pajamas began as an attempt to create a more secure login using client-side hashing, which is one-way encryption, and as a demonstration, mainly for other web-coders, to two enormous security holes in all-too-common existence..
The second hole is more obvious, and that is the plain text password travelling freely across the wires. This one has received more worldwide attention, but it's still ignored in most php web applications. There are literally hundreds of articles out there describing how to store a user's password using all manner of weird and wonderful algorithms, to protect it from "unauthorised database access", or "unauthorised server access", and yet still expecting the password to arrive in plain text. GUYS!
If your database isn't secure you are in trouble. Same for your filesystem. These are places over which you have control. The place where you certainly don't have control, ever, is the internet. And the moment that packet of data leaves the user's presumably safe environment it's fair game. Its contents could be stored on any one of the many nodes between server and client, dubious proxy "servers" could scan it, on poorly configured servers (most) passwords will show up on other server's referrer logs, etc. There it is, your plain-text password, travelling around the internet in a bundle of other useful plain text information, like the URL of the so-called secure login page, probably your username. No! This is insane!
pajamas takes an entirely different approach. The password is securely hashed before being sent over the wires. Now, not only is interception no longer a problem (it's impossible to retrieve the password from the hash in the given time-frame, even a very much longer time-frame), but public browsers can't save or cache it, either*, being a one-shot mish-mash of your password and some random generated string. Each time you login, it's completely different.
With pajamas, the only places the password ever exists in the clear are in your presumably secure server environment, and the presumably secure user's brain. This password is only protecting access to this server's content; ergo, breaching the web server breaches the user's "protected" data, anyway. To my reckoning, it would be considerably more difficult to compromise a modern web server and get root, than it is to search some log for the phrase "password".
Which strategy is best? You decide.
You can enjoy my wee "protected" image gallery, and try-out pajamas at the same time, here.
If you'd like to ask questions, give feedback, enlighten me, etc, you can do that at the bottom.
There is also a sha1 pajamas plug-in called "shaggie", which is currently available only inside my other packages (e.g. the distro machine), feel free to download and play around with it; get back to me if you find any issues, thanks.
Here's the current pajamas code..
(of course, most of the good stuff is inside the modules!)
At least, this is the expected behaviour - currently, as far as I know, Opera saves the *typed* password, rather than the *sent* password, effectively defeating all forms of client-side password hashing strategy, dudes! - I've figured out a way around this, by the way, which will hopefully hit the code stage for my upcoming "shaggie" pajamas module. Take it easy!