Page 1 of 3
[SOLVED]I almost dare not ask...
Posted: Mon Sep 20, 2004 9:28 am
by Jean-Yves
...but can someone recommend a link to a site with a good, simple, step-by-step guide to establishing a password field in MySQL (using the PASSWORD, ENCRYPT type functions I assume?), and how to compare that value to a value entered into a login page (DECODE ?).
Any info on how to Update the field if this is different to an Insert would be great too.
Currently, I use clear text as the site holds no valuable data, but real email addresses (as opposed to dummy/throwaway ones for testing) will soon be held so this needs to be secured a little more.
Despite reading various articles and manual pages (bith PHP and MySQL), I am still confused about md5, encryption, salting, etc.
I have read the MD5 tutorial on this site, but I would like the password to be encrypted on the database if at all possible, so that even admins cannot read them.
Thanks.
Posted: Mon Sep 20, 2004 9:54 am
by Weirdan
Isn't this
Code: Select all
insert into table set field=md5('clear-text-password');
enough for you?
Posted: Mon Sep 20, 2004 9:56 am
by m3mn0n
And comparison with something entered into a textfield would be as simple as converting that into md5, and comparing it to the one in the DB.
Posted: Mon Sep 20, 2004 9:58 am
by Weirdan
Sami wrote:And comparison with something entered into a textfield would be as simple as converting that into md5, and comparing it to the one in the DB.
eg
Code: Select all
select count(*) from table where field=md5('clear-text-password')
Re: I almost dare not ask...
Posted: Mon Sep 20, 2004 9:58 am
by Roja
Jean-Yves wrote:
I have read the MD5 tutorial on this site, but I would like the password to be encrypted on the database if at all possible, so that even admins cannot read them.
You didn't read it well enough then.
MD5 isnt encryption - its hashing. However, when you store the hash, its impossible - even for an admin - to recover the original value.
So, if I ask you for your password, and md5 it:
$store_this = md5("password");
Then store it in the DB, it will look like this:
# select password from users where userid=2
5f4dcc3b5aa765d61d8327deb882cf99
Its computationally infeasible to recover the original from that hash - ie, you can't run un_md5("5f4dcc3b5aa765d61d8327deb882cf99"); - there is no such beast.
I'll leave the SQL, password, encrypt stuff to others to explain. But hopefully, you can see how md5 can be used to securely store a password hash now.
Posted: Mon Sep 20, 2004 10:09 am
by Jean-Yves
So md5 would be sufficient for most cases? Great
The content of the database is not particularly of interest to anyone, other than email addresses, and I recommend users chose a throwaway account. But better safe than sorry!
Thanks for the feedback everyone.
One other thing - is sha() better than md5() ? Or simply a different way of achieveing the same thing?
Posted: Mon Sep 20, 2004 12:06 pm
by Roja
Jean-Yves wrote:So md5 would be sufficient for most cases? Great
...
One other thing - is sha() better than md5() ? Or simply a different way of achieveing the same thing?
"Sufficient for most cases" is a value judgement.
For example, if I wanted to protect against a script kiddie who might gain access to an online game with no prizes that I run, md5 is almost overkill.
However, if I wanted to protect against a fairly dedicated attacker, who might have a library of likely md5 hashes, then sha1 would be better - its got a larger keyspace, so its less likely to be compromised.
Yet again, if I wanted to protect against THE FEDERAL GOVERNMENT, well, get the tinfoil hats on, and use something much more serious like blowfish or PGP.
Its all about protection v. attacker.
But to answer the other question, SHA1 (in the latest php's) is almost exactly as fast as md5 (less than 5% variance in my testing), and gives substantially more protection.
Posted: Mon Sep 20, 2004 3:03 pm
by d_d
I think you are much better off spending time preventing people from getting access to your database in the first place. Once the attacker has access to the database he has access to the sensertive info in it and the password hashing method is irelevent.
Also a lot of people use simple easy to guess passwords for which sha1 is really no better than md5. If the weak link is users with simple passwords then the attacker is going to exploit that weakness instead of trying to attack your hashing method.
Posted: Mon Sep 20, 2004 4:11 pm
by Roja
d_d wrote:I think you are much better off spending time preventing people from getting access to your database in the first place. Once the attacker has access to the database he has access to the sensertive info in it and the password hashing method is irelevent.
I dont completely agree. I think time should be spent on both, but yes, preventing access to the db is at least as important, if not more so.
d_d wrote:
Also a lot of people use simple easy to guess passwords for which sha1 is really no better than md5. If the weak link is users with simple passwords then the attacker is going to exploit that weakness instead of trying to attack your hashing method.
With that - I completely agree. Any idiot using "password" as their password is likely to get his account compromised.
Posted: Mon Sep 20, 2004 5:31 pm
by evilmonkey
Roja wrote:d_d wrote:
Also a lot of people use simple easy to guess passwords for which sha1 is really no better than md5. If the weak link is users with simple passwords then the attacker is going to exploit that weakness instead of trying to attack your hashing method.
With that - I completely agree. Any idiot using "password" as their password is likely to get his account compromised.
To extend that idea further, give me a hash of a string less than six characters, and I will post you your word. Take my word for it, it'll take me less than 5 mintues. Once you go over 6 characters, time grows exponentially and it's no fun anymore

. This is exactly why I alwasy ask for a password greater than 6 characters for all my user-based sites.
Posted: Tue Sep 21, 2004 5:40 am
by Jean-Yves
evilmonkey wrote:Roja wrote:
To extend that idea further, give me a hash of a string less than six characters, and I will post you your word. Take my word for it, it'll take me less than 5 mintues. Once you go over 6 characters, time grows exponentially and it's no fun anymore

. This is exactly why I alwasy ask for a password greater than 6 characters for all my user-based sites.
Thanks, that's good to know, as currently passwords are 5-15 characters. I'll up it to 7 minimum then!

Posted: Tue Sep 21, 2004 6:12 am
by m3mn0n
5 chars: d6aca7c53b1d7fbfd2aac0458808ac26
4 chars: 4f8de24d6093ac5d25c7cfafc474d49f
3 chars: fda71993dbb74d33a8d02806aafd4bba
Let's see if you can go 3/3.

Posted: Tue Sep 21, 2004 7:59 am
by Roja
evilmonkey wrote:
This is exactly why I alwasy ask for a password greater than 6 characters for all my user-based sites.
Ah - but that means for all your user-based sites, you have the user send you the password cleartext at some point, so you can check the size!
That means that someone can sniff the connection, and gather those passwords.
Security is a compromise at every step! Your solution may force users to have longer and thus harder to brute force passwords, but now I know if I wanted to attack them, my best bet would be to compromise either the server, the upstream gateways/routers, some end user's ISP, or even their computer.
Either way, touting passing passwords as cleartext (to enforce length-checks) as "superior" to weaker passwords is definitely debatable.
Posted: Tue Sep 21, 2004 3:13 pm
by evilmonkey
Sami wrote:5 chars: d6aca7c53b1d7fbfd2aac0458808ac26
4 chars: 4f8de24d6093ac5d25c7cfafc474d49f
3 chars: fda71993dbb74d33a8d02806aafd4bba
Let's see if you can go 3/3.

Hello Sami,
Your 5 char hash is phpdn (~1 minute)
Your 4 char hash is sami (~1 second)
Your 3 char hash is heh (instant)
3/3?

Posted: Tue Sep 21, 2004 4:43 pm
by dull1554
hey evilmonkey, what program do you use to brute force md5 hashes?
i used to use cain but i run win2k and there is only a 98 version......