Noob ?s: plain text pass and other security principles
Posted: Sun Jan 23, 2011 12:25 pm
by djsh823
Hello,
1) If there is a SHORT document that provides answers to these basic intro questions feel free to point me there, I am very much a PHP beginner.
2) If I have a php file that allows POST data to be sent to another file that has a password that accesses a database, wouldn't someone simply be able to read the source, find out what action php file it is and manually read this file's source from the browser (including my password)? What stops people from doing things like that? Putting the file out of the webroot? The permissions on the file? Hashing the password?
3) Is there an easy way to hash plain text passwords so that they are not visible to text readers?
Thank you!
jack
Re: Noob ?s: plain text pass and other security principles
Posted: Mon Jan 24, 2011 10:44 am
by social_experiment
djsh823 wrote:I am very much a PHP beginner.
Have a look at w3schools.com.
djsh823 wrote:If I have a php file that allows POST data to be sent to another file that has a password that accesses a database, wouldn't someone simply be able to read the source, find out what action php file it is and manually read this file's source from the browser (including my password)? What stops people from doing things like that? Putting the file out of the webroot? The permissions on the file? Hashing the password?
If the server you are using is correctly configured, files with the extension .php will be treated as a php document and no php code will be visible (even if you view the source of the page). I don't know if someone can view your password like that though (while you are busy at the terminal), it's more likely to be intercepted somewhere down the line, between you and the server.
djsh823 wrote:Is there an easy way to hash plain text passwords so that they are not visible to text readers?
To 'hash' the values (assuming this is still in line with your previous question) you would probably use javascript to hash before the values are sent to the server. Google HTTPS as well.
Re: Noob ?s: plain text pass and other security principles
Posted: Mon Jan 24, 2011 11:08 am
by djsh823
Thank you very much for your reply. As regards the hash, I was referring to maybe a function that would allow me to not put the password to my database in a plain text file. Maybe just store the hash. Run an MD5 over it or something and just store that? I really don't know. I do know that if you browse a mysql database you can't see the passwords, you only see the hashes; I was wondering if something similar could happen in a .php file.
Re: Noob ?s: plain text pass and other security principles
Posted: Mon Jan 24, 2011 4:12 pm
by social_experiment
Yes, there is something like that, hash(); it would be used as follows: hash($algorithm, $data)
Re: Noob ?s: plain text pass and other security principles
Posted: Tue Jan 25, 2011 1:13 am
by Zyxist
Actually, simple client-side hashing provides only false security. What's the difference between capturing the plain-text password and capturing the hashed version? If you want to use it to log in to the other person's account, you simply send this captured hash instead of the password in a fake login request, and the system won't notice the difference. Some unique per-request token is the absolute minimum, but it won't protect us in all the cases, either.
Simply use SSL - this is the technology designed for secure data transmission. I doubt that you can beat the professional cryptography scientists with home-made ideas.
Re: Noob ?s: plain text pass and other security principles
Posted: Tue Jan 25, 2011 1:23 am
by djsh823
I don't think you understand. I am not worried about the capture (I agree SSL would be a must) so much as having my password in plain-text and having someone view the file by simple web access (though this point may be moot with the above no-viewing-of-php-source discussion). How is it different? Simple. With plain text, the intruder has my password, can try it on other websites, banks, etc. You can't input a password hash into a B of A login page.
Re: Noob ?s: plain text pass and other security principles
Posted: Tue Jan 25, 2011 10:51 am
by social_experiment
Zyxist wrote:Actually, simple client-side hashing provides only false security.
@djsh823 : I think the poster is referring to a hash using javascript, in your form, in case someone can view your source (still don't know if that's possible).
Re: Noob ?s: plain text pass and other security principles
Posted: Tue Jan 25, 2011 11:10 am
by djsh823
Yes. I'm not so concerned about that. I'm worried about this:
http://www.google.com/search?sourceid=c ... 9ac13308b3
If it wasn't a problem, it probably wouldn't be talked about as much.
Re: Noob ?s: plain text pass and other security principles
Posted: Tue Jan 25, 2011 4:20 pm
by social_experiment
Ok, I understand what you have in mind.
Read this url if you haven't already:
http://stackoverflow.com/questions/5686 ... p-constant
Honestly I haven't thought about it because I (mistakenly) always assume my hosting provider will be on top of this (keeping the server 'healthy'). Error on my part.
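The practical answer to the "where does the database password live" question in this thread is to keep it out of every file the web server can serve at all. The following is an added example, not code from any poster: the credentials sit in an ini file outside the document root, and the script under the webroot only loads it. The `/etc/my_app/db.ini` path, the `my_app` name and the sample credential values are assumptions.

```php
<?php
// /etc/my_app/db.ini  (assumed path, OUTSIDE the document root, so the web
// server cannot serve it even if the PHP handler is misconfigured; chmod 640,
// readable only by the web server's user)
// [database]
// host = "localhost"
// user = "app_user"
// pass = "constructed-sample-password"
// name = "app_db"

// /var/www/html/db.php  (inside the document root; contains NO secrets itself,
// so exposing its source reveals only the path of the config file)
function loadDbConfig(string $iniPath = '/etc/my_app/db.ini'): array
{
    if (!is_readable($iniPath)) {
        // Fail closed with a generic message; never echo the path or contents.
        throw new RuntimeException('Database configuration unavailable.');
    }
    $cfg = parse_ini_file($iniPath, true);
    if ($cfg === false || !isset($cfg['database'])) {
        throw new RuntimeException('Database configuration is malformed.');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg['database'][$key])) {
            throw new RuntimeException("Database configuration is missing '$key'.");
        }
    }
    return $cfg['database'];
}

function connectDb(): PDO
{
    $c = loadDbConfig();
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $c['host'], $c['name']);
    // Exceptions instead of warnings: a failed login must not end up printed
    // on an error page together with the DSN. Keep display_errors off in production.
    return new PDO($dsn, $c['user'], $c['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

On shared hosting without access to /etc, the same layout works with a directory one level above public_html; the point is only that no URL maps to the file holding the password.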