Private registration example (in authenticated environment)

Type in a username, the adminpass (simplebart) and a password, and see the encryption being performed.

The new user's password is first validated, then md5'ed, then split into four 8-char parts. The four parts are substituted into the JavaScript-generated 256-char hash bigstr_b (which is itself printed into the form by JavaScript, inside the hidden field that contains it). The hash is then 3DES-encrypted, using the first 24 chars of the key, which is constructed from the double md5 value of the adminpass, md5'ed again with the admin's seed for uniqueness. Finally, a hex string of the 3DES binary is printed into a hidden field and submitted together with the username for the new user.

All other values are cleared pre-submit! The only values to leave the client are the username for the new user, the 3DES hex and the admin's cookie data!

Some fields in this form are normally hidden, but are displayed as text here for illustration purposes. There are also some additional hidden fields in this example to help with the illustration. In the REAL form, the only values submitted are the username and the opaque hash!
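The steps described above, end to end, as an added Node.js example (not this page's own script) that also shows what a receiver holding the same adminpass and seed would get back out of the opaque hex string. The slot offsets, the way the seed is combined, the ECB mode, the receiving side and all function names are assumptions, since the page does not state them; the seed and the random stand-in for bigstr_b are constructed sample values.

```javascript
// Added example, not the page's own script. Sample values are constructed.
const crypto = require('node:crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// ASSUMPTION: offsets where the four 8-char parts overwrite bigstr_b.
const SLOT_OFFSETS = [16, 80, 144, 208];

// Double md5 of the adminpass, md5'ed again with the admin's seed.
// ASSUMPTION: "with the seed" is modelled as string concatenation.
function deriveKey(adminpass, seed) {
  const key = md5hex(md5hex(md5hex(adminpass)) + seed);
  return Buffer.from(key.slice(0, 24), 'ascii'); // first 24 chars = 24-byte key
}

// md5 the password, split it 4 x 8 and write the parts into the 256-char string.
function embedPassword(bigstr, password) {
  if (bigstr.length !== 256) throw new Error('bigstr_b must be 256 chars');
  const digest = md5hex(password);
  return SLOT_OFFSETS.reduce(
    (out, off, i) => out.slice(0, off) + digest.slice(i * 8, i * 8 + 8) + out.slice(off + 8),
    bigstr);
}

// ASSUMPTION: ECB mode, no padding (256 bytes is a multiple of the 8-byte block).
function tripleDes(key, data, decrypt) {
  const c = decrypt
    ? crypto.createDecipheriv('des-ede3', key, null)
    : crypto.createCipheriv('des-ede3', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(data), c.final()]);
}

// Client side: only the username and the opaque hex string are returned.
function buildSubmission(username, password, adminpass, seed, bigstr) {
  const plain = Buffer.from(embedPassword(bigstr, password), 'ascii');
  return { username, blob: tripleDes(deriveKey(adminpass, seed), plain, false).toString('hex') };
}

// Receiving side (assumed): rebuild the key, decrypt, read the four slots back.
function recoverDigest(blobHex, adminpass, seed) {
  const plain = tripleDes(deriveKey(adminpass, seed), Buffer.from(blobHex, 'hex'), true).toString('ascii');
  return SLOT_OFFSETS.map((off) => plain.slice(off, off + 8)).join('');
}

// Constructed demo input: random 256 hex chars stand in for bigstr_b.
const demo = buildSubmission('newuser', 'Passw0rd!x', 'simplebart', 'seed-1234',
  crypto.randomBytes(128).toString('hex'));
console.log(demo.username, demo.blob.length, recoverDigest(demo.blob, 'simplebart', 'seed-1234'));
```

What comes back out is the md5 of the new password, never the password itself, and only a party that can rebuild the key from the adminpass and seed can read it.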