:: Encrypted Password script Will Not Validate



fmv503
08-20-2013, 03:22 AM
How to fix?

Link where used:

http://www.attinc.com/indexLOGIN.htm

:: Encrypted Password script

http://www.dynamicdrive.com/dynamicindex9/password.htm


W3C
http://validator.w3.org/check?uri=http%3A%2F%2Fwww.attinc.com%2FindexLOGIN.htm&charset=%28detect+automatically%29&doctype=Inline&group=0


Thank you,
fmv503

djr33
08-20-2013, 03:51 AM
From your link, it looks like there is exactly one error remaining. This is a "missing action" in the form tag, and it's actually not difficult to fix.

You should be able to find a line that looks something like this (use edit>find if you don't see it easily), according to the validator on line 184:
<form name="password" ...>
You just need to add an "action" to that, like this:
<form name="password" action="">
The action itself is the page to which the form submits. In this case, leaving it blank (with "", or the 'empty string') will mean it submits to the current page, which is fine. You could also use "#", which should make it not submit, a common trick with Javascript.

Anyway, it doesn't really matter-- that error is irrelevant because you don't want this to submit at all. But there's no harm in adding the self-submission option above (which is what would happen anyway, I think). It will only have an effect if Javascript is disabled-- the page will submit to itself (=reload), and nothing more.
[Note that you should generally fix errors when they come up, but there's only a technicality in having a "valid" page-- the validator isn't creative and doesn't know when there's an important or unimportant error. Sometimes it's possible to have a completely acceptable page, but with a few technical errors that don't really matter. Just be aware of the exceptions and why you're ignoring the validator in those cases. Still, you can usually fix it if you want to.]



Beyond this, I will also add that this script is about 12 years old (=outdated). It works fine, but it doesn't provide any real security (that's impossible with Javascript). It can be fun, but you shouldn't rely on it for anything very important. What it does is this:
1. It only works if you have the right combination of username and password. If not, the Javascript will not function. However, it is possible for someone to read the source code (I just did) and determine how the script works to bypass it:
2. When you type in a password, that is the name of the page you get redirected to. So once you know this, you no longer need the username. You can just use /PASSWORD.htm, and that's all. You can ignore the Javascript.

Now, this is technically still some kind of security-- users must know the password (either using the Javascript code, or manually) in order to access the new URL. But the only security is that URL-- if, for example, somehow it ends up being accessed and indexed by Google, then everyone can find it anyway.

So it's useful for some things and it does work, but it's only as secure as having a secret page on your website. So you could add a page called "secret.htm" and that would be as secure as this script. If no one knows to look for it, then it's completely hidden. If some people know, and others do not, then it's still probably secure, unless those that know tell others, or somehow it ends up being indexed by Google.

And just remember-- use a weird filename for the page. Just like any password, don't use something anyone might guess. They probably won't guess it, but they could. So pick something unlikely (a random string of letters and numbers is a good idea).


You can't rely on this for real "security". If you need that, then you'll need to look into serverside code. One option to protect a file or directory is .htaccess (there's a tool here on DD that can help). Beyond that, such as for usernames/logins, you would need a serverside programming language like PHP and probably a database to store the user information. It's more work, but that can be completely secure.
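
The server-side approach recommended in the reply above, as an added example that is not part of the original thread or of the Dynamic Drive script. It uses Node.js with only the standard crypto module rather than PHP; the in-memory user store, the /members.htm path, the sample account and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed user store; a real site would keep these records in a database.
const users = new Map();
// Sessions issued after a successful login: token -> username.
const sessions = new Map();

// Salted, deliberately slow hash so stored records do not reveal passwords.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function addUser(name, password) {
  const salt = crypto.randomBytes(16);
  users.set(name, { salt, hash: hashPassword(password, salt) });
}

// The check runs on the server, so nothing in the page source reveals it.
function login(name, password) {
  const user = users.get(name);
  // Hash even for unknown users so both paths do comparable work.
  const salt = user ? user.salt : Buffer.alloc(16);
  const expected = user ? user.hash : Buffer.alloc(32);
  const candidate = hashPassword(password, salt);
  const ok = crypto.timingSafeEqual(candidate, expected) && Boolean(user);
  if (!ok) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, name);
  return token;
}

// The protected page is returned only for a valid session token,
// so knowing or guessing its URL is not enough to read it.
function getProtectedPage(path, token) {
  if (path !== '/members.htm') return { status: 404, body: 'Not found' };
  if (!token || !sessions.has(token)) {
    return { status: 401, body: 'Login required' };
  }
  return { status: 200, body: `Welcome, ${sessions.get(token)}` };
}

// Constructed sample account.
addUser('alice', 'constructed-sample-passphrase');
```

Unlike the redirect-to-PASSWORD.htm scheme, the page name here can be public or indexed without exposing the content, because every request is checked against a session the server issued.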

fmv503
08-20-2013, 04:30 AM
My thanks, Daniel. Awesome reply!

Frieda