On 19.02.2020 at 11:01, Adam Mizerski wrote:
On 19.02.2020 at 10:08, David C. Rankin wrote:
On 02/19/2020 01:28 AM, Roger Oberholtzer wrote:
I have a very unusual situation. I am trying to log in to a web site (https://www.zf-laser.com if you are curious) from either Firefox (72.0.2) or Chrome (79.0.3945.130) on Tumbleweed.
I enter the password, but it is not accepted. Both browsers change the password I have entered into a long string that starts with "rsa:". I am guessing this is what they send. And, when Firefox offers to keep the password, I see that it is this same altered string, not the one I entered.
I can log in to other sites (e.g. OBS). But not this one. I have no idea what is happening. Especially since both browsers do the same thing.
Any ideas? A Google search did not seem to me to show anything related to this. Just stuff generally about RSA and passwords in browsers.
What Firefox (and Chrome) are doing is just plain-old normal password hashing. You never store the plain password, instead a hash of the password is stored. When you enter a password to login, what you enter is hashed and then compared against the stored hash (prevents somebody making off with your passwords if they steal your passwords file, etc... -- normal cryptographic operation).
The real question is why does this one site not accept what you are typing in while other sites work fine? The initial first thought is that site is broken -- so no matter what browser you use -- it doesn't work. That would seem to me to be the simplest explanation...
Ackchyually... ;)
Browsers send passwords in plaintext and servers do the hashing. That's why sometimes you can read in the news that somewhere passwords were saved in plaintext in logs.
I haven't looked at this website, but it seems that it does some custom client-side hashing in JavaScript, before sending form data.
By the way, are you sure that https://www.zf-laser.com is the correct address? I see no login form anywhere there.
(about previous email: first I wrote second paragraph, then went on to look at the site, then wrote the third and forgot to edit the second)

So I found the login form (https://www.zf-laser.com/Download.165.0.html?&L=1) and as I predicted, it contains JavaScript that encrypts the password before sending. So this is what happens:
- you enter your password
- you click "Loging" or press enter
- JavaScript code kicks in, that modifies the password that you have entered
- browser sends encrypted password

If you want to save your password in the browser, you might first save the "rsa:..." thing and then edit it in the browser's password manager. If it's not accepted by the server it might be because it's just the wrong password.
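
The sequence in the message above, as an added example that is not part of the thread and not the site's own code: a submit handler that overwrites the password field makes the browser offer the "rsa:..." string for saving, while one that encrypts into a separate value does not. The key pair, OAEP padding, base64 encoding and the field names `user` and `pass` are assumptions; only the "rsa:" prefix comes from the thread.

```javascript
// Added example: the form is modelled as a plain object so this runs in Node.
const nodeCrypto = require('node:crypto');

// Constructed key pair standing in for the site's key (assumption).
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING; // assumed padding

// Encrypt the typed password and add the "rsa:" prefix seen in the thread.
function encryptPassword(plain) {
  const ct = nodeCrypto.publicEncrypt(
    { key: publicKey, padding: OAEP }, Buffer.from(plain, 'utf8'));
  return 'rsa:' + ct.toString('base64');
}

// Behaviour described in the thread: the submit handler overwrites the
// visible password field, so the browser offers the ciphertext for saving.
function submitOverwritingField(form) {
  form.pass = encryptPassword(form.pass);
  return { saved: form.pass, sent: { user: form.user, pass: form.pass } };
}

// Alternative: leave the visible field untouched and put the ciphertext
// only into the request, so the typed password is what gets saved.
function submitWithSeparateValue(form) {
  const sent = { user: form.user, pass: encryptPassword(form.pass) };
  return { saved: form.pass, sent };
}

// Server side: require the prefix, then decrypt with the private key.
function serverDecrypt(wire) {
  if (!wire.startsWith('rsa:')) throw new Error('unexpected encoding');
  const ct = Buffer.from(wire.slice(4), 'base64');
  return nodeCrypto
    .privateDecrypt({ key: privateKey, padding: OAEP }, ct)
    .toString('utf8');
}

const typed = 'constructed-sample-pw'; // constructed sample input
const a = submitOverwritingField({ user: 'alice', pass: typed });
const b = submitWithSeparateValue({ user: 'alice', pass: typed });
console.log('overwritten field saved as:', a.saved.slice(0, 16) + '...');
console.log('separate value saved as:  ', b.saved);
console.log('server recovers both:',
  serverDecrypt(a.sent.pass) === typed && serverDecrypt(b.sent.pass) === typed);
```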