A user can use a client to access Internet data, which is hosted by a server, using a secure or an insecure network connection. For example, the user may wish to reserve an airline flight using the Internet and may access the web page of an airline to search for a flight and to purchase a ticket. The user may submit a user name and password via the web page to the server to log in for access to the airline's data. A web page that uses the hypertext transfer protocol (HTTP) passes data to the server as plain text. The connection between the client and the server may be an insecure HTTP connection, meaning that there is a possibility that the user name and password can be intercepted by an attacker as they are passed to the server. On the other hand, a data provider may implement a secure HTTP connection, which is an encrypted connection between a client and the server. Typically, an encrypted HTTP connection is based on a form of certificate system. Encrypted HTTP connections, such as HTTPS connections, are well known in the art and are used for systems such as online banking. Encrypted HTTP connections, however, are more expensive to implement and can add additional operating costs. In addition, secure HTTP connections are still subject to a ‘man in the middle’ attack if not implemented and administered properly.
As an alternative to the high costs of implementing a secure HTTP connection, some web pages include JavaScript on the client side to perform a one-way hash function on a password. When a client performs a one-way hash function on a password, the client generates a hash value (also known as a ‘hash’). A server can store a hash value for the password and can receive a hash value from a client. The server can authenticate the password if the hash values are the same. Although hashed passwords can be cryptographically strong, they are still susceptible to attacks. For example, short passwords or weak passwords can be subject to dictionary or brute force attacks. Moreover, even if the password cannot be reversed by an attacker, the attacker can easily eavesdrop on an insecure HTTP connection, intercept a hash value, and impersonate a user by reusing the hash value to log in to a server.