The Safer Login module encrypts a user's password during login, so their clear-text password is never sent to the server, as is the default case with Drupal. This way, even if a 3rd party is eavesdropping on your site visitor's network traffic, they would only see the encrypted version of the password.

Please note that Safer Login is no substitute for an SSL certificate, which will encrypt all form submissions, as well as protect against other types of attacks. This module is intended for those who desire password security, but either cannot afford a certificate, or only need basic protection from hackers during login. If your site is going to contain sensitive user data (like customer data), you should probably purchase an SSL certificate.

How it works

Drupal stores passwords as MD5 hashes in its database. When a user logs in with this module, their password is first converted to an MD5 hash, then hashed again using a unique token as the salt (so the password is double-hashed). Once submitted, this module knows what the token was for the login attempt, and so can recreate the double-hash, to make sure they match. Because a unique token is used per login attempt, a replay attack is impossible. The same password, typed twice, will result in two different hashes.

Safer Login attaches this behavior to the /user login page, as well as the login block, so, in general, it is compatible with other login modules which also use these default forms. If it is found to not be compatible with another module, please open an issue on the Safer Login project page.

Requirements

This module requires JavaScript. If the user does not have JavaScript enabled, no functionality is lost, as Drupal will gracefully and silently fall back to using its default non-encrypted method of logging in.

In order to accomplish the JavaScript MD5 hashing, users must download the jQuery MD5 plugin, available here: http://plugins.jquery.com/files/jquery.md5.js.txt
or here: http://www.richardpeacock.com/dev/files/jquery.md5.js.txt

Installation of jQuery MD5 Plugin

Safer Login requires a 3rd party plugin, jQuery MD5, mentioned above. There are two ways to install it for use with Safer Login:

The Basic Method

  • Unpack this module's files into sites/all/modules/safer_login
  • Download the jQuery MD5 plugin, copy it to sites/all/modules/safer_login/jquery_md5/, and rename the file to just "jquery.md5.js"
  • Enable the module and visit example.com/admin/settings/safer-login for configuration options

Optional Libraries API Method (for more advanced users)

The Libraries API module (http://drupal.org/project/libraries) lets users install 3rd party plugins in a special /libraries/ directory under sites/all. This way, the plugin does not have to be re-downloaded each time a module that depends on it is upgraded. This method is not required to install Safer Login, but it does make upgrading easier in the future.

If using the Libraries API module:

  • Install the Safer Login and Libraries API modules in your site's modules directory.
  • Download the jQuery MD5 plugin. Rename it to jquery.md5.js. If you compress it, name it either jquery.md5.min.js or jquery.md5.packed.js depending on the compression method you employ.
  • Copy the jQuery MD5 plugin to sites/all/libraries/jquery_md5 (or sites/[sitename]/libraries/jquery_md5 if you have a multisite install).
  • Your final location should look like:
    sites/all/libraries/jquery_md5/jquery.md5.js

To help with installation, Safer Login will report onscreen and under admin/reports/status if the jQuery MD5 plugin cannot be found.

Testing to Make Sure The Module is Working

Safer Login works by replacing what your users type into the password field with a longer, encrypted string before the form actually submits.

If you would like to confirm that the module is working, go to all of your login forms (both at /user and the login block, if enabled). Type just "123" or "abc" for the password. Then, submit the form. You should see the password text expand to around 40 characters right before the page reloads. This is a sign that the module is correctly replacing the password field with an encrypted string before submitting.

If you have JavaScript disabled, then nothing should happen to the password text when you submit the form. It will submit normally, as if the module were not installed.

Drupal 7 Users?

This module cannot be directly ported to D7, so instead a new module was created which can encrypt any form submission, not just logins: http://drupal.org/project/encrypt_submissions

If you are a D7 user, please see that module.