Password Encrypt
YoussefSiblini
- Forum Contributor
- Posts: 206
- Joined: Thu Jul 21, 2011 1:51 pm
Password Encrypt
Hi,
I am trying to secure the password using md5 before sending it to the database.
But the problem I am getting is:
So the user registers, let's say he enters "password" as his password, and then that password will be encrypted and go to the database, but when that user tries to login using "password" as the password it will not let him login because the password has been encrypted, so I have to give him the encrypted pw from the database.
Is there a way to get over this, or a different way to do it?
Youssef
Re: Password Incrypt
md5 is a 1-way algorithm, and hence it can only encrypt strings.
The workflow of securing passwords with md5 is as follows.
Registration Process
- The user registers with a password
- The PHP script encrypts the password using md5() and stores it in the database
- When the user wants to login again, he needs to enter his password
- The entered password is sent to the PHP script
- The PHP script then encrypts the password sent from the login form with md5() and checks if it is equal to the md5 encrypted password stored in the database
YoussefSiblini
- Forum Contributor
- Posts: 206
- Joined: Thu Jul 21, 2011 1:51 pm
Re: Password Incrypt
Thank you so much, you are a life saver.
- getmizanur
- Forum Commoner
- Posts: 71
- Joined: Sun Sep 06, 2009 12:28 pm
Re: Password Incrypt
Your algorithm is pointless if you do not send the user password through an SSL connection. Linux users can use tcpflow, Wireshark, tcpdump and other utilities to snoop on network traffic. Using these utilities you can identify user passwords.
If you are using MySQL, use the password() function to secure your password.
Conclusion
1./ set up an SSL connection (https)
2./ use the password() function (MySQL)
YoussefSiblini
- Forum Contributor
- Posts: 206
- Joined: Thu Jul 21, 2011 1:51 pm
Re: Password Incrypt
getmizanur thank you,
I am going to use an SSL certificate later on; would md5 secure it till SSL is ready, or should I use md5 and other stuff like the password() function?
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Password Incrypt
Hi,
getmizanur wrote:
your algorithm is pointless, if you do not send user password through ssl connection. linux users can use tcpflow, wireshark, tcpdump and other utilities to snoop on network traffic. using these utilities you can identify user password.
if you are using mysql, use password() function to secure your password.
conclusion
1./ set-up ssl connection (https)
2./ use password() function (mysql)
You do realize that this site does not use SSL to transmit usernames and passwords, right?
I know of very few people using mysql's password to hash user passwords.
First, do NOT encrypt passwords. Encrypting something implies that it can be decrypted. You want to hash the password; hashing is a one-way function from which you cannot (theoretically) recover the source.
Second, do NOT use md5 to hash passwords, it is cryptographically unsafe. There is speculation that SHA-1 is no longer safe as well. You should strive to use one of the SHA-2 algorithms. After all, bits are cheap.
Third, at a minimum, you should salt your passwords, preferably you should pepper them as well, and I like to throw the username and id in as ingredients as well. Search for password salting for examples.
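As an added example (not code from the thread or from any poster), here is the registration and login workflow described earlier in this thread, written the way this post recommends: the password is hashed, not encrypted, with SHA-256 rather than md5, and a random per-user salt plus an application-wide pepper go in with it. At login the stored salt is read back, the submitted password is hashed again the same way, and the two digests are compared. The `$db` array, the `PEPPER` value and the function names are assumptions standing in for the real database table and configuration; `password_hash()`/`password_verify()` are PHP's built-in alternative (PHP 5.5 and later) and are shown at the end.

```php
<?php
// Added example, not from the thread. Assumes a users table with the columns
// username, salt and pwd_hash; a plain array stands in for the database here.
// PEPPER is an assumed application-wide secret kept in config, not in the DB.
const PEPPER = 'replace-with-a-secret-kept-outside-the-database';

function makeSalt(): string
{
    // 16 bytes from the OS CSPRNG (random_bytes() is available since PHP 7),
    // hex-encoded so it can be stored in a text column next to the hash.
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string
{
    // Salt, password and pepper go into SHA-256 together; md5 is not used.
    return hash('sha256', $salt . $password . PEPPER);
}

// Registration: store the salt and the hash, never the password itself.
function registerUser(array &$db, string $username, string $password): void
{
    $salt = makeSalt();
    $db[$username] = [
        'salt'     => $salt,
        'pwd_hash' => hashPassword($password, $salt),
    ];
}

// Login: re-hash the submitted password with the stored salt and compare.
function loginUser(array $db, string $username, string $password): bool
{
    if (!isset($db[$username])) {
        // Do the same amount of work for an unknown user so the response
        // time does not reveal which usernames exist.
        hashPassword($password, makeSalt());
        return false;
    }
    $row       = $db[$username];
    $candidate = hashPassword($password, $row['salt']);
    // hash_equals() compares in constant time instead of stopping at the
    // first differing byte like == does.
    return hash_equals($row['pwd_hash'], $candidate);
}

// Built-in alternative: password_hash() picks a slow, salted algorithm
// (bcrypt by default) and stores the salt inside the returned string.
function registerUserBuiltin(array &$db, string $username, string $password): void
{
    $db[$username] = ['pwd_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function loginUserBuiltin(array $db, string $username, string $password): bool
{
    return isset($db[$username])
        && password_verify($password, $db[$username]['pwd_hash']);
}

// Constructed demo data: one user registered with the password "banana".
$db = [];
registerUser($db, 'youssef', 'banana');
echo 'correct password:   ', loginUser($db, 'youssef', 'banana') ? 'accepted' : 'rejected', PHP_EOL;
echo 'wrong case:         ', loginUser($db, 'youssef', 'Banana') ? 'accepted' : 'rejected', PHP_EOL;
echo 'unknown user:       ', loginUser($db, 'nobody', 'banana') ? 'accepted' : 'rejected', PHP_EOL;

$db2 = [];
registerUserBuiltin($db2, 'youssef', 'banana');
echo 'built-in, correct:  ', loginUserBuiltin($db2, 'youssef', 'banana') ? 'accepted' : 'rejected', PHP_EOL;
echo 'built-in, wrong:    ', loginUserBuiltin($db2, 'youssef', 'grape') ? 'accepted' : 'rejected', PHP_EOL;
```

The salt is stored next to the hash in clear; its job is only to make each user's digest unique so that two users with the same password get different hashes and a precomputed table cannot be reused, which is why it must be random rather than derived from the password. The pepper lives outside the database so that a dump of the users table alone is not enough to start guessing offline. Of the two variants, `password_hash()` is the one to prefer in new code, because a deliberately slow hash makes brute-forcing a stolen table far more expensive than a single SHA-256 does.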
YoussefSiblini
- Forum Contributor
- Posts: 206
- Joined: Thu Jul 21, 2011 1:51 pm
Re: Password Incrypt
I know you said don't use md5 but I found this online; they say it is safe:
What do you think?
Code:
<?php
$password = "banana";
$salt = sha1(md5($password));
$password = md5($password.$salt);
Youssef
Re: Password Incrypt
Zend Framework has built-in support for the PHP MCrypt functions. You can read about it there:
http://framework.zend.com/manual/en/zen ... et.encrypt
Or at the PHP manual:
http://php.net/mcrypt
Re: Password Incrypt
YoussefSiblini wrote:
I know you said don't use md5 but I found this online they say it is safe:
"They" are wrong; md5 is significantly more vulnerable than several better (stronger) hashes. See this page which pretty much sums it up (especially point 1).
Regarding the SSL issue: keep in mind that hashing the password is happening server-side, so the actual password is still being sent in plaintext to your script unless you use https! I'd recommend to use either SSL, or hash the password client side (i.e. using javascript) and only submit the hash, rather than the password itself. SSL is the preferred alternative though.
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Password Incrypt
Hi Youssef,
YoussefSiblini wrote:
I know you said don't use md5 but I found this online they say it is safe:
what you think?
Code:
$password = "banana";
$salt = sha1(md5($password));
$password = md5($password.$salt);
Youssef
I think using the password as the salt is a poor idea; I would use a strong random value for salting purposes. I prefer to grab some data from /dev/urandom, but it only exists on *nix based systems.
I also think it's just as easy to use a stronger hash algorithm. I think the reason people are so adamant about using md5 is that they simply don't know how easy it is to use a stronger algorithm.
Code:
<?php
$password = hash('sha256', "my_password and salt and other ingredients");
?>
- getmizanur
- Forum Commoner
- Posts: 71
- Joined: Sun Sep 06, 2009 12:28 pm
Re: Password Incrypt
flying_circus wrote:
You do realize that this site does not use SSL to transmit usernames and passwords, right?
Yes, I do. However, just because this site is not using it, that does not mean it is right. Think about it: why bother spending money on an SSL certificate; Gmail, Hotmail, the Oracle Java forum and other sites should all just stop using SSL connections because this site does not use it. Lame excuse.
The owner of this site is not using an SSL connection; either he thinks the data is not sensitive enough to warrant an SSL certificate or he does not want to fork out money for the certificate. Yes, he can generate a self-signed certificate; however, every browser is going to throw a warning message, which may put off users.
flying_circus wrote:
I know of very few people using mysql's password to hash user passwords
Mmm... MySQL themselves use the password() function in the "user" table to hash passwords, which include the root password. You missed that one.
To hash a password, it initially needs to be transmitted over the HTTP protocol to the server-side script, which then hashes it with md5/SHA-2. During that transport, the data (i.e. password, username) is visible in plain text to people using the web. If I manage to sniff out your password, it does not matter how much you hash/encrypt the password; your database is going to match the hash/encrypted string and let me pass.
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Password Incrypt
getmizanur wrote:
owner of this site is not using ssl connection either he thinks the data is not sensitive enough to warrent a ssl certificate
Bingo! This is a design consideration based on risk and exposure.
You stated "your algorithm is pointless, if you do not send user password through ssl connection." and I disagree. There are two separate security mechanisms at work here, and although they should both be equally strong, it is not pointless to strengthen one, even if the other is weak. Defense in depth.
getmizanur wrote:
mmm...mysql they themselves use password() function in "user" table to hash passwords which include root password. you missed that one.
I think you knew what I meant, but for clarification, I know of very few people using mysql's password() to hash user passwords for their web based authentication system. This is simply an observation, and perhaps I am wrong, but it does not seem to be "the norm" as far as web based apps are concerned.
getmizanur wrote:
To hash a password, it initially needs to be transmitted over http protocol to the server side script which then is hashed with md5/sha-2. during that transport, the data (ie password, username) is available to see by people using www in plain text. if i manage to sniff out your password, it does not matter how much you hash/encrypt the password, your database is going to match the hash/encrypted string and let me pass.
This goes back to the first point I made above, about exposure. In order for you to sniff my username and password, we would both have to be on the same network node (that you can control) at some point during the data transmission. I have logged into this forum many, many times over an unencrypted connection, and even though you know how, I feel confident that you do not have nor can you get my password using a network traffic analyzer. IF it were so easy to do, I would assume that the site admin account would be under constant attack.
We can agree that the "proper" way to transmit user credentials is over SSL. Though sometimes you have to do the best that you can, given the tools you have, so long as the consequences of a compromised system are low.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Password Incrypt
getmizanur wrote:
if you are using mysql, use password() function to secure your password.
Not quite.
getmizanur wrote:
mmm...mysql they themselves use password() function in "user" table to hash passwords which include root password
MySQL reference manual wrote:
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
YoussefSiblini
- Forum Contributor
- Posts: 206
- Joined: Thu Jul 21, 2011 1:51 pm
Re: Password Incrypt
Wow, thank you guys, you are so helpful. I am going to use an SSL certificate definitely before my site goes live; lots of users who are new to PHP like me will find this post very helpful.