By muzza on
Hi All,
I have confirmed using a packet sniffer that passwords entered in the Drupal Login page are transmitted unencrypted. Obviously this is a security issue when logging in over the Internet. I want to make the login password encrypted (or at least scrambled) but not have to resort to making the whole site use SSL. Anyone have any suggestions or know of any patches to achieve this? We use a Squid proxy if that is of any use to achieve the required result.
Thanks,
Murray
Comments
there are some possibilities
there are some possibilities, one is to use client side javascript to scramble a password when it is sent, or maybe even using a flash movie or a java applet to log in. All technologies require that you unscramble the login information server-side, which means you need to bypass/modify the default drupal login information and break normal login procedures.
but when you use anything other than https you need 3rd party plugins and break your site for people who don't have access to the technology you're using.
another drawback is that your site won't be more secure, because the scrambled login can just as easily be sniffed and replayed for unwanted login attempts; if you want security you generally need to go all the way.
SSL for login only
Moodle has a "loginhttps" option that, in their words:
"Turning this on will make Moodle use a secure https connection just for the login page (providing a secure login), and then afterwards revert back to the normal http URL for general speed."
I would like to have this ability for Drupal and have just started looking into the possibility.
jim
4.7
this is an easy change in 4.7. no one has written the module yet, but it will happen. it is about 3 lines of code to change the action of the login form to an https page.
Anyone have a code snippet or patch for this?
Hi Moshe,
Good to hear it will be in 4.7 but I want to put something in place in the meantime if possible. If anyone has a temporary fix for this it would be appreciated.
Thanks
Murray
snippet
this isn't likely to get into core. the strategy will be to use hook_form_alter to change the #action of the login form to https://example.com/user/login. use form_id to alter just the right form.
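The change described in the 4.7 post and spelled out in the snippet post, written out as an added example for Drupal 4.7/5 (this is not code from the thread or from any released module). Assumptions: the module name `securelogin`, the 4.7/5 hook signature `hook_form_alter($form_id, &$form)`, the form ids `user_login` (the /user/login page) and `user_login_block` (the login block), and the global `$base_root` (scheme plus host) that Drupal sets at bootstrap. Drupal 6 and later changed the hook to `hook_form_alter(&$form, $form_state, $form_id)`.

```php
<?php
// securelogin.module (hypothetical module name, not an existing Drupal project).
// Drupal 4.7/5 hook signature; Drupal 6+ uses hook_form_alter(&$form, $form_state, $form_id).

/**
 * Implementation of hook_form_alter().
 *
 * Re-points the login forms at an https:// URL so the credentials are posted
 * encrypted even when the page that rendered the form came over plain http.
 */
function securelogin_form_alter($form_id, &$form) {
  // Only touch the login page form and the login block form.
  if ($form_id != 'user_login' && $form_id != 'user_login_block') {
    return;
  }
  // The block form already carries an #action (current page plus destination);
  // fall back to the current path when no action has been set.
  $current = isset($form['#action']) ? $form['#action'] : url($_GET['q']);
  $form['#action'] = securelogin_https_action($current);
}

/**
 * Turns a form action (relative, or absolute http) into an absolute https URL.
 *
 * $base_root is scheme + host (e.g. http://example.com). The host is kept as
 * is, so the site's certificate must be valid for that host name.
 */
function securelogin_https_action($action) {
  global $base_root;
  if (!preg_match('#^https?://#', $action)) {
    // A path-only action such as /user/login needs the host in front of it.
    $action = $base_root . $action;
  }
  return preg_replace('#^http://#', 'https://', $action);
}
```

Two caveats a practitioner should weigh before relying on this. The page that carries the form still arrives over plain http, so anyone who can sniff the traffic can also rewrite the form's action before the user sees it; the https POST only protects against a passive sniffer. And the session cookie that Drupal issues after the https login is sent back over http on every later request unless PHP's session.cookie_secure is set, so the session itself can be hijacked even though the password was not; setting cookie_secure, in turn, means the http part of the site never sees the session. That trade-off is exactly what the Moodle-style "login over https, then revert to http" approach accepts.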
does hosting provider have to explicitly support https?
This is a stupid question but I will ask it anyways.
I want to use https for the login page of my blog. Since I am the only user who actually logs in I don't mind using a self-generated certificate.
Does my hosting provider have to enable https on my account for this to work? I think the answer is yes but I just want to be sure.
My Drupal-powered Blog: ThoughtfulChaos
FYI - issue: "challenge-response login"
Ref. my suggestion and others' concerns in the discussion in this issue:
"challenge-response login":
http://drupal.org/node/13240#comment-325295
--
( Evaluating the long-term route for Drupal 7.x via BackdropCMS at https://www.CMX.zone )
Are Drupal passwords still
Are Drupal passwords still being sent in clear text ? I wasn't sure if this issue was resolved or not. I would have hoped Drupal is more secure today :)
Not just Drupal, unfortunately.
Yeah, it would be nice, but the trouble is that no one seems to care too much about security. Nearly all email is sent clear text, most webmasters use FTP which is clear text, I don't know of a secure login for Wordpress, most vBulletin boards are not encrypted, etc. etc. It's not just Drupal.
I really wish this wasn't the case, but on the bright side, it doesn't seem too common to get highjacked by a sniffer.
When I think of how high
When I think of how high tech the world has become, making sophisticated missile systems that can destroy cities while watching you make a sandwich, one would think someone could come up with a way to make the web more secure from alien invaders. We have the technology, we can rebuild it, make it stronger, faster, doh!! Makes me wonder why these kinds of things don't get the attention they deserve.
So I know this is a super-old
So I know this is a super-old post, and this is shameless self-promotion, but here goes:
If anyone on the Internet finds this and is still looking for a solution to make Drupal not transmit passwords in clear text, you may want to check out my module Safer Login: http://drupal.org/project/safer_login. Passwords are double-hashed with javascript before being sent. If the user doesn't have javascript, then it defaults to the normal method (passwords sent in the clear).
Thanks!
Richard
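The replay problem raised in the "there are some possibilities" post, and the client-side hashing described in the Safer Login post above, modelled in one added example (this is not code from the thread and not the Safer Login module's scheme; the "double SHA-256" digest, the constructed credential store and the nonce scheme are assumptions made for illustration). It runs the two designs side by side: a static client-side hash, which a sniffer can replay verbatim, and the challenge-response variant from the linked drupal.org issue, where a recorded answer is only good for the nonce it was computed against. Requires PHP 7 or later for random_bytes().

```php
<?php
// Added example: why a client-side password hash is replayable, and what a
// per-attempt nonce changes. Not the Safer Login module's code.

// What the browser would send instead of the password (assumption: SHA-256
// applied twice, standing in for a generic "double hash").
function client_digest($password) {
  return hash('sha256', hash('sha256', $password));
}

// Constructed credential store. To verify a client-side digest the server must
// hold that same digest, so the stored value is a password equivalent.
function credential_store() {
  return array('murray' => client_digest('correct horse battery'));
}

// Scheme 1: static hash. The server compares the sent digest to the stored one.
function login_static(array $store, $user, $digest) {
  return isset($store[$user]) && hash_equals($store[$user], $digest);
}

// Scheme 2: challenge-response. The server issues a random nonce for one attempt
// and the client answers with H(nonce . digest). The server must remember which
// nonce it handed out for this session and discard it after one use; if it
// accepted any nonce the client named, the attacker would just replay both.
function issue_nonce() {
  return bin2hex(random_bytes(16));
}
function response_for($nonce, $digest) {
  return hash('sha256', $nonce . $digest);
}
function login_challenge(array $store, $user, $issued_nonce, $response) {
  return isset($store[$user])
    && hash_equals(response_for($issued_nonce, $store[$user]), $response);
}

function demo() {
  $store = credential_store();

  // Scheme 1: the sniffer records one legitimate login ...
  $captured = array('user' => 'murray', 'digest' => client_digest('correct horse battery'));
  // ... and resends it. The attacker never learns the password and does not need it.
  $static_replay_works = login_static($store, $captured['user'], $captured['digest']);

  // Scheme 2: legitimate login against nonce 1.
  $nonce1 = issue_nonce();
  $answer1 = response_for($nonce1, client_digest('correct horse battery'));
  $challenge_ok = login_challenge($store, 'murray', $nonce1, $answer1);

  // The sniffer holds (nonce1, answer1); the next attempt is bound to nonce 2.
  $nonce2 = issue_nonce();
  $challenge_replay_works = login_challenge($store, 'murray', $nonce2, $answer1);

  return array(
    'static_replay_works'    => $static_replay_works,    // true
    'challenge_ok'           => $challenge_ok,           // true
    'challenge_replay_works' => $challenge_replay_works, // false
  );
}

var_dump(demo());
```

The nonce removes the straight replay but not the rest: the server still stores a password equivalent, the sniffer who holds a (nonce, response) pair can test password guesses offline at full speed, and the JavaScript doing the hashing arrived over plain http, where anyone on the path can swap it for a version that posts the real password. That is the sense in which "you generally need to go all the way" above: https protects the script, the password and the session cookie together, which no amount of client-side scrambling does.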