  1. #1 SitePoint Member (joined Jul 2009)

    Secure Password Storage in Cookies

    Hello everyone. I've built a password protection method described below. I'm primarily looking for methods to break it, but any input of any kind would be appreciated.

    $Key is an array of 33 entries stored in a Users table; each user has a unique key. Each value represents the length of a scrambled insertion placed in between each character of an MD5 password. Each placement is a minimum of 1 and a maximum of 15 characters. Every letter of the alphabet and 0-9 must be present in the total scrambled password to prevent intruders from excluding possible characters by comparing multiple cookies.

    The $Key is changed upon each manual login; manual logins are time stamped and mandatory every two weeks. Mandatory login is required if system detects possible compromise, even if correct cookie is presented later (e.g. cookie detected; UID and key found, but incorrect password).

    The following represents the data stored in a cookie. S represents scrambled; C represents a password character. Additionally, the final value is encrypted.
    Encrypt($KeyID . . . $UID . . . $S1 . $C1 . $S2 . $C2 . $S3 . $C3 . $S4 . $C4 . $S5 . $C5 . $S6 . $C6 . $S7 . $C7 . $S8 . $C8 . $S9 . $C9 . $S10 . $C10...till $S33) and built/extracted with a loop of course.

    The only possibility I could see is, after breaking the encryption, evaluating segments of 10 characters through hundreds of unique cookies and looking for consistencies. Since this would require an extreme amount of computing, I consider it not threatening. Maybe I should though?
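The scheme from the post above, implemented as an added example (not the poster's own code) so it can be tested the way the post asks. The names make_key, pack, unpack, recover_without_key and demo are my own, and the filler is assumed to be freshly random on every cookie issued under a given key (the post's own attack sketch, comparing many cookies, implies this). Two things fall out: anyone holding the per-user key (the Users table) strips the filler by index arithmetic alone, so the body is the MD5 of the password under a keyed transposition and nothing more; and without the key, a handful of decrypted bodies for the same user identify the hash characters as the positions that never change, with no real computation at all.

```python
import hashlib
import random
import string

ALNUM = string.ascii_lowercase + string.digits  # the 36 characters the post requires in every filler
HASH_LEN = 32                                    # MD5 hex digest
SLOTS = HASH_LEN + 1                             # 33 filler runs: S1 C1 S2 C2 ... C32 S33


def make_key(rng):
    """Per-user key: 33 filler lengths between 1 and 15, as the post describes.
    The 'every alphanumeric must appear' rule needs at least 36 filler
    characters in total, so keys that cannot satisfy it are rejected."""
    while True:
        key = [rng.randint(1, 15) for _ in range(SLOTS)]
        if sum(key) >= len(ALNUM):
            return key


def make_filler(total, rng):
    """Random filler of length `total` containing every alphanumeric at least once."""
    pool = list(ALNUM) + [rng.choice(ALNUM) for _ in range(total - len(ALNUM))]
    rng.shuffle(pool)
    return "".join(pool)


def pack(md5_hex, key, rng):
    """Build the cookie body that sits under the outer Encrypt(): S1 C1 S2 C2 ... C32 S33."""
    assert len(md5_hex) == HASH_LEN and len(key) == SLOTS
    filler = make_filler(sum(key), rng)
    out, pos = [], 0
    for i, run in enumerate(key):
        out.append(filler[pos:pos + run])
        pos += run
        if i < HASH_LEN:
            out.append(md5_hex[i])
    return "".join(out)


def unpack(body, key):
    """What the server, or anyone who has read the Users table, does: skip each
    filler run and take one hash character. No secret beyond the key is involved."""
    chars, pos = [], 0
    for i, run in enumerate(key):
        pos += run
        if i < HASH_LEN:
            chars.append(body[pos])
            pos += 1
    return "".join(chars)


def recover_without_key(bodies):
    """Key-less recovery from several decrypted bodies issued under the same key.
    The hash characters sit at positions fixed by the key; the filler is fresh
    each time, so a position that agrees across all samples is hash with
    overwhelming probability (a filler position survives n samples with
    probability 36 ** -(n - 1), about 1.6e-4 per position for n = 5)."""
    first = bodies[0]
    stable = [i for i in range(len(first)) if all(b[i] == first[i] for b in bodies[1:])]
    return "".join(first[i] for i in stable)


def demo(password=b"correct horse battery staple", n_samples=5, seed=7):
    """Round-trip the scheme and run both recoveries; returns the pieces for checking.
    The password and seed are constructed sample input."""
    rng = random.Random(seed)
    key = make_key(rng)
    digest = hashlib.md5(password).hexdigest()
    bodies = [pack(digest, key, rng) for _ in range(n_samples)]
    return {
        "digest": digest,
        "filler_len": sum(key),
        "body_len": len(bodies[0]),
        "all_alnum_present": set(ALNUM) <= set(bodies[0]),
        "keyed": unpack(bodies[0], key),
        "unkeyed": recover_without_key(bodies),
    }


if __name__ == "__main__":
    r = demo()
    print("hash recovered with key:   ", r["keyed"] == r["digest"])
    print("hash recovered without key:", r["unkeyed"] == r["digest"])
```

The point of the second recovery is not that it is clever but that it is cheap: five cookies and one loop, against a design whose security therefore rests entirely on the outer Encrypt() and on the Users table never being read. Even with both intact, what the cookie carries is the password hash itself, a credential that is valid until the password changes, not a session that can be revoked.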

  2. #2 Mittineague (Programming Team, joined Jul 2005, West Springfield, Massachusetts)
    If you can put it together, someone else can take it apart.
    Probably depends more on whether or not it's worth taking the time to break it. Although some might do it for the fun of the challenge.

  3. #3 wwb_99 (SitePoint Author, joined May 2003, Washington, DC)
    Don't build your own encryption scheme, there are plenty of good options out there. You should be able to do something like 3DES and then dump that to a base64 encoded string and put that in the cookie. Secret will stay safe on your own server.

    You also need to think about man in the middle attacks and such here, like attaching some IP/computer info to the encoded data to verify it is from the same machine that created it.
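The reply's advice made concrete, as an added example that is not wwb_99's code. The reply suggests a standard cipher such as 3DES with the secret kept on the server; this uses HMAC-SHA256 from the Python standard library instead, since a remember-me cookie mainly needs integrity under a server-held secret, and the payload carries only the user ID, the client address (bound as the reply suggests) and an expiry, so no password material is in the cookie at all. The functions issue and verify, the payload layout and the sample secret are my own assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

TWO_WEEKS = 14 * 24 * 3600  # the original post's mandatory re-login interval


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(server_secret, uid, client_ip, ttl=TWO_WEEKS, now=None):
    """Mint a cookie value: base64url(payload) '.' base64url(HMAC-SHA256(secret, payload)).
    The secret never leaves the server; the cookie holds nothing derived from the password."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = json.dumps({"uid": uid, "ip": client_ip, "exp": exp},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(server_secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify(server_secret, cookie, client_ip, now=None):
    """Return the uid if the cookie is authentic, unexpired and presented from
    the same address, else None. The tag is checked in constant time before
    the payload is parsed, so a forged cookie never reaches the JSON decoder."""
    try:
        p, t = cookie.split(".", 1)
        payload, tag = _b64d(p), _b64d(t)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(server_secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(payload)
    current = time.time() if now is None else now
    if data["exp"] < current:
        return None
    if data["ip"] != client_ip:
        return None
    return data["uid"]


if __name__ == "__main__":
    secret = b"server-side secret, never sent to the client"  # constructed sample
    cookie = issue(secret, 42, "203.0.113.7")
    print(cookie)
    print("same client:", verify(secret, cookie, "203.0.113.7"))
    print("other client:", verify(secret, cookie, "198.51.100.9"))
```

The address check implements the reply's suggestion, but note its cost: users behind carrier NAT or on mobile networks change addresses routinely and will be logged out, while an attacker on the same network is not stopped by it. Sending the cookie only over HTTPS with the Secure and HttpOnly flags does more against interception than address binding does, and the server-side login timestamp the original post already keeps is what actually lets a stolen cookie be revoked.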
