I added the jscript file and will soon make the suggested changes.
I will also set up a test environment to test my zipped components before publishing.
Please read (again) http://www.xisc.com/forum/viewtopic.php?t=63&postdays=0&postorder=asc&start=0. I talked about possible attacks there.
I will try to explain again, this time from a different perspective, why I think we need a salt.
When the user posts his userid and login, they are captured on the client side. The password is hashed, nothing else: SHA-1(P)
An attacker intercepts all traffic from and to the user and thus knows the userid (plain) and hashed password.
1. The attacker can use the userid and hashed password to login to the site.
2. The attacker can use the same hashed password at a later time at the same site.
3. The attacker can use the hashed password at a different site that also uses SHA-1 hashed passwords with no salt.
We hash the password with a random salt: SHA-1(P + S)
An attacker intercepts all traffic from and to the user and thus knows the userid (plain) and hashed (password + salt).
1. The attacker can use the userid and hashed (password+salt) to login to the site if he also captures the session.
The attacker CAN NOT use the same hashed password+salt at a later time at the same site.
The attacker CAN NOT use the hashed password+salt at a different site that also uses SHA-1 hashed passwords with no salt.
Did you spot the differences?
What does the salt do?
1. it binds the hash to the session (you need to intercept the session)
2. it binds the response to the request (you need to get both)
3. it makes the hash useless at a later time (new session so new salt)
4. it makes the hash useless on other sites (never the same salt)
You can however still:
1. try to guess the password
2. intercept the session
To prevent password guessing:
1. use large passwords
A salt or any other thing which is sent in plain text to the user will prevent an attacker from sniffing, let's say, salt and userid and thus brute forcing SHA-1 with userid + unknown + salt or any other combination.
I'm also not aware of SHA-1 being susceptible to least or most significant constructions.
OK, I hope this helps clarify the subject.