Java authentication security!

[Owmen]

Hi, lately its seams that im posting here very offen!


This time is, on this code:

<script>
document.write(unescape("<SCRIPT LANGUAGE="JavaScript">
function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
if (username=="test" && password=="test") { window.open('http://www...., 'test', 'console=0,menubar=0,toolbar=0,location=0,directories=0,status=0,scrollbars=0,width=630,height=650'); done=1; }
if (done==0) { window.open('http://www....', 'test', 'console=0,menubar=0,toolbar=0,location=0,directories=0,status=0,scrollbars=0,width=630,height=650'); }
}
</SCRIPT>


<center>
<form name=login>
<table width=225 border=0 cellpadding=0>
<tr><td>Username:</td><td><input type=text name=username></td></tr>
<tr><td>Password:</td><td><input type=text name=password></td></tr>
<tr><td colspan=3 align=center><input type=button value="Teste" onClick="Login()"></td></tr>
</table>
</form>
</center>


In the Login Password, i whant the pass to appear like ******* when the user types its password, instead of the "password" it self.

I dont whant a new code, just...modify this one to do that, but maitaining the same functions of it at the same time.

Can that be done?


Thanx

[Owmen]

Hi, lately its seams that im posting here very offen!


This time is, on this code:

<script>
document.write(unescape("<SCRIPT LANGUAGE="JavaScript">
function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
if (username=="test" && password=="test") { window.open('http://www...., 'test', 'console=0,menubar=0,toolbar=0,location=0,directories=0,status=0,scrollbars=0,width=630,height=650'); done=1; }
if (done==0) { window.open('http://www....', 'test', 'console=0,menubar=0,toolbar=0,location=0,directories=0,status=0,scrollbars=0,width=630,height=650'); }
}
</SCRIPT>


<center>
<form name=login>
<table width=225 border=0 cellpadding=0>
<tr><td>Username:</td><td><input type=text name=username></td></tr>
<tr><td>Password:</td><td><input type=text name=password></td></tr>
<tr><td colspan=3 align=center><input type=button value="Teste" onClick="Login()"></td></tr>
</table>
</form>
</center>


In the Login Password, i whant the pass to appear like ******* when the user types its password, instead of the "password" it self.

I dont whant a new code, just...modify this one to do that, but maitaining the same functions of it at the same time.

Can that be done?


Thanx

[SwordFish_13]

hi


here.

that was simple .

input type=password

Code:

<script>
document.write(unescape("<SCRIPT LANGUAGE="JavaScript">
function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
if (username=="test" && password=="test") { window.open('http://www...., 'test', 'console=0,menubar=0,toolbar=0,location=0,director
ies=0,status=0,scrollbars=0,width=630,height=650')
; done=1; }
if (done==0) { window.open('http://www....', 'test', 'console=0,menubar=0,toolbar=0,location=0,director
ies=0,status=0,scrollbars=0,width=630,height=650')
; }
}
</SCRIPT>


<center>
<form name=login>
<table width=225 border=0 cellpadding=0>
<tr><td>Username:</td><td><input type=text name=username></td></tr>
<tr><td>Password:</td><td><input type=password name=password></td></tr>
<tr><td colspan=3 align=center><input type=button value="Teste" onClick="Login()"></td></tr>
</table>
</form>
</center>

[SwordFish_13]

hi


here.

that was simple .

input type=password

Code:

<script>
document.write(unescape("<SCRIPT LANGUAGE="JavaScript">
function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
if (username=="test" && password=="test") { window.open('http://www...., 'test', 'console=0,menubar=0,toolbar=0,location=0,director
ies=0,status=0,scrollbars=0,width=630,height=650')
; done=1; }
if (done==0) { window.open('http://www....', 'test', 'console=0,menubar=0,toolbar=0,location=0,director
ies=0,status=0,scrollbars=0,width=630,height=650')
; }
}
</SCRIPT>


<center>
<form name=login>
<table width=225 border=0 cellpadding=0>
<tr><td>Username:</td><td><input type=text name=username></td></tr>
<tr><td>Password:</td><td><input type=password name=password></td></tr>
<tr><td colspan=3 align=center><input type=button value="Teste" onClick="Login()"></td></tr>
</table>
</form>
</center>

[Owmen]

Thanx alot []´s

[Owmen]

Thanx alot []´s

[embro1001]

Not to nitpick, but that is Javascript...not Java...

[Soda_Popinsky]

fyi...

Anyone can view your source and your password and the page it leads to with javascript. Highly insecure, security by obscurity if you ask me. But it does repel the dummys.

[The Duck]

Soda_Popinsky is absolutly right. If I were at your website, and provided I know a little javascript, all I would have to do is view the source and...what do ya know.... Now I know what the valid username and password is!

Username: test
Password: test

I suppose you could take care of right clicking and sometimes putting the website in frames will take care of the "view" +"view source" in IE, but there are ways around that.

[Tim_axe]

Well, the most effective way is to do absolutely no checks at all, and derive a URL from the input, and add .HTML to the end. And load that. If the wrong password is put in, they get a 404. There is no way for them to know the correct page if it is random. Who would visit "ttseestt.html" or something? That is just taking the username "Test", reversing it, and adding the password "test" into it character by character, 1:1.

Example:
Username: Bob
Password: Doe
URL: ddoobe.html

Anyways, that would be my solution to this problem. Of course the moment anyone knows the secret page, they could book mark it, or add it to their web page's links, and Google would index it and Cache it, and the protection would have been useless if I could google it...

Well, hope it works out. There are many ways to make it a pain, even with client-side code. And as it currently is, I would have no problem breaking it, although a properly implemented one-way encryption algorithm could make it a pain in the butt.

-Tim_axe