
Posted: Sat Jan 03, 2004 2:27 pm
by cybaf
I've made a login system that does not send the passwords and username over the network in clear text, and it does not require SSL. It is available on evilwalrus.com (however, the version there is an old one). Check it out.

//cybaf

Posted: Sat Jan 03, 2004 11:46 pm
by lazy_yogi
A link would be nice (I assume you already know where it is since it was your code that is posted somewhere there)

Also, if it's an old version, how about offering the new one.

Posted: Sun Jan 04, 2004 5:13 am
by aquila125
I suggest building your own login class.. Perhaps it's a lot of work, but you can use it in your next project...


Have the login page created through PHP and put in a hidden field a randomly generated number (or the current time) (save this number in the Session).. Have the user enter his password and with JavaScript create the md5 hash of the password, then add the random number from the hidden field and create the md5 hash of that combination.. save this information in the password field (overwriting the original password).. send it to the server.
On the server side, get the md5 hashed password from the database (flat file or whatever), add the random number and create the md5 hash of that combination.. compare with the one received from the form.

This is pretty safe.. when login succeeds, save the IP of the logged in user in your Session, and on each page check to see if the IP is still the same as the one used to login (security against session hacking)..

This should be pretty safe.. use SSL and you have another layer of security..

Posted: Sun Jan 04, 2004 7:55 am
by Fredix
Sorry, if I look like a big dumb noob here but what I always wonder about is:
How can this "sniffing" be done?

Posted: Wed Jan 07, 2004 9:43 am
by delorian
aquila125: That is a very interesting solution. You could also add some special protection measures like checking the user's browser or checking the difference between the user and the server time. A hijacker will not have a clue what the user's computer time is. Of course there is some possibility that the first time the user sends its "time" to the server it will be sniffed, but it is the same problem with SSH or SSL.

BTW: cybaf, could you put that link here? evilwalrus is vast and infinite ;) :D

Posted: Thu Jan 15, 2004 9:20 am
by cybaf
OK, sorry guys... here is the link to my script. But remember that this is an old version; I'll put up the new version after this weekend (I'm not at home now). But the link... http://www.evilwalrus.com/viewcode.php?codeEx=478

It is using a MySQL-handling script as well, so if you want to look at that as well the link is as follows: http://www.evilwalrus.com/viewcode.php?codeEx=483

Posted: Thu Jan 15, 2004 3:55 pm
by nufferkay
Hm, some interesting ideas - thanks!

Now, what happens if the user has turned off JavaScript?

-N

Posted: Thu Jan 15, 2004 7:34 pm
by ilovetoast
Then that script won't work properly.....

However, if this is your system, it's no big deal IMHO to tell people to turn on JavaScript to use it. Just put a simple detector out front of everything.

Authentication via PHP is more flexible than htaccess based authentication. Reason enough, IMHO, to go that route.

The whole sniffing question is nonsense. I'm sorry. You aren't running eBay or somesuch. Back up your data regularly and just encrypt your passwords and usernames in transit and don't bother with SSL/tunneling/etc.

Before getting worried about that stuff, just ask yourself... would the handful of people around the computers in question really care enough to install a packet sniffer AND then work to break your encrypted passwords? And if they did, exactly how much effort would it take you to restore to the most recent backup state and change the user name/pass in question? My guess is that honest answers to these questions would probably point you to the conclusion that security won't be a big deal.

peace

Posted: Thu Jan 15, 2004 7:39 pm
by Straterra
aquila125 wrote: I suggest building your own login class.. Perhaps it's a lot of work, but you can use it in your next project...


Have the login page created through PHP and put in a hidden field a randomly generated number (or the current time) (save this number in the Session).. Have the user enter his password and with JavaScript create the md5 hash of the password, then add the random number from the hidden field and create the md5 hash of that combination.. save this information in the password field (overwriting the original password).. send it to the server.
On the server side, get the md5 hashed password from the database (flat file or whatever), add the random number and create the md5 hash of that combination.. compare with the one received from the form.

This is pretty safe.. when login succeeds, save the IP of the logged in user in your Session, and on each page check to see if the IP is still the same as the one used to login (security against session hacking)..

This should be pretty safe.. use SSL and you have another layer of security..

The part about security against session hacking isn't true. I have known people who have found a way (by creating their own network adaptor apps) to change their external IP to appear to be whatever they want it to be.

Posted: Thu Jan 15, 2004 8:00 pm
by ilovetoast
People can hijack sessions, brute force your passwords, install keyloggers on your client's machines, invade your office and steal your computer.

At some point you just have to say... Is that really going to happen? Maybe if you've got some uber-porn/warez site. If you have some everyday business site -- not likely.

If you're really concerned:
Encrypt your passwords and usernames at all times
Modify your passwords and usernames before storage
Use SSL.
Monitor Session IPs.
Monitor random user browser traits for Sessions

And when your paranoia gets the best of you:
Rotate passwords every week
Incorporate biometrics into the auth scheme
Layer htaccess passwords on top of your php passwords
Layer a javascript question on top of that
Require your users to use Macs only on Wed. evenings for access

At some point you will realize that security paranoia is just that, paranoia.

peace