A Demo of Transmitting Passwords Encrypted

This is a demo of a technique to transmit password encrypted. It's not a perfect solution yet, but it's getting there. It's based on an idea by Slaks at Stackoverflow, at this thread.

Paste this into a file, and execute it through your server.


$a = "foo"; // a salt used to store password in the db
$b = "bar"; // a salt generated for this session

$p = "magic"; // the password

$hashed = md5($p.$a); // this is what's in the db

$key = md5($hashed.$b);

// pretend that we are now at the client
// we've send a and b to the client, but not p (which we don't know)

$p2 = "magic"; // the user enters this password
// change p2 to see how this works

$hashed2 = md5($p2.$a);

$key2 = md5($hashed2.$b);

$data = base64_encode( "username:$p2" ^ $key2 );

// now back at the server

$check = $key ^ base64_decode($data);

echo $check;