DrTrans, posted August 22, 2012:

I'm using javascript and php to verify what is typed in the "changepassword" text box = the current password in $password variable from php.

```php
print "<script type=\"text/javascript\">";
print "
var currentpass = \"$password\";
var oldpass = document.changepassword.oldpassword.value;
function chkpass(currentpass,oldpass)
{
if(currentpass == oldpass)
document.changepassword.response.value = \"Match\";
}
";
print "</script>"
print "<form name=\"changepassword\" method=\"POST\" action=\"dashboardt.php?control=changepass\">";
print "<table width=\"50%\" class=\"table2\">";
print "<tr>";
print "<td align=\"center\">Current Password:</td>";
print "<td class=\"td2\">$icon<input type=\"password\" name=\"oldpassword\" onchange=\"chkpass()\"><input type=\"text\" name=\"response\"></td>";
print "</tr>";
print "<tr>";
print "<td>New Password:</td>";
print "<td class=\"td2\">$icon<input type=\"password\" name=\"newpassword\"></td>";
print "</tr>";
print "<tr>";
print "<td colspan=\"2\"><input type=\"submit\" class=\"submit1\" value=\"Change Password\"></td>";
print "</tr>";
print "</table>";
print "</form>";
```

ialsoagree, posted August 22, 2012:

What is the problem?

DrTrans, posted August 22, 2012:

Will not load the page with the javascript part. I'm a complete noob at using JS!

ialsoagree, posted August 22, 2012:

The problem is here:

```javascript
document.changepassword.response.value = \"Match\";
```

Check out getElementById(): http://www.javascript-coder.com/javascript-form/getelementbyid-form.phtml

or other methods to access the HTML DOM in javascript: http://www.quirksmode.org/dom/intro.html

codefossa, posted August 22, 2012:

Also, check out onkeyup. onchange sucks for this. I would also use a span tag so you can stylize it rather than a text area they can type in, then change innerHTML, or use a picture (tick or x).

When you use getElementById, it should be easy. Oh, and call your parameters, or set them inside the function. Parameters inside the function are local variables, while the ones outside are global.

codefossa, posted August 23, 2012:

Here, if you type "testing" into the field you'll get that it matches.

http://xaotique.no-ip.org/tmp.php

```html
<html>
<head>
<title>Change Password</title>
<script type="text/javascript">
function chkpass()
{
    var oldpass = "testing";
    var match = window.document.getElementById("oldpass").value == oldpass ? "Matches" : "Doesn't Match";
    window.document.getElementById("match").innerHTML = match;
}
</script>
</head>
<body>
<input type="password" id="oldpass" onkeyup="chkpass();" />
<span id="match" style="font-weight: bold;">Enter Password</span>
</body>
</html>
```

DrTrans, posted August 24, 2012:

As I was trying to do this I figured out that javascript does not have an md5 generator built in to see if it actually matched.

Adam, posted August 24, 2012:

> The problem is here: document.changepassword.response.value = \"Match\";
>
> Check out getElementById(): http://www.javascript-coder.com/javascript-form/getelementbyid-form.phtml
>
> or other methods to access the HTML DOM in javascript: http://www.quirksmode.org/dom/intro.html

What's the problem with it? You can access forms like that.

Christian F., posted August 24, 2012:

There are three things I'd like to comment upon, DrTrans, based upon your last post. Three rather major points, about your security.

1. You do not want to use any client-side checking of passwords, as that renders the whole check pointless and can/will leak the passwords. Why attack your site's database, when they get sent the juicy stuff in the login form?
2. Don't use MD5 for hashing passwords, it's been proven thoroughly broken since 2006 (took less than 1 min to generate a collision, on a laptop computer). Use mcrypt() or crypt() with SHA256 or better.
3. You're also not salting your passwords, which is the gravest error of them all. Always use a salt when hashing the passwords, which is individual for each user and changed every time the password changes.

I strongly recommend that you read this article, preferably multiple times, until you're 100% certain you understand everything it states. Security is not to be trifled with, especially not when you're saving other people's passwords, usernames and e-mails (or worse).

DrTrans, posted August 25, 2012:

I do use salt to encrypt general passwords, but I'm using md5 for inner passwords. User accounts are using salt. Override passwords are using md5 (admin override). And the reason they can't use salt is because the passwords are generated in another application and they supply the md5 hash string.

Christian F., posted August 25, 2012:

In this case I'd either replace or rewrite the password handling of the inner system. Will save you a lot of headaches, and increase the security of the system in general.

I do hope that this "inner password" is in addition to the regular user account password, and not completely unrelated. Because, if it is, then your user-account security is a complete waste; the admin system would be trivial to crack, and any would-be attacker doesn't even have to worry about the regular accounts.

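The server-side check Christian F. describes, together with one way to move the MD5 override hashes onto salted ones, as an added example that is not part of the thread. It assumes PHP 7.1+ and the built-in password_hash()/password_verify() functions; the record layout and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ and a hypothetical
// stored record: ['hash' => string, 'legacy_md5' => bool].

/** Compare a submitted password with the stored hash. Runs on the server only. */
function verify_password(string $submitted, array $record): bool
{
    if ($record['legacy_md5']) {
        // Unsalted MD5 hex string supplied by the other application.
        // hash_equals() compares in constant time.
        return hash_equals(strtolower($record['hash']), md5($submitted));
    }
    // password_hash() output carries its own random salt and cost.
    return password_verify($submitted, $record['hash']);
}

/** Return the new record, or null when the current password is wrong. */
function change_password(array $record, string $current, string $new): ?array
{
    if (!verify_password($current, $record)) {
        return null; // the caller shows one generic error message
    }
    // A fresh salt is generated here, so it changes with every password change.
    return ['hash' => password_hash($new, PASSWORD_DEFAULT), 'legacy_md5' => false];
}

/** After a successful login, replace a legacy MD5 record with a salted hash. */
function upgrade_legacy(array $record, string $submitted): array
{
    if ($record['legacy_md5'] && verify_password($submitted, $record)) {
        return ['hash' => password_hash($submitted, PASSWORD_DEFAULT), 'legacy_md5' => false];
    }
    return $record;
}

// Constructed sample records and passwords.
$user  = ['hash' => password_hash('old-secret', PASSWORD_DEFAULT), 'legacy_md5' => false];
$admin = ['hash' => md5('override-1'), 'legacy_md5' => true];

var_dump(change_password($user, 'wrong-guess', 'new-secret') === null);
$user = change_password($user, 'old-secret', 'new-secret');
var_dump(verify_password('new-secret', $user));
$admin = upgrade_legacy($admin, 'override-1');
var_dump($admin['legacy_md5'], verify_password('override-1', $admin));
```

The form only posts the old and new passwords; neither the stored hash nor the current password is ever printed into the page.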