
Your thoughts on best security for PWD

Posted: Wed Jan 29, 2003 9:13 am
by PingLeeQuan
There have been lots of posts on how password checking should be handled and I do not know which one is better than the other.

Some say make it part of a session and other posts are putting it in a cookie. Some are passing it as a hidden field to another page that uses md5() and storing it in the DB (not too secure, I think). And the last one I am familiar with is HTTP authentication.

What is the most secure and efficient way to handle passwords if I do not want to pass it through hidden fields?

Your thoughts are greatly appreciated.
--quan

Posted: Wed Jan 29, 2003 9:47 am
by DeGauss
Tricky question.

Depends on how secure you *really* want things.

For example, this forum has all passwords stored in the user table in an MD5 hash.

When you enter your password to log on, it converts your plain text password into an MD5 and compares it with what's in the database.

Technically you could do the same thing with plain text passwords and if $password===password (=== means IDENTICAL to).

MD5 just adds that extra layer of security in that even if someone steals your encrypted password, they can't use it to log in and do some damage because MD5 will just hash the stolen hash into a new hash.

Best way to store a session hash? Sessions. They're server side, and unless you've set up the session directory to be somewhere other than /tmp or c:\temp they're safe.

So in closing, drink Dr Pepper.

Oh, just a quick question... Has anyone else had any problems installing the mcrypt extension on a windows system?

Posted: Wed Jan 29, 2003 9:54 am
by PingLeeQuan
Thanks DeGauss... I would like to keep the PWD in memory to check against an index that I built to access user data in a file. This file contains information for all users visiting the site (logging in).

Posted: Wed Jan 29, 2003 9:56 am
by DeGauss
Ohhhhhhhhhhh...

You can look at memory handling functions for PHP, or you could use a HEAP type table on MySQL, which is a table in memory rather than a table stored on disk space.

Only problem with HEAP types though is that sometimes session data goes iffy, and the data stored in the table isn't permanent.

Or do you mean you're keeping user information in a file on disk space?

Posted: Wed Jan 29, 2003 10:27 am
by PingLeeQuan
The file is in memory stored on another secure server. That is why I was not too crazy about using sessions. Session IDs can also be hijacked by other hackers.

--quan
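An added example, not code from either poster, putting side by side the unsalted-MD5 check DeGauss describes and a salted, slow-hash check using PHP's own password_hash()/password_verify(), then starting the server-side session quan is wary of in a way that limits what a stolen or planted session ID is worth. The function names and sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread). Two ways of checking a submitted
// password against a stored credential, plus the session step after login.

// Legacy scheme described in the thread: unsalted MD5 kept in the user
// table, compared with the MD5 of what the user typed.
function check_md5(string $submitted, string $storedMd5): bool {
    // hash_equals() compares in constant time; a plain === can leak timing.
    return hash_equals($storedMd5, md5($submitted));
}

// Hardened scheme: password_hash() produces a salted, deliberately slow
// hash (bcrypt by default). Each call draws its own random salt, so two
// users with the same password get different stored values and a stolen
// table cannot be cracked with one precomputed lookup.
function make_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_hash(string $submitted, string $storedHash): bool {
    // password_verify() reads the salt and cost out of the stored string.
    return password_verify($submitted, $storedHash);
}

// Server-side session after a successful check. Regenerating the ID on
// login means an ID the browser carried in before authenticating (one an
// attacker may have planted or observed) is no longer valid afterwards.
function start_logged_in_session(int $userId): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);      // issue a fresh ID, delete the old one
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Constructed sample run (php thisfile.php); the stored hash is created
// here rather than read from a database.
$stored = make_hash('correct horse');
var_dump(check_hash('correct horse', $stored));
var_dump(check_hash('wrong password', $stored));
var_dump(check_md5('abc', md5('abc')));
```

On a real login page the stored hash comes from the user table, and only a successful check_hash() call should be followed by start_logged_in_session().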