
Thread: [DHTML] Enhanced "Encrypted Password" script

  1. #1
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    [DHTML] Enhanced "Encrypted Password" script

    1) CODE TITLE:
    Enhanced "encrypted password" script.

    2) AUTHOR NAME/NOTES:
    Twey, http://www.twey.co.uk/, twey at aforementioned domain. Email me if you like, but you'll probably get a faster response on the DD board, http://www.dynamicdrive.com/forums/.

    3) DESCRIPTION:
    Rewrite of Robert Heslop's "Encrypted Password" script, originally so the code was actually of a half-acceptable standard. Includes a few frequently-requested features and a couple that nobody wants and probably nobody will use, but it was no big hassle to code them in and makes it look neater anyway. Note that, since my digital cryptography has been known to be deciphered by small children (a hamster had a damn good crack at it once, but thankfully failed), the demonstration uses Paul Andrew Johnson's Javascript MD5 implementation, which is free to use and modify under the terms of the BSD license (I presume he means this one). However, the script has been coded specifically to make it easy to "plug in" any algorithm that suits you, and Rob Heslop's algorithm remains commented in the source code (although I don't recommend it, since it gives away the approximate length of the hashed string).

    4) URL TO CODE:
    http://www.twey.co.uk/?q=encpass
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  2. #2
    Join Date
    Aug 2004
    Posts
    10,143
    Thanks
    3
    Thanked 1,008 Times in 993 Posts
    Blog Entries
    16

    For a JavaScript-based encrypted password script, I think you've pushed the limits with this one. I'm most likely not going to include it on DD though, since each time I post a JS password script, infinite questions pour in on "how to do this" and "how to do that", when in reality, I think the best solution is just to go with a server-side solution, the most important reason being the sake of security, of course.

  3. #3

    Are you going to take down Rob Heslop's original script too?

    Obviously the best solution is server-side, but some people don't have scripting support on the server.
    > For a JavaScript based encrypted password script, I think you've pushed the limits with this one.

    Oh, no I haven't. I've got plans to add AJAX capabilities to it at some point, removing the necessity to include the password in the script at all.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  4. #4

    > Are you going to take down Rob Heslop's original script too?

    I've considered it, though I really try to not remove existing scripts due to the disruption it can cause with pages on the web that link to them.

    The single most common question I get with JS-based password scripts is "What if the user knows the name of the protected page (i.e. Good.txt) and just starts posting it/handing it out to others?" Then I have to get into the whole explanation of how JavaScript really can't password protect a page, just hide its location. Some people, not knowing its shortcomings, will use this script in a more mission-critical manner.

  5. #5

    Yes, but equally a password for a server-side script could be handed around.

    The key thing to remember with scripts of this sort is that they are in fact the frontend to a server-side solution -- hiding/obscuring the location of the page is a form of server-side protection, and so just as secure as a lot of the server-side solutions one sees (although obviously inferior to something like sessions).
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
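
The point argued in posts #4 and #5, as an added example that is not part of the thread or of the script it discusses: a client-side gate only decides whether to reveal a path, while the host serves that path to anyone, whereas a server-side check runs on every request. The names `staticServe`, `clientGate` and `protectedServe`, the file table and the password are constructed for illustration; SHA-256 from Node's `crypto` stands in for the pluggable hash.

```javascript
// Added example with constructed names and data; runs under Node.js.
const crypto = require("node:crypto");

// Pluggable hash, as the first post describes; SHA-256 stands in here.
const hash = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Constructed static host: it serves any known path and never sees a password.
const FILES = {
  "/index.html": "login form + gate script",
  "/Good.txt": "members-only text",
};
function staticServe(path) {
  return path in FILES
    ? { status: 200, body: FILES[path] }
    : { status: 404, body: "" };
}

// Client-side gate: the digest and the target path both ship in the page
// source, so the gate can only choose whether to reveal the location.
const STORED_DIGEST = hash("correct horse"); // constructed password
function clientGate(password) {
  return hash(password) === STORED_DIGEST ? "/Good.txt" : null;
}

// Server-side check: the decision is made where the file lives, on every
// request. Simplified: a real server keeps the digest private and stores a
// salted, slow password hash rather than a bare SHA-256.
function protectedServe(path, password) {
  if (path === "/Good.txt") {
    const given = Buffer.from(hash(password ?? ""), "hex");
    const stored = Buffer.from(STORED_DIGEST, "hex");
    if (!crypto.timingSafeEqual(given, stored)) return { status: 401, body: "" };
  }
  return staticServe(path);
}

// Same request, with and without a server-side check.
function compare() {
  return {
    gateWithWrongPassword: clientGate("guess"),
    staticHostNoPassword: staticServe("/Good.txt").status,
    serverCheckNoPassword: protectedServe("/Good.txt").status,
    serverCheckWithPassword: protectedServe("/Good.txt", "correct horse").status,
  };
}
```

`compare()` shows the static host returning 200 for `/Good.txt` with no password at all, while the server-side check returns 401 until the right password accompanies the request.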
