I need to hash a password in java script.i google it for days and find some articles but i could not understand the point.
can any one help me up on this please??
Javascript doesn't have a native function to hash strings.
http://pajhome.org.uk/crypt/md5/md5.html is a function someone has written to produce an md5.
Copy the code from here http://pajhome.org.uk/crypt/md5/md5.html into your javascript, then run hex_md5(s) where s is the text you want hashed.
You can use remakes of PHP's md5() and sha1() functions in javascript.
sha1 - http://phpjs.org/functions/sha1:512
md5 - http://phpjs.org/functions/md5:469
In my opinion, the safest way to do this is to send the password using ajax to a php or aspx-script and hashing it there. People will always, always be able to read your js-code, hence, they can crack the hashing algorithm, or simply mimic it.
Related
NO. THAT SUGGESTION DOES NOT ANSWER THIS AT ALL. SEE CORRECT ANSWER BELOW.
I am building an application whereby I want a user to enter a password into a browser, which is sent via my server to another device running Python. The password then needs to be validated by the device running Python.
The problem is, I dont want my server handling passwords in any way. So I figured I could hash the password in the browser before it is sent, have the server pass on the hash to the device, then check the hash is equivalent on the Python side.
Python has a built-in library for this purpose, but it seems javascript does not. I thought I could leverage a public javascript library, but when I compare the results from the javascript SHA256 algorithm here to what the SHA256 function in Python produces it is not the same string of characters.
Is there a cross code hash function (or any other solution) I can use?
An Update
In response to a "gee whiz, this question is the same as all these ones" let me clarify. This is not about a strategy for storing passwords or finding a 'trustworthy' library (like the post suggested). There is NOT any discussion about cross code compatibility of SHA2 on this site. I could not even find a discussion that pointed out that different SHA2 implementations SHOULD produce the same result. I did plenty of research. In fact it was the various discussions about different javascript "implementations" of SHA2 that confused me. I actually tested a scenario myself, which further confused me as the website picked up a carriage return and produced a different hash. (see below)
This is about having a function in TWO languages that produces the same output...on different devices. I think it is actually an unusual application of hashing, as generally the same code layer is used to hash, store and compare hashed values.
In the rush to down-vote the question and establish mental superiority it seems to me the question was not read properly and incorrect assumptions were made. Hopefully contributors to this site will in future take a more considered and helpful approach like the successful answer.
The link for the javascript library I provided produced the following hash for the text 'MyPassword'
5e618e009fe35ea092150ad1f2c24e3181b4cf6693dc7bbd9a09ea9c8144720d
If I use the sha256 function from Python I get the result below, which seems to indicate to me that not all SHA256 functions are equal and produce the same result.
All proper implementations of SHA256 (or any hash/encryption) produce the same result if supplied with the same data. Your problem is solved by properly processing the data that you supply to the javascript library. The "5e61..." hash is a result of additional newline appended to the end of the "MyPassword" string, look:
In [1]: import hashlib
In [2]: hashlib.sha256(b'MyPassword').hexdigest()
Out[2]: 'dc1e7c03e162397b355b6f1c895dfdf3790d98c10b920c55e91272b8eecada2a'
In [3]: hashlib.sha256(b'MyPassword\n').hexdigest()
Out[3]: '5e618e009fe35ea092150ad1f2c24e3181b4cf6693dc7bbd9a09ea9c8144720d'
For the future, popular implementations of hashes and cryptographic algorithms are thoroughly tested, and if the answer seems wrong - it's probably because your data is wrong.
I need a common hashing method both in php and javascript, something like MD5 or if not MD5 then something to use salt, but to generate same result from php and javascript.
What I wanted to do is, I have a series of questions that I will ask user and users has to answer them, but to make it fast and avoid delay to check the user answers from server, I also want to load the answers with questions and match them in javascript as users answer them. Now I need to bring the answers hashed from php server, and when I am matching them with users answers, I would hash the user answer and match it with the hashed answer from server.
Is it possible?
This is little more than obfuscation what you are doing. Presumably you want to prevent the users from cheating. Doing so and relying on client side code won't work securely.
When the client browser receives the answer hashes and the corresponding salts, the user can simply brute force the correct answers. The number of possible answers is so small that the user can try every possible answer with the received salt and find the matching answer by comparing the hashes.
Since this is nothing more than obfuscation, why make it complicated? Simply encode your correct answers with Base 64 or something like that. This will prevent most users from cheating. If you actually want to make sure that no user can cheat, you need to send the selected answers to the server.
