Sending password onClick from form

ernest1a · July 2, 2010, 1:24pm

I have a registration form which is processed by using javascript and php. First I show registration.php and data from it is sended with ajax to registration_process.php

<form id=“registration”>
Name<input type=“name” id=“name” />
Password<input type=“password” id=“password” />
</form>
<script>
$(document).ready(function(){
$(‘#submit’).click(function() {
var name=$(‘#name’).val();
var password=$(‘#password’).val();
//then it sends those data with ajax to registration.php
…
</script>

registration_process.php
<?
if($_POST[password]){
$password=$_POST[password]
…
}
?>

The problem is that is probably not secure way. Is any way to encrypt value of input? For example something like this
var name=$(‘#name’).encrypt().val();

tnx!

felgall · July 2, 2010, 7:50pm

The most secure way to send it if you don’t have an SSL certificate is as plain text.

If you use JavaScript to “encrypt” it to send then you also need to accept the plain text version from those without JavaScript and that means that there are two alternative passwords that will work making it twice as easy to crack as if you only send in plain text. The encrypted one will be no harder to crack than a plain text one since all that is necessary is to capture the value being passed as that IS the password as far as the server is concerned.

ernest1a · July 2, 2010, 5:26pm

Is that even any huge security risk if I send password with ajax without encrypt before I validate it?

I see that also Facebook doesn’t do it. As you can try, Facebook sends to 2nd step of registration the value of password with ajax (POST reg_passwd__) without encrypt it.

chris_upjohn · July 2, 2010, 2:30pm

The best thing you can do without buying an SSL certificate is to send an encrypted PHP string using either base64, sha1 or md5 randomly mixed with say 5 static characters to ensure the code cannot be cracked. You could also send a value that can only be passed by the javascript form say something like ajax_submission then on the PHP side check for both of those values and run the encrypted string against something to ensure the user sending the form isn’t a security risk.

The way i would secure the password is by base64 encoding it using javascript then decode it that way it has at least some protection, i believe there are ways to fully encrypt values using javascript but i don’t know of any off the top of my head