case sensitivity in a Password
Hi,
I have a login page which is connected to a MySQL database table called tbl_user.
Basically two fields:
user_name & pass_word.
Assume I have saved a user name called 'ABC' & my password is 'aBc123'.
The password should be case sensitive.
When I log in to the system I enter my user name 'ABC' & type my password as 'aBc123'.
But the problem is I can log in to the system when I enter 'abc123'. But my real password is 'aBc123'. So my guess is that the password should be case sensitive.
My server is: Apache/2.2.17 (Fedora)
PHP Version 5.3.6
MySQL 5.1.56
Re: case sensitivity in a Password
Sounds like you're comparing the password entered in the login form with the password stored in your database (implicitly using some case insensitive collation). WRONG.
You should NEVER store a password anywhere. Only a hash, for example:

    $s = hash( 'sha512' , $password.'RaNd0mSaLt-378x16y49' );

And only store (and compare against) this hash string $s.
Re: case sensitivity in a Password
Hi, you can also use md5 for encrypting the password... Never store the raw password in the database. Hope that it helps.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: case sensitivity in a Password
Gopesh wrote: Hi, you can also use md5 for encrypting the password
You could, but you shouldn't. As per Apollo's example, use a stronger hash algorithm, at least sha512.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: case sensitivity in a Password
Gopesh wrote: Hi, you can also use md5 for encrypting the password... Never store the raw password in the database. Hope that it helps.
md5 hashes, it doesn't encrypt. Encryption implies the result can then be decrypted.
To reiterate what social experiment said, md5 hashing is not suitable for passwords. Use a stronger algorithm!
Re: case sensitivity in a Password
social_experiment wrote: use a stronger hash algorithm
flying_circus wrote: Use a stronger algorithm!
... and append a so called 'salt' string before hashing, to avoid rainbow table attacks. And preferably (unlike illustrated in my simple example) a salt string that is unique per user, sometimes referred to as 'pepper'. This reduces any brute force attempts to single passwords only (instead of all passwords at once), and avoids revealing identical passwords being used by different users.
Re: case sensitivity in a Password
Probably clear by now, but just to emphasize the point,
Gopesh wrote: Never store the raw password in the database. Hope that it helps.
Never store a password AT ALL - not raw, not cooked, not encrypted, not in Chinese.
Hashing is, unlike encrypting (or translating into Chinese for that matter), a destructive, one-way operation. The original input is lost. Which is what you want here!
The hash of a password is by no means reversible back into the original password. Two equal hashes (one stored in the database, one calculated from whatever was entered in your login form) guarantee* that the password was correct, without revealing anything about the actual password itself.
(* although there's never 100% certainty in life, the probability of two different strings resulting in the same hash is about the same magnitude as some bits being flipped in your server's memory by cosmic rays allowing a user to log in with a random password - that is, completely negligible)
- unplugme71
- Forum Newbie
- Posts: 13
- Joined: Wed Jul 13, 2011 2:39 pm
Re: case sensitivity in a Password
Never post what algorithm you are using either!
But yes, use a sha256 or sha512 - just make sure the column supports the proper width (eg. 64)
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: case sensitivity in a Password
unplugme71 wrote: Never post what algorithm you are using either!
Knowledge is power, and by knowing more the forum members can help more.
- unplugme71
- Forum Newbie
- Posts: 13
- Joined: Wed Jul 13, 2011 2:39 pm
Re: case sensitivity in a Password
And you also have to worry about security, with malicious people lurking on the boards.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: case sensitivity in a Password
Mentioning hash lengths should also be taboo then
Re: case sensitivity in a Password
If you know the algorithm being used, you know the length.
As everyone has been saying, hash passwords before storing. Then when the user enters a password into your form, this is then hashed and COMPARED with the stored hash. Hashes are case-sensitive, as your original requirement stated.
Check out Mordred's tutorial:
viewtopic.php?t=62782
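The three points made in this thread (Apollo's first reply: the SQL comparison inherits a case-insensitive collation; his follow-up: use a salt that is unique per user; the post above: hash, store only the hash, compare hashes), worked through as one runnable example. This is added code, not code from the original thread or from any poster. Assumptions: Python's bundled sqlite3 with `COLLATE NOCASE` stands in for a MySQL column using a case-insensitive (`_ci`) collation, which is the likely cause of the original poster's symptom; PBKDF2-HMAC-SHA512 with a random 16-byte per-user salt is this example's choice of password hash (an iterated form of the salted SHA-512 suggested above); the table and column names for the hashed variant (`tbl_user_hashed`, `salt`, `pass_hash`) are made up for the example.

```python
"""Added example (not from the original thread): a login check that goes
wrong under a case-insensitive collation, next to a hashed-password check.

Assumptions: sqlite3 with COLLATE NOCASE stands in for a MySQL column with a
*_ci collation; PBKDF2-HMAC-SHA512 with a random per-user salt is this
example's choice of password hash.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data, taken from the original post.
USER = "ABC"
REAL_PASSWORD = "aBc123"
WRONG_CASE_PASSWORD = "abc123"

PBKDF2_ITERATIONS = 100_000  # assumption: raise until one hash takes ~100 ms on your server


def naive_login(conn, user_name, password):
    """The pattern the symptom points to: the typed password is compared to the
    stored password *inside SQL*. The comparison uses the column's collation,
    so a case-insensitive collation makes the password check case-insensitive."""
    row = conn.execute(
        "SELECT 1 FROM tbl_user WHERE user_name = ? AND pass_word = ?",
        (user_name, password),
    ).fetchone()
    return row is not None


def password_hash(password, salt):
    """Salted, iterated SHA-512 (PBKDF2). Only this value is ever stored."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(conn, user_name, password):
    """Store a fresh random salt and the hash; the password itself is discarded."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO tbl_user_hashed (user_name, salt, pass_hash) VALUES (?, ?, ?)",
        (user_name, salt.hex(), password_hash(password, salt).hex()),
    )


def hashed_login(conn, user_name, password):
    """Look the user up by name only, then compare hashes in application code.
    hmac.compare_digest is byte-exact (hence case-sensitive) and constant-time."""
    row = conn.execute(
        "SELECT salt, pass_hash FROM tbl_user_hashed WHERE user_name = ?",
        (user_name,),
    ).fetchone()
    if row is None:
        return False
    salt, stored = bytes.fromhex(row[0]), bytes.fromhex(row[1])
    return hmac.compare_digest(password_hash(password, salt), stored)


def stored_hash(conn, user_name):
    row = conn.execute(
        "SELECT pass_hash FROM tbl_user_hashed WHERE user_name = ?", (user_name,)
    ).fetchone()
    return row[0]


def build_db():
    conn = sqlite3.connect(":memory:")
    # Plaintext table as in the original post. NOCASE models a *_ci collation.
    conn.execute(
        "CREATE TABLE tbl_user (user_name TEXT COLLATE NOCASE, pass_word TEXT COLLATE NOCASE)"
    )
    conn.execute("INSERT INTO tbl_user VALUES (?, ?)", (USER, REAL_PASSWORD))
    # Hashed table: the user name may stay case-insensitive; the hash is hex
    # text that the database never compares, so its collation is irrelevant.
    conn.execute(
        "CREATE TABLE tbl_user_hashed (user_name TEXT COLLATE NOCASE, salt TEXT, pass_hash TEXT)"
    )
    register(conn, USER, REAL_PASSWORD)
    register(conn, "DEF", REAL_PASSWORD)  # second user with the same password
    return conn


def demo():
    conn = build_db()
    return {
        "naive_correct": naive_login(conn, USER, REAL_PASSWORD),
        "naive_wrong_case": naive_login(conn, USER, WRONG_CASE_PASSWORD),  # the bug: True
        "hashed_correct": hashed_login(conn, USER, REAL_PASSWORD),
        "hashed_wrong_case": hashed_login(conn, USER, WRONG_CASE_PASSWORD),
        "hashed_unknown_user": hashed_login(conn, "nobody", REAL_PASSWORD),
        # per-user salt: same password, different stored hashes
        "distinct_hashes_same_password": stored_hash(conn, USER) != stored_hash(conn, "DEF"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30} {value}")
```

Forcing a binary comparison in the query (MySQL's `BINARY` operator or a `_bin` collation on the column) would make `naive_login` case-sensitive, but it leaves every password readable in the table; moving to `hashed_login` fixes the case problem as a side effect of never letting the database compare passwords at all.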
Re: case sensitivity in a Password
unplugme71 wrote: Never post what algorithm you are using either!
unplugme71 wrote: And you also have to worry about security, with malicious people lurking on the boards.
It's still "security through obscurity". I would prefer to post my algorithm here and get security fixes as fast as possible by using posts from other members.
There are 10 types of people in this world, those who understand binary and those who don't