Securing Passwords with JavaScript and MD5

Recently, I posted about Session Hijacking, which is a tactic for taking over someone’s session on a website without their knowledge. Session Hijacking is one of the unfortunate consequences of not using HTTPS to protect your internet connection full-time. (If you want to know what that is, I wrote about it here too!) The unfortunate truth is that for a large part of our web browsing experience, our data is being transmitted in a format that anyone watching could read. Most times, this is OK… but sometimes it isn’t. For most websites you visit, you will find that your login happens over HTTPS, but the rest of your session does not. That is because a session is temporary and has no impact once it expires, so most people don’t worry about it; for the longest time you had to have some knowledge of network infrastructure and traffic sniffing in order to hijack a session. Firesheep made it as easy as installing a Firefox extension. Big problem, but it’s still only a session.