Page 1 of 1
Password Encrypt
Posted: Sun Sep 04, 2011 3:13 pm
by YoussefSiblini
Hi,
I am trying to secure the password using md5 before sending it to the database.
But the problem I am getting is:
So the user registers, lets say he enters password as his password, and then that password will encrypt and go to the database, but when that user tries to login using password as the password it will not let him login because the password has been encrypted so I have to give him the encrypted pw from the database.
Is there a way to get over this, or a different way to do it?
Youssef
Re: Password Incrypt
Posted: Sun Sep 04, 2011 3:23 pm
by ok
md5 is 1-way algorithm, and hence it can only encrypt strings.
The workflow of securing passwords with md5 is as follows.
Registration Process
- The user registers with a password
- The PHP script encrypts the password using md5() and stores it in the database
Login Process
- When the user wants to login again, he needs to enter his password
- The entered password is sent to the PHP script
- The PHP script then encrypts the password sent from the login form with md5() and checks if it is equal to the md5 encrypted password stored in the database
So, you don't actually have the real password in the database, but just the md5 representation of it. This ensures that if someone hacks into your database, they don't have the users passwords.
Re: Password Incrypt
Posted: Sun Sep 04, 2011 4:14 pm
by YoussefSiblini
Thank you so much, you are a life saver.
Re: Password Incrypt
Posted: Sun Sep 04, 2011 4:21 pm
by getmizanur
your algorithm is pointless, if you do not send user password through ssl connection. linux users can use tcpflow, wireshark, tcpdump and other utilities to snoop on network traffic. using these utilities you can identify user password.
if you are using mysql, use password() function to secure your password.
conclusion
1./ set-up ssl connection (https)
2./ use password() function (mysql)
Re: Password Incrypt
Posted: Sun Sep 04, 2011 5:26 pm
by YoussefSiblini
getmizanur thank you,
I am going to use ssl certificate later on would md5 secure it tell ssl ready, or should I use md5 and another stuff like password() function?
Re: Password Incrypt
Posted: Sun Sep 04, 2011 6:34 pm
by flying_circus
getmizanur wrote:your algorithm is pointless, if you do not send user password through ssl connection. linux users can use tcpflow, wireshark, tcpdump and other utilities to snoop on network traffic. using these utilities you can identify user password.
if you are using mysql, use password() function to secure your password.
conclusion
1./ set-up ssl connection (https)
2./ use password() function (mysql)
HI,
You do realize that this site does not use SSL to transmit usernames and passwords, right?
I know of very few people using mysql's password to hash user passwords.
First, do NOT encrypt passwords. Encrypting something implies that it can be decrypted. You want to hash the password, hashing is a 1 way function where you cannot (theoretically) obtain the source.
Second, do NOT use md5 to hash passwords, it is cryptographically unsafe. There is speculation that SHA-1 is no longer safe as well. You should strive to use one of the SHA-2 algorithms. After all, bits are cheap.
Third, at a minimum, you should salt your passwords, preferably you should pepper them as well, and I like to throw the username and id in as ingredients as well. Search for password salting for examples.
Re: Password Incrypt
Posted: Mon Sep 05, 2011 6:29 am
by YoussefSiblini
I know you said don't use md5 but I found this online they say it is safe:
Code: Select all
$password = "banana"
$salt = sha1(md5($password));
$password = md5($password.$salt);
what you think?
Youssef
Re: Password Incrypt
Posted: Mon Sep 05, 2011 6:36 am
by ok
Zend framework has a built-in support for PHP MCrypt functions. You can read there:
http://framework.zend.com/manual/en/zen ... et.encrypt
Or at the PHP manual:
http://php.net/mcrypt
Re: Password Incrypt
Posted: Mon Sep 05, 2011 10:38 am
by Apollo
YoussefSiblini wrote:I know you said don't use md5 but I found this online they say it is safe:
"they" are wrong, md5 is significantly more vulnerable than several better (stronger) hashes. See
this page which pretty much sums it up (especially point 1).
Regarding the SSL issue: keep in mind that hashing the password is happening server-side, so the actual password is still being sent in plaintext to your script unless you use https! I'd recommend to use either SSL, or hash the password client side (i.e. using javascript) and only submit the hash, rather than the password itself. SSL is the preferred alternative though.
