What flaws are present in this authentication system?

As a developer with a passion for coding, rather than a security expert, I came across The definitive guide to form-based website authentication, which highlighted the importance of SSL or complex algorithms in safeguarding login data from eavesdropping. Despite my lack of expertise in computer security, I fail to spot any glaring flaws in the following authentication method:

  1. When the login button is pressed, the client requests a lengthy random string from the server via JavaScript.
  2. The client then hashes both the random message and the password (which has not been transmitted).
  3. Using blowfish or another encryption algorithm, the client encrypts the hash of the random message with the password hash.
  4. The resulting encrypted data is sent to the server by the client.
  5. On the server side, the message is decrypted using the password hash stored in the database (as only hashes are kept, not actual passwords).
  6. If the decrypted hash matches the original message hash, the client is authenticated.

What am I missing here? The password nor its hash are ever transmitted over the network, with the server solely storing password hashes...

javascriptauthenticationclient-side

Answer №1

In this authentication system, a password is not needed for verification, only the hash of the password. Essentially, the hash of the password can be considered as the original password from an encryption standpoint. Therefore:

  • If the salt and hash(pass+salt) are intercepted, it only takes one step to de-hash the password
  • The server stores passwords in plain text

Furthermore, using an unencrypted connection leaves the system susceptible to man-in-the-middle attacks.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Create dynamic automatic titles in HTML with JavaScript

Below is the code snippet to add an image with a link to the home-page and an h1 with the document name (if there isn't one already). This HTML code includes a JavaScript file reference in the <head> section and uses a <h1> tag for the ti ...

javascripthtmldom

Issue with AngularJS toggle being obstructed by Math operation

I am facing an issue with my table rows where cells are being filled with words from an API. I have implemented a feature that allows users to toggle the selection of a cell. To achieve this, I am using ng-class={selected:toggle} and ng-click="toggle = !to ...

javascriptangularjs

Problems with the navigation bar scrolling in Bootstrap

The project I'm currently working on is located at zarwanhashem.com If you'd like to see my previous question along with the code, you can check it out here: Bootstrap one page website theme formatting problems Although the selected answer help ...

javascriptjqueryhtmlcsstwitter-bootstrap

Route all Express JS paths to a static maintenance page

Need help with setting up a static Under construction page for an Angular Web App with Express Node JS Backend. I have a function called initStaticPages that initializes all routes and have added a new Page served via /maintenance. However, when trying to ...

javascriptnode.jsexpressredirect

Ways to create two separate references pointing to a single object

Here is the code I am currently running: function TypeOfCar(vehicle) { this.vehicle = vehicle; } var sedan = new TypeOfCar('sedan'); var carType = race; console.log(carType); console.log(sedan); After running the code, the output is as follo ...

javascript

Preventing page refresh when typing in a form input: Tips and tricks

I'm currently puzzled by a small issue. In my web application, I have a chat box that consists of an input[type='text'] field and a button. My goal is to send the message to the server and clear the input field whenever the user clicks the b ...

javascripthtmlangularjstwitter-bootstrap

What is the best way to invoke a component method from an event listener of a different component using ($on)?

I recently came across information on Non-Parent-Child Communication at https://v2.vuejs.org/v2/guide/components.html#Non-Parent-Child-Communication, which explains the concept of using bus events to communicate between components. However, I'm still ...

javascriptvue.jsvuejs2vue-component

Transition smoothly between two images with CSS or jQuery

I am working on a project where I need to implement a hover effect that fades in a second image above the initial image. The challenge is to ensure that the second image remains hidden initially and smoothly fades in without causing the initial image to fa ...

javascriptjqueryhtmlcssimage

The Iron Seal feature is ineffective when a user tries to log in

Iron.seal isn't properly updating the npm module Iron, which is causing login issues for users. var obj = { a: 1, b: 2, c: [3, 4, 5], d: { e: 'f' } }; var password = 'some_not_random_password_that_is_at_lea ...

javascriptnode.jsnpmiron

Transferring data from jQuery Ajax to PHP

I'm facing a challenge in retrieving a value back to PHP that I can manipulate and save to the database. It appears that using the GET method with jQuery AJAX is not yielding the desired results. Below is the PHP code snippet where I attempt to captur ...

phpjavascriptjqueryajax

Arrange divs in a grid layout with evenly distributed dynamic spacing

I am not a big fan of bootstrap, so I was wondering if it is possible to achieve the layout without using it. I have 6 divs that I want to arrange in 2 rows and 3 columns. I need the space between each row/column to be precise. While I can calculate this ...

javascripthtmlcssflexbox

Troubleshooting Issue with jQuery onclick Function not Transmitting Data

Why is this error occurring: Uncaught TypeError: Object [object global] has no method 'data' HTML: $attributes = array('class' => 'main post', 'onsubmit' => 'validateModules(event)', 'dataid& ...

javascriptjqueryajax

Insert a Facebook like button within a designated div

Can anyone figure out why the Facebook button isn't functioning properly? ---- ...

javascriptjqueryfacebookfacebook-like

Angular AutoComplete feature does not accurately filter the list items

I need to implement an auto-complete feature for the county field due to a large number of items in the list causing inconvenience to users who have to scroll extensively. Currently, there are two issues with the code. The first problem is that although t ...

javascriptangulartypescript

Using vuex-class to interact with Vuex in non-Vue components

Is it possible to access Vuex outside of a Vue component using vuex-class? In a typical scenario, the process is quite straightforward: // some JS file import store from './../store'; // path to Vuex store store.commit('ux/mutationName&ap ...

javascripttypescriptvue.jsvuex

What is the best way to display a template after submitting data via AJAX in the Flask framework?

Encountering an issue where I am unable to open render_template after posting data with ajax. Below is my ajax code: if ($(this).attr("value") == "button-three") { var skoring = getRadioVal(document.getElementById('mentodeNegasi'),'neg ...

javascriptjquerypythonajaxflask

Accessing the value of a hidden field within an ng-repeat loop when binding to an HTML table

I am working on a project where I have an HTML table with data being bound from AngularJS. The structure looks something like this: <tr ng-repeat="item in List| filter: { MachineType: 'Physical' }"> <td>{{item.MachineType}}< ...

javascripthtmlangularjs

Dividing the sentences inputted into a text area into an array and determining which sentence has been altered upon keyup

One of my current tasks involves handling the content within a textarea element: <textarea id="text"> Hello! Who am I? This is the third sentence. This, is another sentence. </textarea> Given that a textarea can be focused, I am seeking a met ...

javascriptjquerysplit

Issue encountered at 'site construction' phase: failure in build script with exit code 2

I am a novice and struggling to solve this error. I have attempted to fix it by adjusting the deploy settings, but I can't seem to resolve this compilation error. The syntax errors are overwhelming, and I'm not sure if there is something crucial ...

javascriptnode.jsreactjsnext.jsdependencies

Browsing through a collection of pictures, I find myself wanting to linger on the final image rather than swiftly exiting the window

The functionality currently implemented is as follows: $("#btnNextImage").click(function (e) { var win = window.opener.parent; win.postMessage('next', '*'); window.close(); //close ...

javascriptjquery