[SOLVED]I almost dare not ask...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
Jean-Yves
Forum Contributor
Posts: 148
Joined: Wed Jul 02, 2003 2:13 pm
Location: West Country, UK

[SOLVED]I almost dare not ask...

Post by Jean-Yves »

...but can someone recommend a link to a site with a good, simple, step-by-step guide to establishing a password field in MySQL (using the PASSWORD, ENCRYPT type functions I assume?), and how to compare that value to a value entered into a login page (DECODE ?).

Any info on how to Update the field if this is different to an Insert would be great too.

Currently, I use clear text as the site holds no valuable data, but real email addresses (as opposed to dummy/throwaway ones for testing) will soon be held so this needs to be secured a little more.

Despite reading various articles and manual pages (bith PHP and MySQL), I am still confused about md5, encryption, salting, etc.

I have read the MD5 tutorial on this site, but I would like the password to be encrypted on the database if at all possible, so that even admins cannot read them.

Thanks.
Last edited by Jean-Yves on Tue Sep 28, 2004 5:58 am, edited 1 time in total.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Isn't this

Code: Select all

insert into table set field=md5('clear-text-password');
enough for you?
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

And comparison with something entered into a textfield would be as simple as converting that into md5, and comparing it to the one in the DB.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Sami wrote:And comparison with something entered into a textfield would be as simple as converting that into md5, and comparing it to the one in the DB.
eg

Code: Select all

select count(*) from table where field=md5('clear-text-password')
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: I almost dare not ask...

Post by Roja »

Jean-Yves wrote: I have read the MD5 tutorial on this site, but I would like the password to be encrypted on the database if at all possible, so that even admins cannot read them.
You didn't read it well enough then. :)

MD5 isnt encryption - its hashing. However, when you store the hash, its impossible - even for an admin - to recover the original value.

So, if I ask you for your password, and md5 it:

$store_this = md5("password");

Then store it in the DB, it will look like this:

# select password from users where userid=2
5f4dcc3b5aa765d61d8327deb882cf99

Its computationally infeasible to recover the original from that hash - ie, you can't run un_md5("5f4dcc3b5aa765d61d8327deb882cf99"); - there is no such beast.

I'll leave the SQL, password, encrypt stuff to others to explain. But hopefully, you can see how md5 can be used to securely store a password hash now.
User avatar
Jean-Yves
Forum Contributor
Posts: 148
Joined: Wed Jul 02, 2003 2:13 pm
Location: West Country, UK

Post by Jean-Yves »

So md5 would be sufficient for most cases? Great :)
The content of the database is not particularly of interest to anyone, other than email addresses, and I recommend users chose a throwaway account. But better safe than sorry!

Thanks for the feedback everyone.

One other thing - is sha() better than md5() ? Or simply a different way of achieveing the same thing?
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Jean-Yves wrote:So md5 would be sufficient for most cases? Great :)
...
One other thing - is sha() better than md5() ? Or simply a different way of achieveing the same thing?
"Sufficient for most cases" is a value judgement.

For example, if I wanted to protect against a script kiddie who might gain access to an online game with no prizes that I run, md5 is almost overkill.

However, if I wanted to protect against a fairly dedicated attacker, who might have a library of likely md5 hashes, then sha1 would be better - its got a larger keyspace, so its less likely to be compromised.

Yet again, if I wanted to protect against THE FEDERAL GOVERNMENT, well, get the tinfoil hats on, and use something much more serious like blowfish or PGP. :)

Its all about protection v. attacker.

But to answer the other question, SHA1 (in the latest php's) is almost exactly as fast as md5 (less than 5% variance in my testing), and gives substantially more protection.
d_d
Forum Commoner
Posts: 33
Joined: Wed Jul 07, 2004 4:56 pm
Location: UK

Post by d_d »

I think you are much better off spending time preventing people from getting access to your database in the first place. Once the attacker has access to the database he has access to the sensertive info in it and the password hashing method is irelevent.

Also a lot of people use simple easy to guess passwords for which sha1 is really no better than md5. If the weak link is users with simple passwords then the attacker is going to exploit that weakness instead of trying to attack your hashing method.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

d_d wrote:I think you are much better off spending time preventing people from getting access to your database in the first place. Once the attacker has access to the database he has access to the sensertive info in it and the password hashing method is irelevent.
I dont completely agree. I think time should be spent on both, but yes, preventing access to the db is at least as important, if not more so.
d_d wrote: Also a lot of people use simple easy to guess passwords for which sha1 is really no better than md5. If the weak link is users with simple passwords then the attacker is going to exploit that weakness instead of trying to attack your hashing method.
With that - I completely agree. Any idiot using "password" as their password is likely to get his account compromised.
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Roja wrote:
d_d wrote: Also a lot of people use simple easy to guess passwords for which sha1 is really no better than md5. If the weak link is users with simple passwords then the attacker is going to exploit that weakness instead of trying to attack your hashing method.
With that - I completely agree. Any idiot using "password" as their password is likely to get his account compromised.
To extend that idea further, give me a hash of a string less than six characters, and I will post you your word. Take my word for it, it'll take me less than 5 mintues. Once you go over 6 characters, time grows exponentially and it's no fun anymore :twisted:. This is exactly why I alwasy ask for a password greater than 6 characters for all my user-based sites.
User avatar
Jean-Yves
Forum Contributor
Posts: 148
Joined: Wed Jul 02, 2003 2:13 pm
Location: West Country, UK

Post by Jean-Yves »

evilmonkey wrote:
Roja wrote: To extend that idea further, give me a hash of a string less than six characters, and I will post you your word. Take my word for it, it'll take me less than 5 mintues. Once you go over 6 characters, time grows exponentially and it's no fun anymore :twisted:. This is exactly why I alwasy ask for a password greater than 6 characters for all my user-based sites.
Thanks, that's good to know, as currently passwords are 5-15 characters. I'll up it to 7 minimum then! :)
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

5 chars: d6aca7c53b1d7fbfd2aac0458808ac26
4 chars: 4f8de24d6093ac5d25c7cfafc474d49f
3 chars: fda71993dbb74d33a8d02806aafd4bba

Let's see if you can go 3/3. 8)
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

evilmonkey wrote: This is exactly why I alwasy ask for a password greater than 6 characters for all my user-based sites.
Ah - but that means for all your user-based sites, you have the user send you the password cleartext at some point, so you can check the size!

That means that someone can sniff the connection, and gather those passwords.

Security is a compromise at every step! Your solution may force users to have longer and thus harder to brute force passwords, but now I know if I wanted to attack them, my best bet would be to compromise either the server, the upstream gateways/routers, some end user's ISP, or even their computer.

Either way, touting passing passwords as cleartext (to enforce length-checks) as "superior" to weaker passwords is definitely debatable.
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Sami wrote:5 chars: d6aca7c53b1d7fbfd2aac0458808ac26
4 chars: 4f8de24d6093ac5d25c7cfafc474d49f
3 chars: fda71993dbb74d33a8d02806aafd4bba

Let's see if you can go 3/3. 8)
Hello Sami,

Your 5 char hash is phpdn (~1 minute)
Your 4 char hash is sami (~1 second)
Your 3 char hash is heh (instant)

3/3? :lol:
User avatar
dull1554
Forum Regular
Posts: 680
Joined: Sat Nov 22, 2003 11:26 am
Location: 42:21:35.359N, 76:02:20.688W

Post by dull1554 »

hey evilmonkey, what program do you use to brute force md5 hashes?
i used to use cain but i run win2k and there is only a 98 version......
Post Reply