php quick question

Discussion in 'OT Technology' started by D1G1T4L, May 10, 2006.

  1. D1G1T4L

    D1G1T4L Active Member

    Joined:
    May 4, 2001
    Messages:
    16,489
    Likes Received:
    0
    Location:
    Bay Area
If you make a login system which contains user names and passwords, do you encrypt the passwords and then store them in the db, or do you have some other way of doing it?
     
  2. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    encrypted pw. I've used the "encrypt", as well as "md5" sums.
     
  3. CompiledMonkey

    CompiledMonkey New Member

    Joined:
    Oct 26, 2001
    Messages:
    8,528
    Likes Received:
    0
    Location:
    Richmond, VA
    I've always liked using a one way hash and storing that. So when a user goes to login you hash their given password and see if it matches the hash from the database for the given user name.
     
  4. Joe_Cool

    Joe_Cool Never trust a woman or a government. Moderator

    Joined:
    Jun 30, 2003
    Messages:
    299,514
    Likes Received:
    618
    Yes. Use the md5 hash.
     
  5. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    md5 hash + salting ftw.

    make your salt a random, 8 char string 0-9,a-f
    then hash your password like so:

    $hashedPassword = md5($password.$salt).$salt

    this provides a unique hash, even if the word is the same.

    to check to ensure the password is correct you can do the following:

    parse off the last 8 chars of the stored hash.
if($storedHash == md5($password.$parsedSalt).$parsedSalt)
    then it's a valid password.

    also, it's harder to tell what type of hash it is when you're using md5 (which outputs 32 chars) and your hash is 40.

    2cents
     
  6. D1G1T4L

    D1G1T4L Active Member

    Joined:
    May 4, 2001
    Messages:
    16,489
    Likes Received:
    0
    Location:
    Bay Area
yea hashing is what I was thinking about
not sure what salting is, I'll read about it
     
  7. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
helps to strengthen the hash if used for one-way encryption.
     
  8. D1G1T4L

    D1G1T4L Active Member

    Joined:
    May 4, 2001
    Messages:
    16,489
    Likes Received:
    0
    Location:
    Bay Area
but hashing is one way
let's say you want to give an option where a user can recover a password and it gets sent to him in an email
will you have to use a different system then?
     
  9. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    have it re-generate a password and email it.

the problem with hashing is collisions, where a duplicate hash is produced from different inputs. A random salt helps to prevent this, and also provides a different hash for the same word.

    Eg:
Code:
<?php
// provided by user
$password = 'qwerty';
// randomly generated
$salt1 = 'abcd';
// randomly generated
$salt2 = 'wxyz';

// salt goes into the md5 input, and is also appended so it can be read back later
$hash1 = md5($salt1.$password).$salt1;
$hash2 = md5($salt2.$password).$salt2;

// now since the random salt happened
// $hash1 != $hash2
// however the passwords are the same
now unless the passwords get brute forced, there is even less of a chance of a collision to occur.
     
  10. D1G1T4L

    D1G1T4L Active Member

    Joined:
    May 4, 2001
    Messages:
    16,489
    Likes Received:
    0
    Location:
    Bay Area

how would you re-generate the password if hashing is one way?
     
  11. Joe_Cool

    Joe_Cool Never trust a woman or a government. Moderator

    Joined:
    Jun 30, 2003
    Messages:
    299,514
    Likes Received:
    618
    Generate a new random password with a new hash. Then the user changes his password. Just like on OT.
     
  12. D1G1T4L

    D1G1T4L Active Member

    Joined:
    May 4, 2001
    Messages:
    16,489
    Likes Received:
    0
    Location:
    Bay Area
yes but what if I want to send him his current/real password, not generate a new one? would I have to use a different decryption/storage method for passwords
     
  13. Joe_Cool

    Joe_Cool Never trust a woman or a government. Moderator

    Joined:
    Jun 30, 2003
    Messages:
    299,514
    Likes Received:
    618
    You don't. Why would you want that? If he forgets his password, you just issue him a new one.

    For the password to be recoverable, it would introduce a whole mess of security issues you don't want to deal with.
     
  14. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
    Forms that re-send you your current password store it as plain text in the database. That isn't good security at all.
     
  15. kingtoad

    kingtoad OT Supporter

    Joined:
    Sep 2, 2003
    Messages:
    55,924
    Likes Received:
    11
    Location:
    Los Angeles
    md5 checksum.
     
  16. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
Adding an 8 char salt (0-9a-f) to the hash (esp if it's md5) changes it up. Now instead of a 32bit md5 hash, it looks like a 40bit sha1 hash ;)

    Yes, security through obscurity :noes:
     
  17. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    go one better and have TWO salts. One for within the md5 function, and another for appending to the end of the MD5 record.

    - OR -

    Have the 8-digit appending salt be random at the time you create the salt, so each record has a different salt. Then simply drop the last eight off of the checksum before comparing md5 sums. :mamoru: That way no one will recognize a pattern with the last 8 when they see mass-data.
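Added example (not code from the thread) of the scheme described in posts 5 and 17, md5(password.salt) with the 8-char hex salt appended and parsed back off at check time, plus the reset flow from posts 9 and 11 that issues a fresh random password instead of recovering the old one. MD5 is far too fast for password storage today, so the last two functions show PHP's built-in password_hash()/password_verify(), which is what a current login system should use. Assumes PHP 7+ (random_bytes(), hash_equals()); all function names are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
const SALT_LEN = 8; // 8 hex chars, 0-9a-f, as suggested in the thread

// Random per-record salt of SALT_LEN hex chars.
function make_salt(): string {
    return bin2hex(random_bytes(SALT_LEN / 2));
}

// Stored value = md5(password . salt) . salt  (32 + 8 = 40 chars).
function make_stored_hash(string $password, string $salt): string {
    return md5($password . $salt) . $salt;
}

// Parse the salt off the end, recompute, and compare in constant time.
function check_password(string $password, string $stored): bool {
    if (strlen($stored) !== 32 + SALT_LEN) {
        return false; // malformed record, never a match
    }
    $salt = substr($stored, -SALT_LEN);
    return hash_equals($stored, make_stored_hash($password, $salt));
}

// "Forgot password": do not try to recover the old one. Issue a random
// temporary password, store its hash, and hand the plaintext back once
// so the caller can email it; the user then changes it on login.
function issue_temporary_password(): array {
    $temp = bin2hex(random_bytes(6)); // 12 hex chars, constructed length
    return [
        'plaintext' => $temp,
        'stored'    => make_stored_hash($temp, make_salt()),
    ];
}

// Current PHP: password_hash() picks the algorithm (bcrypt by default)
// and generates and embeds the salt itself; password_verify() checks it.
function modern_store(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function modern_check(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Walk-through with a constructed password.
$stored = make_stored_hash('qwerty', make_salt());
var_dump(check_password('qwerty', $stored));  // correct password
var_dump(check_password('qwertz', $stored));  // wrong password
$reset = issue_temporary_password();
var_dump(check_password($reset['plaintext'], $reset['stored']));
var_dump(modern_check('qwerty', modern_store('qwerty')));
```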
     
  18. Conrad10781

    Conrad10781 New Member

    Joined:
    Feb 26, 2005
    Messages:
    45
    Likes Received:
    0
    Location:
    New York
Don't want to be technical, as I fully agree that md5 is the best way, but if someone does want to send the current password, it doesn't necessarily mean it was stored plain text in the database, it could have been stored with something like mcrypt/blowfish, and just decrypted on its way out... Though of course, this still leads back to sensitive information is on the server, and somewhere the mcrypt/blowfish key is there as well, and if someone ever got it.... :noes::noes::noes:
     
  19. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    Joined:
    Nov 13, 2001
    Messages:
    11,865
    Likes Received:
    0
    Location:
    BC, Canada/Stockholm, Sweden
Werd to the random salts. I should have specified that. 0-9a-f. I have code for that lying around.
     