safer_login_sc1.jpg

This module encrypts the user's password when they type it in during login, so a 3rd party up to no good can't see the user's plain text password (as is currently the case with Drupal logins).

Encryption is accomplished by replacing what the user enters for their password with a uniquely-salted MD5 hash of the MD5 hash of what they typed (so it is 2-layers deep). If the user does not have JavaScript enabled, then the default Drupal behavior (no hashing) still works.

Of course, this is no substitute for an SSL certificate on your server, as that would protect all form submissions, as well as prevent other types of attacks. This module is intended for those who desire password security, but either cannot afford a certificate, or only need basic protection from hackers during login.

Drupal 7 Users: This module cannot be ported to D7 as is, so I created a module for D7 which can accomplish the same goal: http://drupal.org/project/encrypt_submissions

For more detailed information on how Safer Login works, please see the Safer Login handbook page.

Requires the jQuery MD5 plugin, available here:
http://plugins.jquery.com/files/jquery.md5.js.txt
or here: http://www.richardpeacock.com/dev/files/jquery.md5.js.txt
See the directions below for instructions on how to install this plugin correctly.

Features

  • Keeps 3rd parties from intercepting plain-text password of users logging into your site.
  • Passwords are encrypted before submitting to your site via JavaScript. If the visitor has JavaScript disabled, then logins revert to normal functionality.
  • Encryption is done with a unique token as the salt, which changes with each login attempt. So a 3rd party cannot use a replay attack to gain access.
  • Has a "minimal protection" mode, where passwords are still double-hashed, but not with a unique salt. The result is that password managers like lastpass.com can work with it, though it is obviously less secure (but still more secure than default Drupal behavior).
  • If enabled, visitors may opt-out of using this module (by unchecking a checkbox), and just use the default Drupal method of logging in.

Basic Directions

  • Unpack this module's files into /modules/safer_login
  • Download the jquery MD5 plugin and copy it to /modules/safer_login/jquery_md5/ and rename the file to just "jquery.md5.js"
  • Enable the module and visit example.com/admin/settings/safer-login for configuration options

Libraries API

This module also supports the Libraries API module. For complete instructions on using Safer Login with Libraries API, please see the Safer Login Handbook page.

Test to Make Sure the Safer Login is Installed Correctly

If you would like to confirm that the module is working, go to all of your login forms (both at /user and the login block, if enabled). Type just "123" or "abc" for the password. Then, submit the form. You should see the password text expand to around 40 characters right before the page reloads. This is a sign that the module is correctly replacing the password field with an encrypted string before submitting.

Project Information

Downloads