Your thoughts on best security for PWD

PingLeeQuan
Forum Commoner
Posts: 58
Joined: Tue Sep 03, 2002 8:08 am


Post by PingLeeQuan »

There have been lots of posts on how password checking should be handled and I do not know which one is better than the other.

Some say make it part of a session and other posts are putting it in a cookie. Some are passing it as a hidden field to another page that uses md5() and storing it in the DB (not too secure, I think). And the last one I am familiar with is HTTP authentication.

What is the most secure and efficient way to handle passwords if I do not want to pass them through hidden fields?

Your thoughts are greatly appreciated.
--quan
DeGauss
Forum Contributor
Posts: 105
Joined: Tue Oct 22, 2002 9:44 am
Location: Gainesville, FL

Post by DeGauss »

Tricky question.

Depends on how secure you *really* want things.

For example, this forum has all passwords stored in the user table in an MD5 hash.

When you enter your password to log on, it converts your plain text password into an MD5 and compares it with what's in the database.

Technically you could do the same thing with plain text passwords and `if ($password === $stored_password)` (=== means IDENTICAL to).

MD5 just adds that extra layer of security in that even if someone steals your encrypted password, they can't use it to log in and do some damage because MD5 will just hash the stolen hash into a new hash.

Best way to store a session hash? Sessions. They're server side, and unless you've set up the session directory to be somewhere other than /tmp or c:\temp they're safe.

So in closing, drink Dr Pepper.

Oh, just a quick question... Has anyone else had any problems installing the mcrypt extension on a windows system?
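The login flow DeGauss describes (hash the submitted password, compare it with the stored hash, then record the result in a server-side session) as an added example; this is not code from the thread or from the forum software. It uses md5() because that is what the thread discusses; the user table is a constructed array, and the form field names are assumed. One caveat a practitioner would want: an unsalted md5 is fast to brute-force or look up once the table is leaked, so a new application on PHP 5.5 or later would use password_hash() and password_verify() instead, which is a one-line swap in check_login() below.

```php
<?php
// Added example, not from the thread: hash-and-compare login with server-side session storage.
declare(strict_types=1);

// Constructed sample "user table": username => stored MD5 hash of the password.
// The hash is computed here only so the example runs stand-alone; a real table would hold the hash.
$users = [
    'quan' => md5('correct horse'),
];

/**
 * Check a submitted password against the stored hash.
 * Comparing hash to hash (not plaintext to plaintext) means the table never holds the password.
 * hash_equals() compares in constant time, so timing does not reveal how many bytes matched.
 */
function check_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown username takes about as long as a wrong password.
        md5($password);
        return false;
    }
    return hash_equals($users[$username], md5($password));
}

/**
 * On success, record the login in the server-side session and rotate the session id,
 * so an id that was issued before authentication cannot be reused afterwards.
 */
function start_authenticated_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    $_SESSION['last_seen'] = time();
}

// Usage (assumed form field names "username" and "password"):
$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

if (check_login($users, $username, $password)) {
    start_authenticated_session($username);
    echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Login failed';
}
```

Only the username and a timestamp are stored in the session; the password (or its hash) never needs to travel in a cookie or hidden field after the initial form post.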
PingLeeQuan
Forum Commoner
Posts: 58
Joined: Tue Sep 03, 2002 8:08 am

Post by PingLeeQuan »

Thanks DeGauss... I would like to keep the PWD in memory to check against an index that I built to access user data in a file. This file contains information for all users visiting the site (logging in).
DeGauss
Forum Contributor
Posts: 105
Joined: Tue Oct 22, 2002 9:44 am
Location: Gainesville, FL

Post by DeGauss »

Ohhhhhhhhhhh...

You can look at memory handling functions for PHP, or you could use a HEAP type table on MySQL, which is a table in memory rather than a table stored on disk space.

Only problem with HEAP types though is that sometimes session data goes iffy, and the data stored in the table isn't permanent.

Or do you mean you're keeping user information in a file on disk space?
PingLeeQuan
Forum Commoner
Posts: 58
Joined: Tue Sep 03, 2002 8:08 am

Post by PingLeeQuan »

The file is in memory, stored on another secure server. That is why I was not too crazy about using sessions. Session IDs can also be hijacked by other hackers.

--quan
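The session hijacking concern quan raises can be reduced on the PHP side without giving up server-side sessions. The following is an added example, not code from the thread: it configures the session cookie so the id is never accepted from the URL, is sent only over HTTPS and is unreadable by script, rejects ids the server did not issue, enforces idle and absolute lifetimes, and rotates the id periodically so a captured id stays useful only briefly. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params()) and a login step that stored 'user' and 'logged_in_at' in $_SESSION; the time limits are constructed values.

```php
<?php
// Added example, not from the thread: hardening a PHP session against id theft and reuse.
declare(strict_types=1);

// Constructed limits for this example.
const SESSION_IDLE_LIMIT = 900;       // seconds of inactivity before the session is dropped
const SESSION_MAX_AGE    = 8 * 3600;  // absolute lifetime regardless of activity
const SESSION_ROTATE_EVERY = 300;     // seconds between session id rotations

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Carry the id only in the cookie: never accept ?PHPSESSID= in the URL,
    // which is the easiest way for an id to leak into logs and referers.
    ini_set('session.use_only_cookies', '1');
    // Reject session ids that this server did not generate.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,       // sent only over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** True if a logged-in session exists and is within both the idle and absolute limits. */
function session_is_valid(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['logged_in_at'])) {
        return false;
    }
    $now = time();
    $lastSeen = $_SESSION['last_seen'] ?? $_SESSION['logged_in_at'];
    if ($now - $lastSeen > SESSION_IDLE_LIMIT) {
        return false;
    }
    if ($now - $_SESSION['logged_in_at'] > SESSION_MAX_AGE) {
        return false;
    }
    return true;
}

/** Record activity and rotate the id periodically; the old id is deleted server side. */
function touch_session(): void
{
    $now = time();
    $_SESSION['last_seen'] = $now;
    if (!isset($_SESSION['rotated_at']) || $now - $_SESSION['rotated_at'] > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
}

/** Clear the session data, expire the cookie, and destroy the server-side record. */
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of a protected page (redirect target is assumed):
secure_session_start();
if (!session_is_valid()) {
    end_session();
    header('Location: /login.php');
    exit;
}
touch_session();
```

None of this stops an attacker who already holds a valid id from using it before it rotates or expires, which is why the rotation interval and idle limit are kept short; a stolen id is then worth minutes rather than days.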