Easy solution is to force SSL for your entire site. If you are that serious about security, it's something you should be doing anyway to avoid session cookie theft, etc.

Would be a big pain in the butt for third-party links as it would throw warnings at users.
If the password is already being sniffed, a simple client-side MD5 is going to do little to stop anyone (especially since the salt would by definition be exposed to any attacker).
It could use better password hashing. However if people get your hashes you would have other more serious problems to deal with. And vb's hashing wouldn't be any better.

In fact I am now testing a new addon which converts from vBulletin, IPB and XenForo hashes to using bcrypt (with a user option for number of rounds). On my kit using 14 rounds takes around 1.2 seconds (that's the delay the user will get when logging in, or changing their password) which is good enough.
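As an added illustration of the two pieces the post above describes (picking a bcrypt cost by measuring the delay on the machine that will run it, and converting a legacy hash to bcrypt at the user's next login), here is a PHP sketch. It is example code written for this thread, not the poster's addon. The legacy verifier covers only the vBulletin 3/4 scheme (md5(md5(password) . salt)); the user row layout, the `scheme` field and the sample salt are assumptions made for the example.

```php
<?php
// Added example, not the addon discussed in the thread.
// Part 1: calibrate the bcrypt cost so one hash takes about the delay the
// post quotes (~1.2 s). Part 2: verify a legacy vBulletin hash on login and
// replace it with bcrypt while the plaintext is available.

declare(strict_types=1);

// Target delay per hash in seconds; 1.2 s is the figure from the post.
const TARGET_SECONDS = 1.2;

/**
 * Highest bcrypt cost whose hashing time stays at or under the target on
 * this machine. Starts at PHP's default cost of 10 and steps up.
 */
function calibrateBcryptCost(float $targetSeconds = TARGET_SECONDS, int $start = 10, int $max = 31): int
{
    $cost = $start;
    for ($c = $start; $c <= $max; $c++) {
        $t0 = hrtime(true);
        password_hash('calibration-only-password', PASSWORD_BCRYPT, ['cost' => $c]);
        $elapsed = (hrtime(true) - $t0) / 1e9;
        if ($elapsed > $targetSeconds) {
            break;            // this cost is already too slow; keep the previous one
        }
        $cost = $c;
    }
    return $cost;
}

/**
 * vBulletin 3/4 stored md5(md5($password) . $salt).
 * hash_equals() keeps the comparison constant-time.
 */
function verifyLegacyVbulletin(string $password, string $storedHash, string $salt): bool
{
    return hash_equals($storedHash, md5(md5($password) . $salt));
}

/**
 * Login check for either format. Returns [bool $ok, ?string $newHash]; a
 * non-null $newHash must be written back to the user's row by the caller.
 * The 'scheme' / 'hash' / 'salt' keys are an assumed row layout.
 */
function loginAndUpgrade(array $user, string $password, int $cost): array
{
    if ($user['scheme'] === 'bcrypt') {
        $ok = password_verify($password, $user['hash']);
        // Rehash when the stored cost is below the currently configured one.
        $new = ($ok && password_needs_rehash($user['hash'], PASSWORD_BCRYPT, ['cost' => $cost]))
            ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])
            : null;
        return [$ok, $new];
    }
    if ($user['scheme'] === 'vb') {
        $ok  = verifyLegacyVbulletin($password, $user['hash'], $user['salt']);
        $new = $ok ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]) : null;
        return [$ok, $new];
    }
    return [false, null];
}

// Constructed sample row in the legacy format (salt and password are made up).
$salt = 'aB3x';
$user = ['scheme' => 'vb', 'salt' => $salt, 'hash' => md5(md5('correct horse') . $salt)];

$cost = calibrateBcryptCost();
printf("bcrypt cost chosen: %d\n", $cost);

[$ok, $newHash] = loginAndUpgrade($user, 'correct horse', $cost);
printf("legacy login ok: %s, upgraded to bcrypt: %s\n", $ok ? 'yes' : 'no', $newHash ? 'yes' : 'no');

[$ok2] = loginAndUpgrade(['scheme' => 'bcrypt', 'hash' => $newHash], 'wrong password', $cost);
printf("wrong password against bcrypt: %s\n", $ok2 ? 'accepted' : 'rejected');
```

Run the calibration once at install time rather than per request, and re-run it when the hardware changes; the cost it picks is the number the thread calls "rounds". Until a user logs in again their row keeps the old md5 hash, so a dump taken before that login is no better protected than it was under vBulletin.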
Any hash is only as secure as the password used, it all depends on what area of the keyspace the brute forces target first, ie lowercase, UPPERcase, numerics etc. The point is that SHA-2 is still regarded as a secure hash and safe for use.
The fact is it isn't secure. You can't expect it not to get cracked and any user without a good long password will get cracked fast.
SSL can be compromised too if you use a man-in-the-middle attack (ie. DNS Changer Malware) and SSLstrip.

Only if the user is stupid/not paying attention. SSLstrip works by proxying the HTTPS connection between the MITM and the server using an HTTP connection between MITM and the user. I'm not going to enter my credit card details or my bank account password if I see that the connection, which should be HTTPS, is not HTTPS.
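The thread's "force SSL for your entire site" advice and the SSLstrip exchange above both come down to the same server-side configuration, so here is one added PHP example (not from the forum or from any of the forum packages named) showing what that looks like at the application layer: redirect plain-HTTP requests, send an HSTS header so browsers that have already seen the site over HTTPS refuse to be downgraded, and mark the session cookie secure so it is never sent in the clear. `CANONICAL_HOST` is a placeholder you would set to your own domain; the `$_SERVER` keys used are the standard PHP ones.

```php
<?php
// Added example, not code from the forum or any software named in it.
// Enforces HTTPS for the whole site and sets the cookie flags and headers
// relevant to the thread: session cookie theft over HTTP and SSLstrip-style
// downgrade of the connection.

declare(strict_types=1);

// Placeholder: set to the site's real hostname. Using a fixed value instead
// of the Host header keeps the redirect from being steered by a client.
const CANONICAL_HOST = 'forum.example';

/** True when the request reached PHP over TLS. */
function isHttps(array $server): bool
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443);
}

/** HTTPS URL for the same path on the canonical host. */
function httpsRedirectUrl(array $server): string
{
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

/** Headers every HTTPS response should carry. max-age here is one year. */
function securityHeaders(): array
{
    return [
        // HSTS: a browser that has seen this header over HTTPS will not load
        // the site over plain HTTP again for max-age seconds, which is what
        // stops a later downgrade of the kind SSLstrip performs.
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'DENY',
    ];
}

function enforceHttps(array $server): void
{
    if (!isHttps($server)) {
        header('Location: ' . httpsRedirectUrl($server), true, 301);
        exit;
    }
    foreach (securityHeaders() as $name => $value) {
        header("$name: $value");
    }
    // Session cookie: only over TLS, not readable by script, not sent on
    // cross-site POSTs. Must be set before session_start().
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

enforceHttps($_SERVER);
```

Two caveats worth knowing when reading this against the thread. HSTS only protects a browser that has already visited the site over HTTPS once (or has the domain in its preload list), so the very first visit is still where the "user paying attention" point from the reply applies. And if a reverse proxy terminates TLS in front of PHP, `$_SERVER['HTTPS']` will be empty; in that setup `isHttps()` has to be adapted to whatever the proxy sets, and only trusted for connections that actually come from the proxy.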
Ah hell naw cmon yahoo!