username/password encryption help.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


phazorRise
Forum Contributor
Posts: 134
Joined: Mon Dec 27, 2010 7:58 am

username/password encryption help.

Post by phazorRise »

I've written code to store usernames and passwords in a database. Usernames are stored as they are, in string format, and passwords are hashed with a randomly generated integer of variable length.
Is this a good method to encrypt passwords against the possible threat of rainbow tables and brute-force attacks? Well, I used sha1 for hashing the passwords.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: username/password encryption help.

Post by social_experiment »

phazorRise wrote: Well, I used sha1 for hashing the passwords.
phazorRise wrote: And passwords are hashed with a randomly generated integer of variable length.
Is this a good method to encrypt passwords against the possible threat of rainbow tables and brute-force attacks?
It is a good idea to use a salt (and even a pepper). It's a better idea to have the hash that you store be updated after each login with a new salt. The security section contains a few discussions about this specific topic.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
phazorRise
Forum Contributor
Posts: 134
Joined: Mon Dec 27, 2010 7:58 am

Re: username/password encryption help.

Post by phazorRise »

social_experiment wrote: It's a better idea to have the hash that you store be updated after each login with a new salt.
Umm, I didn't get that. :?
This is what I'm doing right now:

Code:

$data['key']  = md5(rand(1000, 99999));             // salt: md5 of a random integer
$data['pass'] = sha1($data['key'] . $data['pass']); // stored value: sha1(salt . password)
So here, the salt is md5($data['key']). What's the way you're suggesting? :?:
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: username/password encryption help.

Post by social_experiment »

phazorRise wrote: What's the way you're suggesting?
Assume the hash for a password is 1234 and the salt is 5678. If I log in with the correct details, a new salt is generated (0123) and after that the new hash for the password will be 3456, so if my password hash was known (the 1234 hash), it is now changed, along with the salt. If this is already your method then you are on a better path.

Lastly, you should only use md5 for...nothing.
(link: is md5 broken?)
phazorRise
Forum Contributor
Posts: 134
Joined: Mon Dec 27, 2010 7:58 am

Re: username/password encryption help.

Post by phazorRise »

Yes, that would be better. :wink:
Well, I'm using md5 just to create a hash out of some random number. I guess it's alright to use it here. ( :?: )
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: username/password encryption help.

Post by social_experiment »

phazorRise wrote: I guess it's alright to use it here.
It comes down to personal choice, probably; if you are aware of the risks and you still use it, then only you can be held responsible for any issues arising from the matter.
phazorRise
Forum Contributor
Posts: 134
Joined: Mon Dec 27, 2010 7:58 am

Re: username/password encryption help.

Post by phazorRise »

Well, after your previous post I did something like:

Code:

$data['key']  = str_rot13(sha1(rand(1000, 99999)));           // salt derived from a random integer
$data['pass'] = hash('sha256', $data['key'] . $data['pass']); // algorithm name must be a quoted string
and I'm also changing the salt after each login.
I'm aware of what might happen if I use just md5, so I changed the code a bit. At first I was planning to use a timestamp as the salt, but then I thought it'd be better to use a random-number hash and, as you suggested, change it on each login, which will be safer. :)
Another thing I'm worried about is cookies and sessions. They both need to be handled carefully. Still finding the way. :banghead:
Edit: I guess we can't do anything else apart from deciding where to store them and applying hashes.
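The following is an added example, not code from this thread. It puts together the two points made above: social_experiment's scheme of replacing the stored hash with a freshly salted one after every successful login, and the pepper kept in a separate file that phazorRise later mentions. The hashing itself is a swapped-in technique: PHP's password_hash()/password_verify() (bcrypt), which generates and embeds its own random salt and is deliberately slow, instead of sha1/sha256 over a random number. The `users` table, the in-memory SQLite database and the pepper value are assumptions made so the script runs offline.

```php
<?php
// Added example (not the thread's code). Assumes a `users` table with the
// columns username and pass_hash; SQLite in memory stands in for the real DB.
declare(strict_types=1);

// In production, require a config file outside the web root that defines this.
const PEPPER = 'CHANGE-ME-placeholder-pepper'; // placeholder, not a real secret
const BCRYPT_COST = 12;

// Pre-hash the password with an HMAC keyed by the pepper. The output is 64 hex
// characters, which stays under bcrypt's 72-byte input limit.
function prehash(string $password): string
{
    return hash_hmac('sha256', $password, PEPPER);
}

function storeNewUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates its own random salt and embeds it in the result.
    $hash = password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns true on success. On success the stored hash is replaced by one made
// with a new salt, which is the "new salt after each login" idea from the thread.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify(prehash($password), $row['pass_hash'])) {
        return false;
    }
    $fresh = password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $upd = $pdo->prepare('UPDATE users SET pass_hash = ? WHERE username = ?');
    $upd->execute([$fresh, $username]);
    return true;
}

// Offline demo with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

storeNewUser($pdo, 'alice', 'correct horse battery staple');
$before = $pdo->query("SELECT pass_hash FROM users WHERE username = 'alice'")->fetchColumn();

var_dump(login($pdo, 'alice', 'wrong password'));               // wrong password
var_dump(login($pdo, 'alice', 'correct horse battery staple'));  // correct password

$after = $pdo->query("SELECT pass_hash FROM users WHERE username = 'alice'")->fetchColumn();
var_dump($before !== $after);                                    // hash rotated after login
```

Because bcrypt stores its salt inside the hash string, the schema needs no separate salt column; the re-hash on login is what rotates it. The pepper lives in code (or a config file), not in the database, so a dump of the `users` table alone cannot be tested offline against candidate passwords.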
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: username/password encryption help.

Post by social_experiment »

Yes, the problem wasn't with the method for creating the random token but rather with the hash used.
phazorRise wrote: Another thing I'm worried about is cookies and sessions. They both need to be handled carefully. Still finding the way.
Edit: I guess we can't do anything else apart from deciding where to store them and applying hashes.
Cookies are the more difficult of the two to secure and use securely; unless you use https, but still the cookie can be viewed and possibly even modified. IMO the easiest part of this chain to strengthen is where the checking is done to see if the cookie / session is indeed a valid one.
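As an added example (not part of this thread), here is one way to do what the reply above calls the easy part to strengthen: the check that decides whether a cookie is valid. The browser holds a random token, the database stores only a hash of it (so a leaked table does not yield usable cookies), and the comparison uses hash_equals() so it takes the same time whichever byte differs. The `auth_tokens` table, the in-memory SQLite database, the 30-day lifetime and the cookie name are assumptions; the cookie flags are PHP's own setcookie() options (PHP 7.3 or later).

```php
<?php
// Added example (not from the thread). Assumes an `auth_tokens` table with the
// columns selector, validator_hash, user_id, expires; SQLite in memory is used
// so the script runs offline.
declare(strict_types=1);

const TOKEN_BYTES = 32;
const TOKEN_TTL   = 30 * 24 * 3600; // 30 days, an assumed policy
const COOKIE_NAME = 'remember';     // assumed cookie name

// Issue a token as selector:validator. The selector is only a lookup key; the
// validator is the secret, and only its SHA-256 is written to the database.
function issueToken(PDO $pdo, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(TOKEN_BYTES));
    $stmt = $pdo->prepare(
        'INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + TOKEN_TTL]);
    return $selector . ':' . $validator;
}

// Validate a cookie value. Returns the user id, or null if the cookie is
// malformed, unknown, expired, or its validator does not match the stored hash.
function checkToken(PDO $pdo, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // reject anything that is not two hex strings
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash against the hash of what the client sent.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Send the cookie so it is only transmitted over https, is hidden from scripts,
// and is not attached to cross-site requests.
function setAuthCookie(string $value): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Offline demo with constructed data (setAuthCookie() is not called here, since
// the CLI has no HTTP response to attach a header to).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

$cookie = issueToken($pdo, 42);
var_dump(checkToken($pdo, $cookie));          // genuine cookie
var_dump(checkToken($pdo, $cookie . '0'));    // altered validator
var_dump(checkToken($pdo, 'not-a-token'));    // malformed value
```

Splitting the token into a selector and a validator means the database lookup is by a non-secret key, so the only secret comparison left is the hash_equals() call; with https plus the Secure, HttpOnly and SameSite flags, the cookie is neither readable over plain http nor by page scripts.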
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: username/password encryption help.

Post by Mordred »

Read the article in my sig, see if it answers something for you, ask again if there are more questions.
phazorRise
Forum Contributor
Posts: 134
Joined: Mon Dec 27, 2010 7:58 am

Re: username/password encryption help.

Post by phazorRise »

Mordred wrote: Read the article in my sig, see if it answers something for you, ask again if there are more questions.
Thanks for the link.
That's a wonderful post. It cleared most of my doubts. I was not using a pepper in my code, so now I've added a strong pepper and put it in a separate file.
Thanks again.