
validate password



I'm using JavaScript and PHP to verify that what is typed in the "changepassword" text box = the current password in the $password variable from PHP.


print "<script type=\"text/javascript\">";
   print "
   var currentpass = \"$password\";
   var oldpass		= document.changepassword.oldpassword.value;
   function chkpass(currentpass,oldpass) {
     if(currentpass == oldpass)
      document.changepassword.response.value = \"Match\";
   }
   ";
   print "</script>";
   print "<form name=\"changepassword\" method=\"POST\" action=\"dashboardt.php?control=changepass\">";
       print "<table width=\"50%\" class=\"table2\">";
       print "<tr>";
       print "<td align=\"center\">Current Password:</td>";
       print "<td class=\"td2\">$icon<input type=\"password\" name=\"oldpassword\" onchange=\"chkpass()\"><input type=\"text\" name=\"response\"></td>";
       print "</tr>";
       print "<tr>";
       print "<td>New Password:</td>";
       print "<td class=\"td2\">$icon<input type=\"password\" name=\"newpassword\"></td>";
       print "</tr>";
       print "<tr>";
       print "<td colspan=\"2\"><input type=\"submit\" class=\"submit1\" value=\"Change Password\"></td>";
       print "</tr>";
       print "</table>";
   print "</form>";


Also, check out onkeyup.  onchange sucks for this.  I would also use a span tag so you can stylize it rather than a text area they can type in, then change innerHTML, or use a picture (tick or x).  When you use getElementById, it should be easy.  Oh, and call your parameters, or set them inside the function.  Parameters inside the function are local variables, while the ones outside are global.


Here, if you type "testing" into the field you'll get that it matches.



	<title>Change Password</title>
	<script type="text/javascript">
		function chkpass()
		{
			// Demo value hard-coded in the page source
			var oldpass = "testing";
			var match = window.document.getElementById("oldpass").value == oldpass ? "Matches" : "Doesn't Match";

			window.document.getElementById("match").innerHTML = match;
		}
	</script>

	<input type="password" id="oldpass" onkeyup="chkpass();" />
	<span id="match" style="font-weight: bold;">Enter Password</span>


The problem is here:


document.changepassword.response.value = \"Match\";


Check out getElementById(): http://www.javascript-coder.com/javascript-form/getelementbyid-form.phtml


or other methods to access the HTML DOM in javascript: http://www.quirksmode.org/dom/intro.html


What's the problem with it? You can access forms like that.


There are three things I'd like to comment upon, DrTrans, based upon your last post. Three rather major points, about your security.


  1. You do not want to use any client-side checking of passwords, as that renders the whole check pointless and can/will leak the passwords. Why attack your site's database, when they get sent the juicy stuff in the login form?

  2. Don't use MD5 for hashing passwords, it's been proven thoroughly broken since 2006 (took less than 1 min to generate a collision, on a laptop computer). Use mcrypt() or crypt() with SHA256 or better.

  3. You're also not salting your passwords, which is the gravest error of them all. Always use a salt when hashing the passwords, which is individual for each user and changed every time the password changes.

I strongly recommend that you read this article, preferably multiple times, until you're 100% certain you understand everything it states. Security is not to be trifled with, especially not when you're saving other people's passwords, usernames and e-mails (or worse).

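The first and third points above, as an added example that is not part of the original thread: the check runs in the PHP handler, so `$password` never reaches the page, and the stored value is a salted hash. It uses PHP's `password_hash()`/`password_verify()` (wrappers around `crypt()`); `changePassword()` and the in-memory `$user` record are hypothetical stand-ins, and the `oldpassword`/`newpassword` keys are the form fields from the first post.

```php
<?php
// Added example, not code from the thread. changePassword() and the $user
// array (a stand-in for one row of the users table) are hypothetical.

/**
 * Handle the POST from the change-password form entirely on the server.
 * Returns null on success or an error message for the page to display.
 */
function changePassword(array &$user, array $post): ?string
{
    // Treat missing or non-string fields (e.g. oldpassword[]=x) as empty.
    $old = is_string($post['oldpassword'] ?? null) ? $post['oldpassword'] : '';
    $new = is_string($post['newpassword'] ?? null) ? $post['newpassword'] : '';

    // password_verify() reads the salt and cost stored inside the hash
    // string, recomputes the hash and compares in constant time.
    if (!password_verify($old, $user['password_hash'])) {
        return 'Current password is incorrect.';
    }
    if ($new === '') {
        return 'New password must not be empty.';
    }

    // password_hash() generates a new random salt on every call, so the
    // salt is per user and changes whenever the password changes.
    $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return null;
}

// Constructed sample record and requests, so the script runs offline.
$user = ['name' => 'demo', 'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)];

$wrong = changePassword($user, ['oldpassword' => 'guess', 'newpassword' => 'new-secret']);
$right = changePassword($user, ['oldpassword' => 'old-secret', 'newpassword' => 'new-secret']);

var_dump($wrong, $right);
var_dump(password_verify('new-secret', $user['password_hash']));
```

The browser only ever receives the error string or a success page; nothing derived from the stored password appears in the HTML or JavaScript.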

I do use salt to encrypt general passwords, but I'm using md5 for inner passwords.

User accounts are using salt.

Override passwords are using md5 (admin override), and the reason they can't use salt is because the passwords are generated in another application and they supply the md5 hash string.



In this case I'd either replace or rewrite the password handling of the inner system. Will save you a lot of headaches, and increase the security of the system in general.


I do hope that this "inner password" is in addition to the regular user account password, and not completely unrelated. Because, if it is, then your user-account security is a complete waste; the admin system would be trivial to crack, and any would-be attacker doesn't even have to worry about the regular accounts.

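One interim option for the override passwords when the other application can only supply an MD5 string, shown as an added example that is not from the thread: store a salted `password_hash()` of the supplied MD5 string instead of the MD5 string itself. `wrapLegacyMd5()` and `verifyOverride()` are hypothetical names, and the sample digest is constructed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/**
 * Wrap an MD5 hex digest supplied by the other application in a salted,
 * slow hash before it is stored. The bare MD5 string is never saved.
 */
function wrapLegacyMd5(string $md5Hex): string
{
    if (!preg_match('/^[0-9a-f]{32}$/i', $md5Hex)) {
        throw new InvalidArgumentException('Not an MD5 hex digest.');
    }
    // md5() returns lowercase hex, so normalise before hashing.
    return password_hash(strtolower($md5Hex), PASSWORD_DEFAULT);
}

/**
 * Check a typed override password against the wrapped value:
 * MD5 it first (matching what was wrapped), then verify the outer hash.
 */
function verifyOverride(string $typedPassword, string $storedWrapped): bool
{
    return password_verify(md5($typedPassword), $storedWrapped);
}

// Constructed sample: stands in for the string the other application supplies.
$supplied = md5('constructed-override');

$storedA = wrapLegacyMd5($supplied);
$storedB = wrapLegacyMd5($supplied);

var_dump(verifyOverride('constructed-override', $storedA)); // correct password
var_dump(verifyOverride('something-else', $storedA));       // wrong password
var_dump($storedA === $storedB); // same input twice: compares the two salted results
```

This protects the stored value only; the MD5 string is still exposed wherever the other application generates or transmits it, which is the part the post above suggests replacing.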
