This project is not covered by Drupal’s security advisory policy.
This module encrypts the user's password in the browser when they type it in during login, so that a third party up to no good can't see the user's plain-text password on the wire (as is currently the case with Drupal logins).
Of course, this is no substitute for an SSL certificate on your server, as that would protect all form submissions, as well as prevent other types of attacks. This module is intended for those who desire password security, but either cannot afford a certificate, or only need basic protection from hackers during login.
Drupal 7 Users: This module cannot be ported to D7 as is, so I created a module for D7 which can accomplish the same goal: http://drupal.org/project/encrypt_submissions
For more detailed information on how Safer Login works, please see the Safer Login handbook page.
Requires the jQuery MD5 plugin, available here:
or here: http://www.richardpeacock.com/dev/files/jquery.md5.js.txt
See the directions below for instructions on how to install this plugin correctly.
- Keeps 3rd parties from intercepting plain-text password of users logging into your site.
- Encryption is done with a unique token as the salt, which changes with each login attempt. So a 3rd party cannot use a replay attack to gain access.
- Has a "minimal protection" mode, where passwords are still double-hashed, but not with a unique salt. The result is that password managers like lastpass.com can work with it, though it is obviously less secure (but still more secure than default Drupal behavior).
- If enabled, visitors may opt-out of using this module (by unchecking a checkbox), and just use the default Drupal method of logging in.
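The per-attempt token and "minimal protection" behaviours listed above, sketched as an added example that is not the module's own code. It assumes the browser submits md5(md5(password) + token) and the server recomputes that value from a stored md5(password); the construction and all names here are assumptions, not taken from Safer Login.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(password: str, token: str) -> str:
    # Assumed construction: what the browser submits instead of the password.
    return md5_hex(md5_hex(password) + token)


class LoginServer:
    def __init__(self, stored_md5: str, unique_tokens: bool = True):
        self.stored_md5 = stored_md5        # assumed: server keeps md5(password)
        self.unique_tokens = unique_tokens  # False models "minimal protection"
        self.pending = set()                # tokens issued but not yet used

    def issue_token(self) -> str:
        if not self.unique_tokens:
            return ""                       # no per-attempt salt in minimal mode
        token = secrets.token_hex(16)
        self.pending.add(token)
        return token

    def verify(self, token: str, response: str) -> bool:
        if self.unique_tokens:
            if token not in self.pending:
                return False                # unknown or already-used token
            self.pending.discard(token)     # each token is valid for one attempt
        expected = md5_hex(self.stored_md5 + token)
        return hmac.compare_digest(expected, response)


def replay_outcomes(password: str = "correct horse"):  # constructed sample password
    results = {}
    for mode, unique in (("unique_token", True), ("minimal", False)):
        server = LoginServer(md5_hex(password), unique_tokens=unique)
        token = server.issue_token()
        captured = (token, client_response(password, token))  # what an observer sees
        first = server.verify(*captured)    # the legitimate login
        replay = server.verify(*captured)   # the same bytes submitted again
        results[mode] = (first, replay)
    return results


if __name__ == "__main__":
    print(replay_outcomes())
```

In minimal mode the submitted value never changes between logins, which is why a captured copy is still accepted and why the page calls that mode less secure.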
- Unpack this module's files into /modules/safer_login
- Download the jQuery MD5 plugin, copy it to /modules/safer_login/jquery_md5/, and rename the file to just "jquery.md5.js"
- Enable the module and visit example.com/admin/settings/safer-login for configuration options
Test to Make Sure the Safer Login is Installed Correctly
If you would like to confirm that the module is working, go to all of your login forms (both at /user and the login block, if enabled). Type just "123" or "abc" for the password. Then, submit the form. You should see the password text expand to around 40 characters right before the page reloads. This is a sign that the module is correctly replacing the password field with an encrypted string before submitting.
- Maintenance status: Seeking new maintainer
- Development status: No further development
- Reported installs: 104 sites currently report using this module.
- Downloads: 3,273
- Last modified: December 2, 2014
- This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.