There have been lots of posts on how password checking should be handled, and I do not know which one is better than the other.
Some say make it part of a session, and other posts are putting it in a cookie. Some are passing it as a hidden field to another page that uses md5() and stores it in the DB (not too secure, I think). And the last one I am familiar with is HTTP authentication.
What is the most secure and efficient way to handle passwords if I do not want to pass them through hidden fields?
Your thoughts are greatly appreciated.
--quan
Your thoughts on best security for PWD
Moderator: General Moderators
-
PingLeeQuan
- Forum Commoner
- Posts: 58
- Joined: Tue Sep 03, 2002 8:08 am
Tricky question.
Depends on how secure you *really* want things.
For example, this forum has all passwords stored in the user table in an MD5 hash.
When you enter your password to log on, it converts your plain text password into an MD5 and compares it with what's in the database.
Technically you could do the same thing with plain text passwords and if ($password === $stored_password) (=== means IDENTICAL to).
MD5 just adds that extra layer of security in that even if someone steals your encrypted password, they can't use it to log in and do some damage because MD5 will just hash the stolen hash into a new hash.
Best way to store a session hash? Sessions. They're server side, and unless you've set up the session directory to be somewhere other than /tmp or c:\temp they're safe.
So in closing, drink Dr Pepper.
Oh, just a quick question... Has anyone else had any problems installing the mcrypt extension on a windows system?
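The flow the reply above describes, as an added example in PHP (not code from the forum or from its author): md5() of the password stored at registration, the submitted password hashed and compared at login, and beside it the salted password_hash()/password_verify() scheme a practitioner would use instead. The $users arrays are a constructed stand-in for the user table; the example assumes PHP 7 or later.

```php
<?php
// Added example, not the forum's own code. Demonstrates the register/login
// flow from the reply (store md5(), hash-and-compare on login) next to the
// salted scheme PHP ships with. The arrays below are a constructed stand-in
// for the MySQL user table.

// --- Legacy scheme from the reply: unsalted md5() -------------------------

function legacy_register(array &$users, string $name, string $password): void
{
    $users[$name] = md5($password);
}

function legacy_login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    // hash_equals() compares in constant time; a plain === on the two hashes
    // leaks timing information about how many leading bytes matched.
    return hash_equals($users[$name], md5($password));
}

// --- Salted, slow hash: password_hash()/password_verify() (PHP >= 5.5) -----

function register(array &$users, string $name, string $password): void
{
    // A random salt is generated and embedded in the returned string, so the
    // same password gives a different stored value for every user.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return password_verify($password, $users[$name]);
}

// --- Demo on a constructed user table --------------------------------------

$legacy = [];
legacy_register($legacy, 'quan', 'correct horse battery');
legacy_register($legacy, 'bob',  'correct horse battery');

echo "legacy: correct password accepted:   ",
    var_export(legacy_login($legacy, 'quan', 'correct horse battery'), true), "\n";
// A stolen hash submitted as the password is hashed again, so it is rejected.
echo "legacy: stolen hash rejected:        ",
    var_export(!legacy_login($legacy, 'quan', $legacy['quan']), true), "\n";
// The weakness the reply leaves out: no salt, so two users with the same
// password have identical rows, and md5 is cheap to crack offline at scale.
echo "legacy: equal passwords, equal rows: ",
    var_export($legacy['quan'] === $legacy['bob'], true), "\n";

$modern = [];
register($modern, 'quan', 'correct horse battery');
register($modern, 'bob',  'correct horse battery');

echo "modern: correct password accepted:   ",
    var_export(login($modern, 'quan', 'correct horse battery'), true), "\n";
echo "modern: stolen hash rejected:        ",
    var_export(!login($modern, 'quan', $modern['quan']), true), "\n";
echo "modern: equal passwords, equal rows: ",
    var_export($modern['quan'] === $modern['bob'], true), "\n";
```

Run it with `php example.php`. On the session point in the same reply: after a successful login, keep the password out of the session entirely by calling session_regenerate_id(true) and storing only the user's id in $_SESSION, so the session file under /tmp holds an identifier rather than a credential.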
Ohhhhhhhhhhh...
You can look at memory handling functions for PHP, or you could use a HEAP type table in MySQL, which is a table in memory rather than a table stored on disk.
Only problem with HEAP types, though, is that sometimes session data goes iffy, and the data stored in the table isn't permanent.
Or do you mean you're keeping user information in a file on disk space?