Securing password authentication without SSL

I know it's a bad idea but I need to do this. I'm about 8 weeks away from getting a new server where I can have a working SSL'd application. So for the next 8 weeks I need to make it hard for someone to eavesdrop my app.

One idea I had was, as the user entered their email address and password and clicks login, I write to the database a very unique and random password (maybe timestamp + ipaddress) to a column 'latestAttempt', next to their login details. When the request reaches the login script page, it checks to see if that IP address has tried to make a login in the last 1 minute. This should at least prove that the login details came from the login page.

I know I can't stop it but I would like to make it difficult. Are there any other methods out there that could temporarily put off eavesdroppers, while I wait for my new server with SSL?

UPDATE

I understand why this proposal wouldn't work, I'm not sure why it even came to my head to be honest, it's a load of rubbish!

Answers


Your proposed solution won't help. The purpose of SSL is to prevent eavesdropping on the password as it is sent over the wire from the browser to your server, and no amount of timestamps/checking repeat logins will help stop that.

In the absense of SSL, there's not much you can do that is really secure, in the truest sense of the word. What might help in at least a small way is to use javascript to scramble the password before posting it to your server. Even better if you can find a javascript library that implements a real encryption algorithm, preferrably using public/private keys since the the encryption method will be public.


Need Your Help

Animating Height of Parent Hides Select Options

jquery select animation height parent

When I focus on a select box I want the hidden tooltip to appear. When I click on the select box the animation starts but the option list is hidden. How I get round this?

GSN virtual sensor wrapper for a REST service

rest sensor middleware distributed-system iot

I'm trying to write a GSN wrapper for a REST service, which returns the following output when called from a browser:

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.