When to use MD5 ?
-
JPlush76
- Forum Regular
- Posts: 819
- Joined: Thu Aug 01, 2002 5:42 pm
- Location: Los Angeles, CA
I've read a lot of posts about the use of MD5 for making user passwords more secure.
at what point does md5 become needed? just for everyday login and information sites or should I just use it when you're talking about someone's credit card info or other really personal info?
also if you are to use it, what type of mysql field best supports it and what char length is needed for it?
thanks all!
Well, the safest approach (which is not absolutely necessary, but advisable for high-security content like credit card numbers) would be to send the text already crypted on form submitting (by means of using JavaScript). Yahoo! Mail uses this system, you could take a look at the source of http://mail.yahoo.com/. The only downside being that there are still browsers that do not support JavaScript (too few to be taken into consideration IMHO).
I never rely on JavaScript, or on any client-side processing, for authentication purposes. While most browsers nowadays support it, many people turn it off.
llimllib: Looking forward to it... in fact if you want someone to review/poke holes in it let me know, but I suspect it's a variation of what theChosen has said, so you'll already know my main objection.
-
JPlush76
- Forum Regular
- Posts: 819
- Joined: Thu Aug 01, 2002 5:42 pm
- Location: Los Angeles, CA
so let's say I log in a user
USERNAME: user
PASSWORD: testy
I MD5 that "testy" field into a 32char field in mysql and when they go to log in, they can still use their same "testy" password and it would work?
what happens if they forget their password? would you do a reset on the password and mail them a new password that they can log in and change again?
-
daemorhedron
- Forum Commoner
- Posts: 52
- Joined: Tue Jul 23, 2002 11:03 am
If you md5() the pw and store it as such in your db (and you should) you must md5() the pw they input to login and compare the two using that.
If they forget their password, they are kinda screwed. md5() is one way, so you won't be able to know what it is (without brute force hacking it, which is a waste of time of course) so you should have a system that will wipe their old pw, and assign them a temp one to the email addy they used to sign up with, or an equivalent system.
As I posted to someone else who wanted a forgot password thingy (this should help u with MD5 and password dilemmas):
later on, -Brian
on my website: Poetry.mine.nu, the way I go about passwords is more complex than yours, but simpler in the same way...here:
I think, in your case, it is bad judgement NOT to hash the passwords...not only would people not trust you if they found out, but it's just not good backend security in general. I suggest that you 'md5' (a form of hashing) your passwords. So when they sign-up, it does:
Code:
md5($password)
Then, when they go to login, it hashes what they enter and compares that to what is in the database.....(say that the name of the username input box on the login form is "username" and the password box name is "password"):
Code:
// escape the form value before it goes into the query string
$username = mysql_real_escape_string($username);
$result = mysql_query("select * from DBname where usercol='$username'");
$row = mysql_fetch_assoc($result);
// compare the stored hash with the hash of what was entered
if ($row["password"] == md5($password)) {
    $loggedin = $username;
    session_register("loggedin");
}
Then, in the rest of the site, you can check if they're logged in by:
Code:
if(session_is_registered("loggedin")) {}
So ANYWAY, about your 'forgot password' page. What you have them do is send you an e-mail FROM the e-mail address that they signed up with (so you know that they truly are who they say they are), then just hash up another temporary password and stick it in the DB under their name.... You can have a little admin page where u can enter something, and it'll return the hash, then just c/p and insert it into the DB under their name. So then u just put in like 'bob', put that in the DB for them, and e-mail them back telling them that their password has been changed to 'bob'. They can then proceed to change it at an 'Account' page...supposing you have one. If you don't have an account page...i suggest you make one...if not, just have them e-mail you what they WANT to be their password...then u hash it up and stick it in the DB. (If you think that "ooo, but then i'd know their password"....well, you could have looked anytime u want with ur original/non-hash scheme.)
I really hope that all made sense, and it's a very secure and efficient way of doing things...feel free to c/p the code.....
Also, with MD5, you can have fun creating random passwords for users:
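Code:
<?php
// Build a 6-12 character password out of MD5 hex digits.
// The seed comes from the clock, so the output is predictable to anyone who can guess the time.
function create_password()
{
    // (integer) md5(...) keeps only the leading decimal digits of the hex string (often 0),
    // so convert part of the digest with hexdec() instead
    $seed = hexdec(substr(md5(time()), 0, 7));
    mt_srand($seed);
    $password = mt_rand(1, 99999999);
    // offset 0-19 plus length 6-12 always stays inside the 32-character digest
    $password = substr(md5($password), mt_rand(0, 19), mt_rand(6, 12));
    return $password;
}
?>
Seems like most people here use MD5 to encrypt their passwords and I've been a little sloppy in my posts. I actually tend to use crypt, with an MD5 salt. I believe this is more secure than merely using MD5 and is definitely much more secure than using a plain 3DES crypt.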
Salts are used to prevent a single compromised password from compromising other users who may have chosen the same password, or to protect users who use the same password on multiple systems. So it doesn't really make your site more secure, but it limits the impact of a compromise. Salts are not secret. Anyone seeing the crypted password will know the salt. The only requirement for a salt is for it to be unique (ideally over all users on all systems); however, most people settle for strongly random.
Code:
// $1$ as a prefix indicates an MD5 salt
$salt = '$1$'.substr(MD5(session_id() . microtime() . getmypid()),0,12);
$cryptedPass = crypt($password,$salt);
// store this in your DB

// later in your code to test for matching passwords use
// This function should return the stored password for a user given a username
$storedPassword = getCryptedPassForUser($username);
if ("" == $storedPassword)
{
    sleep(1);
    // handle no-such user. typically speaking the result of no such user
    // should be exactly the same as a failed password match in order to
    // avoid revealing usernames to an attacker who doesn't know one
    // not really needed when usernames are public knowledge, but still
    // it's good practice....
}
else
{
    if (crypt($enteredPassword, $storedPassword) == $storedPassword)
    {
        // success
    }
    else
    {
        sleep(1);
        // fail, redirect/redisplay/log failures, etc
    }
}
The sleeps are used to frustrate brute-force password crackers by limiting retries to one a second. Most users won't notice the delay and it imposes next to no load on the server.
The MD5 function by itself is useful as jason has used it or as I used above to generate strongly random/unique identifiers. It is also very useful for detecting tampering with (transient) data/sessions by computing the message digest/hash and recomputing at the other end of the data interchange.
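The store, verify and reset steps discussed across the posts above, pulled together as an added example that is not code from any poster in this thread. It keeps the `$1$` MD5-crypt scheme from the last post to show what the salt changes; the function names, the in-memory `$db` array and the sample users are hypothetical, and `random_bytes()` and `hash_equals()` are swapped in for the salt source and the `==` comparison.

```php
<?php
// Added example. Function names are hypothetical; users and passwords are constructed.

// Plain MD5 as in the earlier posts: 32 hex chars, same input gives the same digest.
function unsalted(string $password): string
{
    return md5($password);
}

// MD5-crypt as in the last post: "$1$" marks the scheme, followed by the salt.
// Assumption: random_bytes() supplies the salt instead of session_id()/microtime().
function salted(string $password): string
{
    return crypt($password, '$1$' . bin2hex(random_bytes(4)) . '$');
}

// Re-run crypt() with the stored string as the salt and compare in constant time.
// An unknown user does comparable work and gets the same answer as a bad password.
function verify(array $db, string $user, string $entered): bool
{
    $stored = $db[$user] ?? '$1$00000000$';   // dummy value, matches no crypt() output
    return hash_equals($stored, crypt($entered, $stored));
}

// The stored value cannot be reversed, so a reset replaces it with a temporary password.
function reset_password(array &$db, string $user): string
{
    $temp = bin2hex(random_bytes(6));         // 12 hex characters from the OS CSPRNG
    $db[$user] = salted($temp);
    return $temp;                             // send to the address the user signed up with
}

$db = ['alice' => salted('testy'), 'bob' => salted('testy')];

var_dump(unsalted('testy') === unsalted('testy'));  // two users, one password, no salt
var_dump($db['alice'] === $db['bob']);              // same password, per-user salts
var_dump(verify($db, 'alice', 'testy'));            // correct password
var_dump(verify($db, 'alice', 'wrong'));            // wrong password
var_dump(verify($db, 'nobody', 'testy'));           // unknown user
$temp = reset_password($db, 'alice');
var_dump(verify($db, 'alice', 'testy'));            // old password after the reset
var_dump(verify($db, 'alice', $temp));              // temporary password
```

On current PHP, `password_hash()` and `password_verify()` follow the same salt-stored-with-the-hash pattern with a stronger algorithm than MD5-crypt.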