Aquillar wrote: Yes I know, but for the kid who's trying to get myspace passwords, this would be a *beep* and he would probably just ignore it. It's better than nothing. The session ID could change immediately after login, and then it would be useless to someone who managed to grab the hash. If the session ID doesn't change, then they never sent the right password to begin with. The password is now protected.
I don't really see how the session ID is relevant, given that if they get the MD5 hash of the password, they can just use that to log in themselves. The hash is always the same, so they can just get their own session.
Plus, giving someone an MD5 hash of a poorly chosen password is really extra bad: they can use the hash on their own computer to solve for the actual password. This is why your /etc/shadow file is only readable by root. You'd then at least have to enforce some kind of password standard on all your users.
That's why the only good solution is SSL: you really need asymmetric encryption to set up a secure connection. A one-way function just won't cut it.
Anyway, for most people just putting the whole forum in HTTPS would work; the only problem is that with sites that have a lot of traffic, it puts an extra load on the server. I didn't want to argue with anyone about how hard it is to have a site that flips between HTTP and HTTPS for passwords, because I've never implemented it myself (some problem with the cookies being encrypted?). But other software does this, so I know it's possible.
But I'm glad I'm not alone in thinking this is important.
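The two objections in the post above (a client-sent MD5 hash is replayable regardless of session-ID rotation, and an unsalted hash of a weak password can be cracked offline) can be shown end to end in a few lines. This is an added example, not code from the thread or from any forum software; the user table, the login message format, the session store and the tiny wordlist are all constructed here to model the scheme being discussed (server stores md5(password), client POSTs md5(password) over plain HTTP).

```python
import hashlib
import secrets
from typing import Dict, Iterable, Optional

# Constructed credential store (assumption: the server keeps md5(password)
# and compares it directly with the md5 the client submits, as in the thread).
USERS: Dict[str, str] = {"alice": hashlib.md5(b"sunshine").hexdigest()}

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty"]


def client_login_message(username: str, password: str) -> dict:
    """What the browser would POST over plain HTTP in this scheme:
    the MD5 of the password rather than the password itself."""
    return {"user": username,
            "pw_md5": hashlib.md5(password.encode()).hexdigest()}


def server_login(msg: dict, sessions: Dict[str, str]) -> Optional[str]:
    """Server side: accept the hash if it matches the stored one and issue
    a brand-new random session ID (the 'session ID changes after login'
    mitigation proposed in the thread)."""
    if USERS.get(msg.get("user", "")) != msg.get("pw_md5"):
        return None
    sid = secrets.token_hex(16)
    sessions[sid] = msg["user"]
    return sid


def replay_attack(captured: dict) -> bool:
    """An eavesdropper resends the sniffed login POST verbatim.
    Rotating the session ID after login does not help: the server simply
    mints the attacker a fresh, fully valid session of their own."""
    sessions: Dict[str, str] = {}
    sid = server_login(captured, sessions)
    return sid is not None and sessions[sid] == captured["user"]


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on the captured hash. Because the hash is
    unsalted MD5, each guess costs one hash computation on the attacker's
    own machine and never touches the server (no lockout, no logs)."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == target_hex:
            return guess
    return None


if __name__ == "__main__":
    # Simulate the hash being captured on the wire from a plain-HTTP login.
    captured = client_login_message("alice", "sunshine")
    print("replayed hash logs in:", replay_attack(captured))
    print("password recovered offline:", crack_md5(captured["pw_md5"], WORDLIST))
```

Note that the replay succeeds even though `server_login` issues a different session ID on every call; the hash itself is the credential, so whoever holds it is "alice" to the server. The second function shows why handing out the hash is worse than nothing for weak passwords: the attacker gets the plaintext back as well, reusable on any other site where it was chosen.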