After hours of googling, following videos and a failed attempt at installing SSL on my local WAMP server, I am on the cusp of giving up.
So I'm here to ask for help.
I have a simple form, logging a user in and comparing details with a PHP database; the password is stored as an MD5 hash in the database.
I know MD5 is insecure and HTTPS is the best way to secure the transmission etc., but all I need here is to simply mask the password during transmission so it's not visible in plain text during a Wireshark capture.
The form code is:
<form method="post" action="index.php" name="loginform" id="loginform">
<fieldset>
<label for="username">Username:</label><input type="text" name="username" id="username" /><br />
<label for="password">Password:</label><input type="password" name="password" id="password" /><br />
<input type="submit" name="login" id="login" value="Login" />
</fieldset>
</form>
Is there a way to set the password as something like:
<label for="password">Password:</label><input type=md5("password")
Again, it's just something fast and simple to implement I need.
Thanks in advance
Wayne
A solution is to use a JavaScript MD5 library like https://github.com/blueimp/JavaScript-MD5 and call the md5() function on form submission. You will not be able to do this with HTML code alone.
As you know, normally the MD5 hashing of a password is done on the server side, by the index.php page in your code. The HTTPS transmission protects the password from eavesdropping. If Wireshark is able to decrypt it, that is because Wireshark intercepts the communication as man-in-the-middle and produces another HTTPS certificate for the URL used. The browser should warn the user that the communication is not secure because the certificate is not from a certification authority trusted by the browser. If, despite this, the user continues, he should be aware that everything on his page can be modified, including the code that does the hashing.
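
An added example (not code from the question or the answer) of hashing on form submission as the answer suggests; it goes one step further and binds the hash to a one-time nonce, because a bare md5(password) is the same on every login and would itself work as the password. It assumes blueimp's global md5() is loaded; the hidden "nonce" field rendered by index.php and the JavaScript model of the server-side check are hypothetical.

```javascript
// Assumes blueimp's md5.min.js is loaded first: md5(value) returns the hex
// MD5, md5(value, key) returns the hex HMAC-MD5. The hash function is passed
// in so the helpers can also be exercised outside a browser.

// Client side: replace the clear-text password with a response bound to a
// one-time nonce the server placed in the form (hypothetical hidden field).
function buildLoginFields(fields, hashFn) {
  if (!fields.nonce) {
    throw new Error('no nonce: a bare hash would be valid for every login');
  }
  const key = hashFn(fields.password);       // same value the database stores
  return {
    username: fields.username,
    nonce: fields.nonce,
    password: hashFn(fields.nonce, key),     // HMAC-MD5 keyed with md5(password)
  };
}

// Model of the check index.php would make; in PHP the same value is
// hash_hmac('md5', $nonce, $storedMd5), compared with hash_equals().
// issued is the Set of nonces handed out and not yet seen back.
function verifyLogin(storedMd5, posted, issued, hashFn) {
  if (!issued.delete(posted.nonce)) return false;   // unknown or already used
  return hashFn(posted.nonce, storedMd5) === posted.password;
}

// Browser wiring for the form in the question (skipped outside a browser).
if (typeof document !== 'undefined') {
  const form = document.getElementById('loginform');
  form.addEventListener('submit', function (event) {
    try {
      const nonceField = form.elements.nonce;        // hypothetical hidden input
      const out = buildLoginFields({
        username: form.elements.username.value,
        password: form.elements.password.value,
        nonce: nonceField && nonceField.value,
      }, md5);
      form.elements.password.value = out.password;
    } catch (err) {
      event.preventDefault();   // never fall back to posting the clear text
    }
  });
}
```

The page and script are still delivered over plain HTTP, so the limitation stated in the answer's last sentence applies to this code as well.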