably find code examples from myself or Jeff. If you cannot find these threads, please feel free to ask and I will reference you to one.

buntine
02-08-2004, 11:56 PM
I know I have said this heaps. But I think that if you want password protection then JavaScript is not the best way to go about it.. These sorts of applications should be left to server-side programming.

Anyhow, there is no such thing as an easy programming language..


Maybe I'm being anal here but I want to know.


What?

fredmv
02-08-2004, 11:58 PM
Originally posted by buntine
These sorts of applications should be left to server-side programming.

Agreed; but, when not available, you must go about other ways of doing it.

Originally posted by buntine
What?

That's basically just another way of saying "maybe I'm overreacting here but I don't know".

redragon
02-09-2004, 12:02 AM
Thanks, this looks like a very knowledgeable site.

I have joined a few others looking for answers, but I have to say, none have ever answered so quickly or thoroughly. Thanks for that.

Here is an example of what I'm talking about. A member of another forum that I used to belong to told me that the closest thing to a secure javascript password was this.

"<SCRIPT>

var string = "encrypted password";
var webpage = "";
var nick = "var stumpy = prompt('Password:','');for (y=1; y<5; y++) {webpage += (string.indexOf(y)+1);}webpage += 5;if (stumpy==webpage){webpage = webpage + '.php';location.href=webpage;}else{location.href='incorectpasswordpage.php';}";

eval(nick);

</SCRIPT>"

But when he finished posting it he said that even this was insecure because he could save the page to his desktop, add some lines of code, and the password would be given to him. I thought he was some crazy high school kid just running his mouth, but the more I read the more something like that seems possible. Is it? I mean can popping a password be that easy, even if it's encrypted?

buntine
02-09-2004, 12:04 AM
Thanks for clearing that up.. Sounds a tad odd.

Yes, JS is the next best alternative. Though, you'd be crazy to host a web site on a server which didn't have support for any server-side languages.

I have never heard of a server which didn't have at least CGI/Perl.

redragon
02-09-2004, 12:04 AM
Thanks fredmv. That's exactly what I meant about being anal.

fredmv
02-09-2004, 12:08 AM
Originally posted by redragon
I have to say, none have ever answered so quickly or thoroughly. Thanks for that.

No problem whatsoever. That's what we're here for. :D

Originally posted by redragon
A member to another forum that I use to belong to told me that the closest thing to a secure javascript password was this.

Whoever told you that is completely incorrect.

Originally posted by redragon
But when he finished posting it he said that even this was insecure because he could save the page to his desktop, add some lines of code, and the password would be given to him.

That isn't too far off because you actually could do something like that (e.g., alert the evaluated password, etc.). Since the password is generated within the code, and there is no truly secure hashing or encryption algorithms, the password can be accessed simply by printing back the value which was generated.

Originally posted by redragon
even if it's encrypted?

That's the problem right there — it isn't. No kind of real encryption or hashing algorithm is implemented, and thus it simply isn't secure at all.

redragon
02-09-2004, 12:13 AM
Originally posted by fredmv
No problem whatsoever. That's what we're here for. :D

Whoever told you that is completely incorrect.

That isn't too far off because you actually could do something like that (e.g., alert the evaluated password, etc.). Since the password is generated within the code, and there is no truly secure hashing or encryption algorithms, the password can be accessed simply by printing back the value which was generated.

That's the problem right there — it isn't. No kind of real encryption or hashing algorithm is implemented, and thus it simply isn't secure at all.

I hate to beat a dead horse but I want to know what you mean by that. What do you mean by printing back the value?

Thanks again by the way for this help. I really want to understand this.

fredmv
02-09-2004, 12:26 AM
No problem. What I mean basically is this. In the following piece of code (from your example):

webpage = webpage + '.php';

Since the "encrypted" password is in the variable webpage, all you should need to do is print this value out somehow using a simple method (e.g., alert, document.write, etc.).

That right there is why this method isn't secure. While newbies won't even think to view the source, and even if they do, will probably be baffled by the code if they do not know JavaScript, more experienced users will plow through something like this without a problem.

You also previously mentioned you have Perl available on your server — if you're truly serious about secure logins, you should really consider using server-side if you want it to work for everyone (since 13% of people do not have JavaScript-enabled browsers) and not have to worry about anyone obtaining the password.

However, I would imagine you want to do this for nothing more than to learn, because as you also previously mentioned you are new to JavaScript and want to learn the language, which is of course a great idea, but you should never rely on JavaScript — for a site login, content generation or otherwise — simply because of the fact that not everyone will be able to use it.

Edited: Disregard about what I said about you having Perl available — I thought that was you saying that, but it was actually buntine.

redragon
02-09-2004, 01:00 AM
I hate to be dense but you're speaking above my head. The "alert" tag, I thought, simply threw up a window with a message you want to convey. I haven't gotten to the document.write tag. Can you walk me through these or if it's too much to post is there a web site that I can read more about this on?

Also when you said that you can enter in the password and .php and you get the page. I thought the eval(nick) was a separate command that prevented that. Of course, I don't even have this code totally figured out so if that was off the wall pardon me.

fredmv
02-09-2004, 01:19 AM
Originally posted by redragon
I hate to be dense but you're speaking above my head. The "alert" tag

Just to be a little more technically correct, these are referred to as functions or methods; it's perfectly fine since I realize you're new to JavaScript and are probably still used to terminology resembling that of markup (XHTML, HTML, XML, etc.); I'm just pointing that out to avoid any possible confusion in the future.

Originally posted by redragon
I thought, simply threw up a window with a message you want to convey.

You are absolutely correct — that's what it does. In this case, that's all we need to do. Since, as I previously mentioned, the password is not obfuscated by any means; it's just generated in a somewhat more confusing way as compared to the even less confusing ways (i.e., password hardcoded into source) to keep most people off of it.

What I was explaining earlier is basically done like this: well, all this code does is loop through a string and modify another string's value. Thus, since it keeps updating a variable with a new value, all you'd need to do is obtain the value of the variable that is as a result generated by the loop which is then used to redirect to a "protected" page.

Now, here it goes:

webpage = webpage + '.php';

This is the piece of code that proves the variable that is generated is, indeed, the name of the seemingly "protected" page. Now, as I've already said, to obtain the name of this page, all we'd need to do is use a method such as alert to print it out to us. In a slightly earlier piece of that code, there is something that looks like this:

for (y=1; y<5; y++) {webpage += (string.indexOf(y)+1);}webpage += 5;

Looks confusing, right? That's what the author of the script intended it to be — well, it's not — and moreover, you don't even need to understand how it works per se, just where the result of this code is going — and that's in the webpage variable. If you modify this code to look like this:

for (y=1; y<5; y++)
{
    webpage += (string.indexOf(y)+1);
}

webpage += 5;

alert(webpage);

It becomes a little more readable, and even more so, it will allow us access to the so-called "password". This will yield an alert with the string "00005" in it — the filename of the "protected" page. If you enter that as the password when the prompt dialog comes up, and the file indeed does exist, you should be brought to it.

And there's nothing more to it. It's merely a poorly thought out algorithm for creating a secure — but actually a very insecure — login with JavaScript. The method that Jeff introduced, using a SHA-1 hash, is virtually uncrackable; as Jeff has once said, even some of the world's best cryptographers have yet to crack it — your friends don't stand a chance. ;)

redragon
02-09-2004, 01:47 AM
Ok, I think I'm understanding this better, but flame me if I draw this out too much. I think I'm understanding the process better.

So basically all anyone has to do is to save the source to their desktop, add a line to make it look like this, and then double click the html file on their desktop and the password will pop up?

"<SCRIPT>

var string = "encrypted password";
var webpage = "";
var nick = "var stumpy = prompt('Password:','');
for (y=1; y<5; y++)
{
webpage += (string.indexOf(y)+1);
}
webpage += 5;
Alert (webpage);
if (stumpy==webpage){webpage = webpage + '.php';location.href=webpage;
}else{location.href='incorectpasswordpage.php';
}";

eval(nick);

</SCRIPT>"


So basically you are getting the formula to basically give you the answer before it compares it with your answer?

redragon
02-09-2004, 01:49 AM
One more thing. If the answer is the "webpage + 'php'" then what does the "eval(nick)" do?

Pittimann
02-09-2004, 01:54 AM
Hi!

A little "proof" for what fredmv has stated (even though his statements prove themselves :D):

<script language="JavaScript" type="text/javascript">
<!--
var getPass=new Array("0","0","0","0");
var string = "encrypted password";
var solution="";
for (var i = 0; i < string.length; i++){
if (string.substring(i,i+1)=="1"&&getPass[0]=="0") getPass[0]=i+1;
if (string.substring(i,i+1)=="2"&&getPass[1]=="0") getPass[1]=i+1;
if (string.substring(i,i+1)=="3"&&getPass[2]=="0") getPass[2]=i+1;
if (string.substring(i,i+1)=="4"&&getPass[3]=="0") getPass[3]=i+1;
}
solution=getPass+"5";
solution=solution.replace(/[,]/g,'');
var webpage = "";
var nick = "var stumpy = prompt('Password:',solution);for (y=1; y<5; y++) {webpage += (string.indexOf(y)+1);}webpage += 5;if (stumpy==webpage){webpage = webpage + '.php';alert('Yeah!!!');}else{alert('hahaha');}";
eval(nick);
//-->
</script>

This snippet will throw the solution right into the prompt. You don't have to enter anything - just hit ok. If the end of the code would have location.href= instead of alert, you would be there...

Cheers - Pit

fredmv
02-09-2004, 01:55 AM
Originally posted by redragon
So basically you are getting the formula to basically give you the answer before it compares it with your answer?

Not quite — more like, merely getting the answer after the formula has been executed.

Originally posted by redragon
One more thing. If the answer is the "webpage + 'php'" then what does the "eval(nick)" do?

Since all of the JavaScript code is contained within a variable, you must use the eval function in order for it to run. Why the author did this? I'm not sure; but that's the answer to your question.

If you'd like an example of a truly secure client-side JavaScript login, please feel free to ask.

redragon
02-09-2004, 01:56 AM
No, I know there are more secure methods out there. I just hate not understanding something. Am I right about the code I posted?

Another thing. This is an in-between page right? What I mean is that the first page is the page with the link on it to this page. Of course this page throws up a prompt window for your password. Once you enter it and it matches up it sends you to the third and final page which is the one being protected.

fredmv
02-09-2004, 01:59 AM
I can't say for sure as I've not seen a "live" page with this script in action on it. However, I've edited my previous post to contain my answer to your other previous question.

You may also want to consider checking out Pittimann's excellent example — that should further help you understand how this works.

redragon
02-09-2004, 02:12 AM
Fredmv, I hate to be such a simpleton but Prittman's (sorry misspelled) is so far above my head he might as well be writing in Greek. If you've got the time would it be possible to break his example down for me? And after you're finished with that direct me to where I can donate because I definitely need to. lol

Pittimann
02-09-2004, 02:22 AM
Hi!

In short: the little for-loop in the script is checking for the positions of the first appearance of the numbers 1, 2, 3 and 4 in the string. If one of these numbers doesn't appear at all, the value will be 0.

In your example none of these four numbers appear, which makes 0000 the first four digits of the "password". After the loop, the number 5 is concatenated to the string; this gives 00005 as the correct password.

Little example with a modified string:

var string = "en1crypted password";
"1" is at pos 3 of the string; 2, 3 and 4 are not present - the password would be 30005...

Cheers - Pit

fredmv
02-09-2004, 02:25 AM
Great explanation Pittimann... :D

redragon
02-09-2004, 02:29 AM
Oddly enough, I get that. lol Thanks I don't think I'm finished completely understanding it but I'm going to go play a bit and see what I come up with.

Just to check. So, the password isn't encrypted at all. It's hidden. Meaning if the line is:

var string = "BE1PASIDUFKENFDK";

It would be the same because the formula is looking for a certain alpha/numeric value in a certain position in the string. Right?

Pittimann
02-09-2004, 02:36 AM
Hi!

Great explanation Pittimann...

:rolleyes: :rolleyes:
Thanks.

To redragon: right - this example would also give 30005

Cheers - Pit

Edit: sorry - not completely right. Not alpha/numeric, just numeric...

redragon
02-09-2004, 02:55 AM
I was playing around and I get this error with my browser.

line: 21
Char:1
Error: Expected ';'
Code: 0
URL: file on my desktop

Is there a program that I can use to see what it is referring to? I have a feeling the notepad is not going to match up. lol.

Also, Pittimann, would the end result for "3wr315rokeul7323ll" be 30035? Just checking my logic.

Also, which part of the formula tells you that there are four digits plus 5?

fredmv
02-09-2004, 02:58 AM
Originally posted by redragon
Is there a program that I can use to see what it is referring to?

I assume you are using that browser from hell (i.e., Internet Explorer) based on the error message formation? Get a real browser like Mozilla (http://www.mozilla.org/) for much better JavaScript error messages; a JavaScript console; a JavaScript debugger, among tons of other things. Also note, if you just want the browser, get Mozilla Firebird (http://www.mozilla.org/products/firebird/) — Mozilla, the "suite", comes with a mail client, extra developer add-ons, etc. Mozilla Firebird is only the browser. Note, however, you can still get features which are contained in the full version of Mozilla via extensions (http://www.texturizer.net/firebird/extensions/).

Pittimann
02-09-2004, 03:08 AM
Hi!

No! This example would give 515105

first pos of "1": 5
first pos of "2": 15
first pos of "3": 1
first pos of "4": not there=> 0

plus 5=>515105

for (y=1; y<5; y++) {webpage += (string.indexOf(y)+1);}webpage += 5;

the green part is responsible for concatenating 5...

Cheers - Pit
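
The derivation walked through in the posts above, as an added example that is not part of any post in the thread: it restates the script's loop as a pure function and runs it on the seed strings quoted in the thread, showing that the expected value is computed entirely from text shipped in the page source. The names derivePageName, gate, deriveAll and seedsFromThread are chosen here for illustration and do not appear in the original script.

```javascript
// Added example: the thread's derivation as pure functions (Node or a browser console).
// derivePageName, gate and deriveAll are illustrative names, not from the original script.

// Mirrors: for (y=1; y<5; y++) {webpage += (string.indexOf(y)+1);} webpage += 5;
function derivePageName(seed) {
  let page = "";
  for (let y = 1; y < 5; y++) {
    // indexOf(y) searches for the digit "1".."4"; absent gives -1, so -1 + 1 appends "0".
    // The result is appended as text, so a two-digit position adds two characters.
    page += seed.indexOf(y) + 1;
  }
  page += 5; // constant suffix, independent of the seed
  return page;
}

// Mirrors the script's if/else, returning the target instead of setting location.href.
// prompt() returns a string, so a strict comparison matches the original behaviour.
function gate(seed, typed) {
  const expected = derivePageName(seed);
  return typed === expected ? expected + ".php" : "incorectpasswordpage.php";
}

// Seed strings quoted in the thread.
const seedsFromThread = [
  "encrypted password",
  "en1crypted password",
  "BE1PASIDUFKENFDK",
  "3wr315rokeul7323ll",
];

// Pairs each seed with the value the script would compare the typed input against.
function deriveAll(seeds) {
  return seeds.map((seed) => ({ seed, expected: derivePageName(seed) }));
}

console.table(deriveAll(seedsFromThread));
```

Every input to derivePageName is delivered to the browser, which is why the replies above point to a server-side check; note also that two different seeds in the thread produce the same value.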