If you actually want to go ahead with your plan, the fastest MD5 hasher for JavaScript right now is SparkMD5, not that you need the speed for your use case. CryptoJS also implements MD5 and PHP has the md5() function. All those implementations are compatible. You just have to make sure that you use the same encoding (Character encoding and Hex/Base64).
A construction with a salt may be md5(answer || salt) where || denotes concatenation. This is not really save, but it doesn't matter in your case anyway.
I'm working in a system where there is no document and no jQuery, but
I do have to present html entities in an understandable way. So the trick of putting the string in an element and then taking the .text() won't work.
I need a pure JavaScript solution. The system isn't reachable from the outside, there is no user-input so security is not really an issue.
Thanks for any help, I'm out of ideas (not that I had to many to begin with)...
Perhaps I should clarify, what I am looking for is a function (or pointers to get me pointing in the right direction) which is able to translate a string with substrings that should translate to characters. So it should be able to translate "blah < blahblah" into "blah < blahblah".
There are no additional frameworks I can use other than pure javascript.
UPDATE:
I've got the html4 part working, not extremely difficult, but I have been busy with other things. Here's the fiddle:html4 entities to characters.
You could have done the same with a dictionary with just the characters already in there, but I didn't feel like making such a dictionary. The function is fairly simple but I guess it could do with some refactoring, can't really be bothered at the moment...
This function exists in PHP (htmlspecialchars_decode). As such, you'll find a javascript port from PHPJS. This is based on a very established codebase, and should be better than rolling something on your own.
Edit / Add:
Flub on my part. I didn't read the entities part properly. You want the equiv of html_entity_decode:
http://phpjs.org/functions/html_entity_decode/
Assuming you are using nodejs, cheerio is exactly what you need. I have used it myself a couple of times with great success for off-browser testing of HTML structures returned from servers.
https://github.com/cheeriojs/cheerio
The most awesome part is that it uses jQuery API.
This question already has answers here:
How to compress/decompress a long query string in PHP?
(9 answers)
Closed 8 years ago.
I current have a URL like this
http://blahblah.com/process.php?q=[HUGEEEEEEEEEEEEEEEEEEEEEEEE STRING of 5000 chars]
My goal is to convert this something like
http://blahblah.com/process.php?q=[less charcters]
The first question:
How do I perform a function (encryption function for instance) on my GET variables before it is sent to the action page?
I've seen many questions asked with a similar topic.
The second question:
Assuming, I can do the above by some means (maybe by jQuery/JavaScript or something). How do I compress in the index.php page and decompress in the process.php page?
My attempt:
Searching for functions with fixed lengths:
I've looked at some encryptions that maintain the string size for ex. md5() gives a standard length that is short and tidy even for an extremely huge string. But unfortunately md5 cannot be decoded easily. Is there any other such function that I decode and which has a fixed length? If so, I could use that assuming I know a way to do Step 1.
EDIT: I write a request not to mark as a duplicate of that question and a question which hasn't been answered have specifically been asked again.. Please read #Jeremy 's comments, he was following this post.
I personally think it is best to use POST to send the data to the page. I am pretty much sure you can not use anything like MD5 to 'compress' the data because what MD5 does is hash the data, so it will look at your data run an algorithm to create this fixed length hash.
However, there is an extremely small possibility that two data sets will create the same hash, therefore it seems to me impossible to reliably decrypt MD5 or other similar hashes. Check out this page for more on hash collisions.
Your problem is that you are using the internet the wrong way. The URL is limited (and it depends on the browser), so don't event to try to use long URLs - even when you want to shorten it.
Please keep in mind, that we are using the WordWideWeb for a long time and if you come into a deadend you just have to rethink your problem. Maybe you are using your current technology the wrong way.
So, use POST instead to transfer your data (as others mentioned before).
If you want to "compress" your data you should use a zip like thing and then you must make that URL confirm like BASE64 afterwards. This is not suitable in any way and completly hideous. (And of course it can not guarantee the length of your URL).
MD5 is a hash not a compression thing. MD5 is not reversable. Once you hash something you can not go back again. This is not a magical way to compress tons of megabytes into a single short number. This is to have a short thing that can tell if the original data was modified (if you do that twice).
See http://en.wikipedia.org/wiki/Hash_function
See http://en.wikipedia.org/wiki/MD5
BTW: It is the same as How to compress/decompress a long query string in PHP?
Is there any way to do this? Or limit execution time of eval()(e.g. not more then 1 scecond)
You could try one of the minifiers, such as UglifyJS. They all include a parser which might be fairly easy to extract (UglifyJS contains a file called "parse-js.js", although I haven't looked at it in detail).