Public registration start

A regsess is generated and used to create the keys for the 3DES encryption/decryption.
Public registration is weaker than Private registration from a security perspective. The key MUST be sent over the net, as the user is unauthenticated
and we can't use his secret (password) on the server for encryption. We try to compensate for this by using time() as a factor in the keys.
We also use an extra step in the registration process: the token.
In addition, we always encrypt the username in the process.

This is the first screen in the public reg:





The username is taken, error-screen with encrypted username
All instances of the username in the reg-process are encrypted. Here the search for pepper returns a list of taken names containing the letters pepper, and an error-line with
a "username-taken"-message. Both are encrypted using a php-generated key.





Public registration step 2
Giving up pepper, trying wretched instead.
The username is free, and registration continues with the user providing a token (any word). The md5-value of this token will be encrypted using another php-generated key,
and written to a file/in the db on the server for use in the next screen for encrypting the password.





Public registration step 2 - view source
If you view the source, you can see the key and the hex-version of the 3DES-binary printed into the javascript. The hex is the username that is being registered.




Public registration step 3
The token is stored on the server, and the registration process goes on to the next screen, where the user must provide the token again and type in his password.
The token is then used for encrypting the password. THEN THE TOKEN/PASSWORDS ARE CLEARED!
The user's passwords are verified on this screen by javascript (equality), but we have no way of verifying the token.





Public registration step 3 - view source
The username is printed again (encrypted) to the javascript by php. The js decrypts the value as the page loads.




Public registration finished
The user is registered, and redirected to the login script ($login_script - set in config.php).




Los Concludos:
The Private registration is safer because it happens in an authenticated environment where we can use a password for encryption.
The Public registration tries to compensate for this by obfuscating all auth data, but the fact still remains: the keys with which the password is encrypted can be worked out.
To crack it, all hashes must be sniffed/collected, because time() is used to encrypt the data on the first two screens.
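
The conclusion above, modelled as an added example (not this library's own code): the time()-dependent keys travel in the page beside the ciphertext, so a complete capture is readable while the step 3 post on its own is not. The key derivation, the fixed IV, the field names and all values are assumptions constructed for the illustration.

```javascript
// Added illustration. Key derivation, IV and message layout are assumptions,
// not the library's code; every value below is constructed.
const crypto = require('node:crypto');

const md5hex = (s) => crypto.createHash('md5').update(s).digest('hex');
// Assumed stretch of a 16-byte MD5 digest to a 24-byte 3DES key (K1|K2|K1).
function key24(seed) {
  const d = crypto.createHash('md5').update(seed).digest();
  return Buffer.concat([d, d.subarray(0, 8)]);
}
const IV = Buffer.alloc(8); // fixed IV, only to keep the model short

function enc(key, text) {
  const c = crypto.createCipheriv('des-ede3-cbc', key, IV);
  return Buffer.concat([c.update(text, 'utf8'), c.final()]).toString('hex');
}
function dec(key, hex) {
  const d = crypto.createDecipheriv('des-ede3-cbc', key, IV);
  return Buffer.concat([d.update(Buffer.from(hex, 'hex')), d.final()]).toString('utf8');
}

// One registration as it crosses the wire. The step 2 keys use time() as a
// factor, but they are printed into the page next to the ciphertext.
function register(regsess, now, username, token, password) {
  const nameKey = key24(regsess + ':name:' + now);
  const tokenKey = key24(regsess + ':token:' + now);
  return {
    step2Page: { nameKey: nameKey.toString('hex'), nameHex: enc(nameKey, username),
                 tokenKey: tokenKey.toString('hex') },
    step2Post: { tokenHex: enc(tokenKey, md5hex(token)) },
    step3Post: { passHex: enc(key24(md5hex(token)), password) }, // keyed by the token
  };
}

// What is readable from captured traffic, using nothing but the capture itself.
function readableFrom(cap) {
  const out = {};
  if (cap.step2Page)
    out.username = dec(Buffer.from(cap.step2Page.nameKey, 'hex'), cap.step2Page.nameHex);
  if (cap.step2Page && cap.step2Post)
    out.tokenMd5 = dec(Buffer.from(cap.step2Page.tokenKey, 'hex'), cap.step2Post.tokenHex);
  if (cap.step3Post && out.tokenMd5)
    out.password = dec(key24(out.tokenMd5), cap.step3Post.passHex);
  return out;
}

const full = register('a1b2c3', 1100000000, 'wretched', 'anyword', 'S3cret!pw');
console.log(readableFrom(full));                           // all three fields
console.log(readableFrom({ step3Post: full.step3Post }));  // {} : step 3 alone
```

The time() factor only makes each key single-use; it does not keep the key from anyone who can read the page that carries it.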