Re: Password Incrypt
Posted: Mon Sep 05, 2011 12:03 pm
by flying_circus
YoussefSiblini wrote:I know you said don't use md5 but I found this online they say it is safe:
Code: Select all
$password = "banana"
$salt = sha1(md5($password));
$password = md5($password.$salt);
what you think?
Youssef
Hi Youssef,
I think using the password as the salt is a poor idea, I would use a strong random for salting purposes. I prefer to grab some data from /dev/urandom, but it only exists on *nix based systems.
I also think its just as easy to user a stronger hash algorithm. I think the reason people are so adamant about using md5 is that they simply dont know how easy it is to use a stronger algorithm.
Code: Select all
<?php
$password = hash('sha256', "my_password and salt and other ingredients");
?>
Re: Password Incrypt
Posted: Mon Sep 05, 2011 4:31 pm
by getmizanur
You do realize that this site does not use SSL to transmit usernames and passwords, right?
Yes, I do however just because this site is not using it that does not mean it is right. think about it, why bother spending money on ssl certificate; gmail, hotmail, oracle java forum and other sites should all just stop using ssl connection cause this site doe not use it. lame excuse.
owner of this site is not using ssl connection either he thinks the data is not sensitive enough to warrent a ssl certificate or he does not want to fork out money for the certificate. yes, he can generate self signed certificate however every browser is going to throw a warning message which may put off users.
I know of very few people using mysql's password to hash user passwords
mmm...mysql they themselves use password() function in "user" table to hash passwords which include root password. you missed that one.
To hash a password, it initially needs to be transmitted over http protocol to the server side script which then is hashed with md5/sha-2. during that transport, the data (ie password, username) is available to see by people using www in plain text. if i manage to sniff out your password, it does not matter how much you hash/encrypt the password, your database is going to match the hash/encrypted string and let me pass.
Re: Password Incrypt
Posted: Mon Sep 05, 2011 5:43 pm
by flying_circus
getmizanur wrote:owner of this site is not using ssl connection either he thinks the data is not sensitive enough to warrent a ssl certificate
Bingo! This is a design consideration based on risk and exposure.
You stated "your algorithm is pointless, if you do not send user password through ssl connection." and I disagree. There are two seperate security mechanisms at work here, and although they should both be equally strong, it is not pointless to strengthen one, even if the other is weak. Defense in depth.
getmizanur wrote:mmm...mysql they themselves use password() function in "user" table to hash passwords which include root password. you missed that one.
I think you knew what I meant, but for clarification, I know of very few people using mysql's password() to hash user passwords for their web based authentication system. This is simply an observation, and perhaps I am wrong, but it does not seem to be "the norm" as far as web based apps are concerned.
getmizanur wrote:To hash a password, it initially needs to be transmitted over http protocol to the server side script which then is hashed with md5/sha-2. during that transport, the data (ie password, username) is available to see by people using www in plain text. if i manage to sniff out your password, it does not matter how much you hash/encrypt the password, your database is going to match the hash/encrypted string and let me pass.
This goes back to the first point I made above, about exposure. In order for you to sniff my username and password, we would both have to be on the same network node (that you can control) at some point during the data transmission. I have logged into this forum many many times over an un-encrypted connection, and even though you know how, I feel confident that you do not have nor can you get my password using a network traffic analyzer. IF it were so easy to do, I would assume that the site admin account would be under constant attack.
We can agree that the "proper" way to transmit user credentials is over SSL. Though sometimes you have to do the best that you can, given the tools you havem so long as the consequences of a compromised system are low.
Re: Password Incrypt
Posted: Tue Sep 06, 2011 4:35 am
by social_experiment
getmizanur wrote:if you are using mysql, use password() function to secure your password.
getmizanur wrote:mmm...mysql they themselves use password() function in "user" table to hash passwords which include root password
Not quite.
mySQL reference manual wrote:The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications
Re: Password Incrypt
Posted: Mon Sep 12, 2011 7:38 am
by YoussefSiblini
Wow thank you guys, you are so useful I am going to use SSL certificate definitely before my site go live, lots of users who are new to php like me will find this post very helpful
