SitePoint Sponsor

User Tag List

Results 1 to 13 of 13
  1. #1
    E-business guru Eirik's Avatar
    Join Date
    Nov 2000
    Location
    Oslo, Norway
    Posts
    413
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Storing and handling passwords safely

    Hi,

    Up until now I've been storing username and password pairs in plain text in a table called "user" for instance. However, I'm guessing that there is a safer way to do this. When dealing with username and password pairs - should the password be encrypted in some way? And is there some safe way to check a valid user and then keep the validation answer to avoid checking the user each and every time a task is performed (again, I'm guessing there is).

    Thanks for any insight !
    Sincerely,

    Eirik Johansen
    Netmaking AS

  2. #2
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Use md5() to encrypt the passwords. When you compare your stored password against one entered by a user md5() it first then compare the two

    http://www.php.net/manual/en/function.md5.php

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  3. #3
    SitePoint Wizard Defender1's Avatar
    Join Date
    Apr 2001
    Location
    My Computer
    Posts
    2,808
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Heh, this is used in one of the older versions of phpBB:
    PHP Code:
       // Don't ask...
       
    $key md5(md5(md5($newpw_enc))); 
    Defender's Designs
    I'm Getting Married!

    Not-so-patiently awaiting Harry Potter Book 7 *sigh*

  4. #4
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Now that's security!

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  5. #5
    SitePoint Wizard Defender1's Avatar
    Join Date
    Apr 2001
    Location
    My Computer
    Posts
    2,808
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I laughed when i saw that code and the comment in the code.
    Defender's Designs
    I'm Getting Married!

    Not-so-patiently awaiting Harry Potter Book 7 *sigh*

  6. #6
    Database Jedi MattR's Avatar
    Join Date
    Jan 2001
    Location
    buried in the database shell (Washington, DC)
    Posts
    1,107
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    There's no need to triply-hash the password. Provides no real extra security.

    What you *should* do is something like this:
    PHP Code:
    <?PHP
      $password 
    'bobrossistheman';
      
    $secret   MD5'bsdlkfjlksdjflksadjflsjf' );

      
    $real_password MD5MD5$password ) . $secret );

      
    INSERT INTO user VALUES( ...., $real_password, ... );
    ?>
    That way even if a user figures out what item hashes to the value they won't be able to log in.

    Of course, someone brute-forcing a MD5 hash would take a very, very long time and it is very doubtful that your application will be around in a thousand years.

    The only thing multiple MD5 or $secret (called 'salting' a hash) does is make sure that if someone knows a certain combination adds up to a hash they still can't log in if they find the hash (for instance I know what my password looks like hashed. If I saw it on someone else's computer I'd know what went in there).

  7. #7
    SitePoint Wizard Defender1's Avatar
    Join Date
    Apr 2001
    Location
    My Computer
    Posts
    2,808
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    it's actually used as an id in a link to validate a new password that's created if you forget your own.
    Defender's Designs
    I'm Getting Married!

    Not-so-patiently awaiting Harry Potter Book 7 *sigh*

  8. #8
    E-business guru Eirik's Avatar
    Join Date
    Nov 2000
    Location
    Oslo, Norway
    Posts
    413
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the info, guys. However, with new knowledge comes new questions.

    I'm assuming that there's no way to reverse the md5() process(...?) Because if there were, anyone could just un-md5() the password, and the password-encryption would be no encryption at all.

    However, is the algoritm of this function so secret that noone knows how it works? Or is really the following code acceptable for encrypting passwords? And if not, what is (without going overboard with encryption) ?

    PHP Code:
    $PasswordToStoreIntoDatabase md5($inputpassword); 
    Sincerely,

    Eirik Johansen
    Netmaking AS

  9. #9
    SitePoint Enthusiast spoorw8er's Avatar
    Join Date
    Oct 2001
    Posts
    56
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    There is no practical way to reverse an md5 hash.
    People can try a brute-force attack, just trying combination after combination, but that would take a mighty long time

    So the line of code you proposed is pretty ok.
    For some extra security you might do something like
    PHP Code:
    $my_secret "some string you think up yourself and don't tell anyone";

    $password_to_store md5($password_input $my_secret);

    or 
    even

    $password_to_store 
    md5($password_input md5($my_secret)); 

  10. #10
    E-business guru Eirik's Avatar
    Join Date
    Nov 2000
    Location
    Oslo, Norway
    Posts
    413
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks! Off to implement...
    Sincerely,

    Eirik Johansen
    Netmaking AS

  11. #11
    E-business guru Eirik's Avatar
    Join Date
    Nov 2000
    Location
    Oslo, Norway
    Posts
    413
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Another thing struck me as I was in the middle of editing my scripts. What about those poor saps who loost their passwords. I have implemented a feature in one of my scripts that sends them their password by Email if their request it. Now, however, there's no way to give them their original password, now is there?

    I can't be the only person who wants both security and comfort for my users, so how can this be handled?

    Thanks in advance !
    Sincerely,

    Eirik Johansen
    Netmaking AS

  12. #12
    Database Jedi MattR's Avatar
    Join Date
    Jan 2001
    Location
    buried in the database shell (Washington, DC)
    Posts
    1,107
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by Eirik
    [B]Now, however, there's no way to give them their original password, now is there?
    B]
    Correct, there is no way. You must modify your script so that it will generate a new password and e-mail that to the user.

    Something in the range of 6 to 10 characters with a combo of upper and lower case letters and numbers.

  13. #13
    E-business guru Eirik's Avatar
    Join Date
    Nov 2000
    Location
    Oslo, Norway
    Posts
    413
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for clearing that up. Scripts are now modified, and everything seems to have gone OK.
    Sincerely,

    Eirik Johansen
    Netmaking AS


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •