I wanted to see if it would be possible to create a secure log-in form on a website where TLS/SSL is not available. Of course this is not meant to replace TLS/SSL; there are many reasons why TLS/SSL is far superior. But for simple sites I wanted to see if there was an option which is better than sending credentials in plain-text.
The system I came up with is similar to
HTTP digest authentication and
CRAM-MD5, but offers a few improvements. All it requires on the client-side is a simple JavaScript routine. It also relies on the Crypt-JS library.
So
click here for a live demo, and please try my challenge to crack it!
