Any help??

neverett · January 25, 2008

function validate_oldpw(opw, pw){
		with(opw, pw){
			var old = opw.value;
			old = md5(old);
			if(opw.value == ""){ alert("The [old] password you entered does not match your current account password.1"); return false; }
			if(md5(old) == pw.value){ return true; }
			else{ alert("The [old] password you entered does not match your current account password.2"); return false; }
		}
}

Any idea why this won't work. I'm trying to compare two passwords. pw.value is a password stored via the md5 method. I'm trying to take opw and check it with the supplied pw.value. Let me know if you have any ideas. Thanks in advance!!!

rajivgonsalves · January 25, 2008

where is md5 function declared ?

neverett · January 25, 2008

It's built into Javascript correct? The md5 hash?

rajivgonsalves · January 25, 2008

nope there is no inbuilt md5 function in javascript however I googled and found this

http://www.webtoolkit.info/javascript-md5.html

emehrkay · January 25, 2008

what is the point of md5'in two string in javascript for comparison purposes?

Just compare the strings

neverett · January 28, 2008

That would be nice if I could just compare the strings, but I have queried the already encrypted password out of the database therefore i need to encrypt the non-encrypted password entered in the form to be sure the two match.

laffin · January 28, 2008

and why wud u do that?

now you have given away a great deal in cracking the pw.

the md5 hash shudn be made available to the user at all. with this hash someone can generate new hashs, and come up with a password that isnt the same as the original password, but gives the same md5 hash.

neverett · January 29, 2008

But the md5 hash can be found anywhere on the net. How is this any different?

laffin · January 29, 2008

u give the result of the md5, that's what i'm talking about. not the function.

if someone were to see the md5 hash of a password, they got 2 keys to a puzzle of a user acct.

1) The username

2) the md5 hash itself (the result of md5)

now they can run a routine offline to hack that acct.

u want to make things harder, reason to use md5 hashes instead of plain text passwords. not defeat the purpose of md5 hashing

neverett · January 29, 2008

But they shouldn't be able to see the hashed password can they (the pw var)??? That should all be hidden. How can I go about fixing this? I really appreciate your input and pointing this out to me.

Sign In

Any help??

Recommended Posts

neverett

Link to comment

Share on other sites

rajivgonsalves

Link to comment

Share on other sites

neverett

Link to comment

Share on other sites

rajivgonsalves

Link to comment

Share on other sites

emehrkay

Link to comment

Share on other sites

neverett

Link to comment

Share on other sites

laffin

Link to comment

Share on other sites

neverett

Link to comment

Share on other sites

laffin

Link to comment

Share on other sites

neverett

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information