This is a secure solution for password protection with JavaScript. It works by encrypting the password and the content. Nothing is revealed in the source code, and it cannot be beaten by disabling JavaScript.
The download contains three files: Protect Content.html lets you generate your own protected content. Demo.html is a protected document, and as long as it remains unbroken, it's your proof that this software works. You can also use it as a template for your own protected pages. Demo, with hint.html is another protected document that tells you the password. This is meant to show that the first demo is not a trick or a fake.
Enjoy! Feel free to reply with questions or comments.
Only if you're delivering database-driven content, and the people who come asking for JS password protection usually aren't. So we're only dealing with static pages, which are prepared by the developer in advance.
Using JS for password protection is pointless. It is true that the JS encryption you are using is better than most, but having the encryption method embedded in the page is still impractical and causes a major security problem.
Only if you're delivering database-driven content.
True
And the people who come asking for JS password protection usually aren't.
Not sure about that. If they are not then they get a false sense of security.
but having the encryption method embedded in the page is still impractical and causes a major security problem.
Yes, a little impractical, but using a known algorithm is no security threat. Many widely used algorithms for cryptography are publicly available - and should be.
...but having the encryption method embedded in the page is still impractical and causes a major security problem.
Honestly, it isn't a security problem at all. In fact, the best algorithms are not kept secret. They're open standards.
Anytime you submit a credit card # or SSN over an HTTPS connection, you're relying on open and publicly available encryption algorithms. That they have been under public scrutiny for years and are still unbroken is a testament to their strength.
The Rabbit cipher I used has been publicly available since 2003 and is still unbroken.
How so? The solution I posted offers true security.
If they are using a server-side language to generate code and sending it in plain text to the client. Newcomers to JavaScript might not have a thorough understanding of how things work and so may misunderstand how your script works.
Again may I ask how so? The only complaint you might have is needing to download the JS file. But it's only 6.6KB. That's not at all unreasonable.
My subjective meaning. Others might not find it impractical.
If they're using a server-side language, then they should rightly be told to use that to implement password protection. This JS protection merely satisfies the small niche of users who don't have, or haven't learned, a server-side language.
It's only a cypher-decypher matter, not a real server-level secure method. As long as the algorithm is to be seen, a javascript cypher can be decrypted, sooner or later, by any good math teacher.
Cypher-decyphering, as you call it, is a secure method. For instance, when you submit a credit card number or a social security number over an SSL connection (https), encryption is what keeps that information safe. Or when you use SFTP (secure FTP), you're relying on encryption. Even when you password protect your browser-saved passwords, you're relying on encryption then too.
These are all open algorithms. Anyone may examine them, even math teachers. But not even the world's best cryptographers can break them. That's why they're used to protect the most sensitive information sent through the Internet.
You may distrust them if you wish, but it's wrong to say they aren't secure.
Well done, but you should put a crystal-clear warning on the encryption page that the strength of the password is magnitudes more important than it would be for a server-side solution. Having both the salt and the target SHA1 hash readily available leaves the door wide open for a dictionary attack, so a decently sized passphrase or an auto-generated password like NL5^8]7(t-B[t+g is an absolute must.
Well done Jeff. You have the smallest and most practical password protection JavaScript. The only other ones that actually work are at least 50% bigger than your script which makes them far less useful.