I'm thinking of increasing security when transferring the login and password from the sign-in page. I've found a JavaScript md5 function on the Internet, so the first way to send the password is to send an md5 hash instead of the password using the POST method. As I understand it, there are still many problems with that, and the method should be improved. Passwords are not stored in the database; only the md5 hash is stored (some other functions are also used to complicate it a bit). But my question is: does it all make sense, or is it better to prefer SSL encryption from the hosting provider? It costs about $100 per year (let's suppose that's a good price for the purposes of my question) instead of reinventing the wheel. The minus of SSL (if I'm not wrong) is: if the login part is on the main page, the main page will load slower (although the Yahoo! login page with https loads pretty fast), and any user will see https in the browser address bar (that's not bad, but is it good?)

How about this idea (no SSL):

1) When the user logs in, md5(password) is sent instead of his real password.
2) The server receives md5(password), turns it into md5(md5(password)+'kjhgkjhg') and compares it with a hash that is stored in the db. The db stores md5(md5(password)+'kjhgkjhg') hashes for all users.

As a result, if md5(password) is sniffed, it will not help to get md5(md5(password)+'kjhgkjhg') because 'kjhgkjhg' is not known. Is it a good enough way to make the login page secure?
Thank you.
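
The scheme from the question, modeled as an added example (not code from the original post) to show what the server can and cannot distinguish when the POST travels without SSL. The function names, the sample accounts and the sample password are assumptions made for illustration; the `'kjhgkjhg'` suffix is the one given in the post.

```python
import hashlib
import hmac

SUFFIX = "kjhgkjhg"  # fixed server-side string from the post


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_wire_value(password: str) -> str:
    """What the browser would POST under the proposed scheme: md5(password)."""
    return md5_hex(password)


def stored_hash(password: str) -> str:
    """What the database keeps: md5(md5(password) + 'kjhgkjhg')."""
    return md5_hex(md5_hex(password) + SUFFIX)


def server_accepts(wire_value: str, db_hash: str) -> bool:
    """Server-side check. Its only input is the POSTed value, never the password."""
    candidate = md5_hex(wire_value + SUFFIX)
    return hmac.compare_digest(candidate, db_hash)


def demo() -> dict:
    # Constructed sample data: two hypothetical users who chose the same password.
    db = {"alice": stored_hash("correct horse"), "bob": stored_hash("correct horse")}

    monday = client_wire_value("correct horse")   # value on the wire, login 1
    tuesday = client_wire_value("correct horse")  # value on the wire, login 2
    recorded = str(monday)  # a copy of the POSTed string; no password involved

    return {
        "legit_login_ok": server_accepts(monday, db["alice"]),
        # No nonce or challenge: every login sends the identical string.
        "wire_value_is_static": monday == tuesday,
        # The server cannot tell a recorded value from a fresh one, so
        # md5(password) acts as the password for this site.
        "recorded_value_accepted": server_accepts(recorded, db["alice"]),
        # One fixed suffix for everyone: equal passwords give equal db rows.
        "same_password_same_db_hash": db["alice"] == db["bob"],
        "wrong_password_rejected": not server_accepts(
            client_wire_value("guess"), db["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The secret suffix protects the database contents, not the value in transit: the check passes for whoever presents md5(password), which is why the comparison with SSL in the question matters.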