A demo of the modified CHAP login/registration system described by Paul Johnston. This provides a way to authenticate users without transmitting passwords in plaintext, in the event that SSL/HTTPS is not available. It is not intended to replace HTTPS.
In this system, the password is never transmitted in plaintext, either during login or registration. Instead, the client sends a response computed from a random challenge string and the password; the server uses that response to determine whether the password was valid, without the password itself ever crossing the wire in plaintext. Each time a user logs in, the challenge strings are updated so that the required response for the next login is different, which makes a sniffed response useless for replay. Only someone who knows the plaintext password can compute the correct response to the challenge strings each time.
A similar method is used to submit the password during registration, and passwords are not stored as plaintext on the server side either. (Feel free to use a tool like Live HTTP Headers to see exactly what is submitted and confirm that no plaintext passwords are sent.)
This particular demo is also able to "step down" when JavaScript is not enabled or available on the client side. Because JavaScript is needed to compute the challenge-responses that the CHAP system depends on, CHAP is not available without it. In that situation, plaintext passwords will be transmitted to the server during authentication. This is obviously less secure, but it is a tradeoff between accessibility and security. (Note that most websites you log in to use plaintext password transmission, but may already be properly secured via SSL.) In your implementation, you can choose whether to allow these "insecure" logins.
This system is not without weaknesses; in particular, it leaks information about when a user has logged in and can thus confirm whether a user account exists. A full discussion of these weaknesses is beyond the scope of this demo (and my knowledge), so I recommend that you read Paul Johnston's tutorial on the CHAP login system, especially the information under the "Alternative System" heading.
Copyright © 2008 Peter Chng.
Distributed under the MIT License. See the included LICENSE.txt file for more details.
Parts of code, concepts and ideas copyright © Paul Johnston.