rejetto forum

Encrypt password between client and server

0 Members and 1 Guest are viewing this topic.

Offline NaitLee

  • Tireless poster
  • ****
    • Posts: 203
  • Computer-brain boy
    • View Profile
Currently when we change our password, the password sent to client is not encrypted.
When we login, the password is dealt with sha256. But if hacker hijacked the result, he can still do things with correct ajax method.

So beside https, how to get the best effect of encryption between client and server?
I think, The message sent between client and server should be hard to deal.
And we should find a way, to send password/encryption-related message without/cannot fully seen by hacker.

Scripting command: Data manipulation maybe useful as there are some mathematical things.
Additionally, {.get account||password.} can get original password, {.sha256|A.} can make it undiscoverable, {.time|yyyymmddhhMMss.} can get a timestamp...

Anyone can share a bit suggestions? :)
"Computation is not forbidden magic."
Takeback Template | PHFS


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2061
    • View Profile
Currently when we change our password, the password sent to client is not encrypted.
When we login, the password is dealt with sha256. But if hacker hijacked the result, he can still do things with correct ajax method.

So beside https, how to get the best effect of encryption between client and server?
I think, The message sent between client and server should be hard to deal.
And we should find a way, to send password/encryption-related message without/cannot fully seen by hacker.

Scripting command: Data manipulation maybe useful as there are some mathematical things.
Additionally, {.get account||password.} can get original password, {.sha256|A.} can make it undiscoverable, {.time|yyyymmddhhMMss.} can get a timestamp...

Anyone can share a bit suggestions? :)

look at this post
http://rejetto.com/forum/index.php?topic=13326.msg1066139#msg1066139


Offline Richard_F

  • Occasional poster
  • *
    • Posts: 9
    • View Profile
Hello, NaitLee!

yeah, i had this problem for some time too. Unfortunatly i am not sure how fix it. (last time i got help ;D) But maybe this post https://www.technikhiwi.de/wordpress-hosting-test/#Sicherheit can help you. It is in german, so use a site-translation. There is some information about encrypt hosting and SSL-certification.


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 857
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
Good idea. :) Some time ago, I've proposed something different: adding Two-Factor Authentication (2FA) to HFS. Although it's not 100% bullet-proof secure, 2FA could add another layer of security to HFS (for extra peace of mind, since in case a password is stolen, you would still need a correct 2FA code).
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline NaitLee

  • Tireless poster
  • ****
    • Posts: 203
  • Computer-brain boy
    • View Profile
Some time ago, I've proposed something different: adding Two-Factor Authentication (2FA) to HFS

Seems the account notes key can be used to store the second password, and even more ;) So this is also possible :D
"Computation is not forbidden magic."
Takeback Template | PHFS


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2061
    • View Profile
In the long term, the password that can be displayed in clear in the options should disappear to make room for an encryption in the form md5 or sha256 or compatible with the password file under linux, the various forms of authentication between clients and server would be adapted and thus avoid to be able to hack clear identifiers in the ini file,

the current problem is to find a standardized format for sending encrypted data in binary or text form in the forms and to recover it correctly whether in ansi or in widestring, the conversion and interpretation of the data received byte by byte complicates a little the thing, I had made an attempt by codifying the whole in the form of hexadecimal data, but not being at the top on the javascript, the encoding then the decoding gave constantly discordant results so I left aside in waiting for rejetto to have enough time to go back to hfs
« Last Edit: September 30, 2020, 04:39:36 PM by Mars »