Secure username password authentication?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


jv1023
Forum Newbie
Posts: 2
Joined: Thu Aug 04, 2011 12:11 am

Secure username password authentication?

Post by jv1023 »

I have completed an entry level programming class, so I do have some programming experience. I can at least grasp concepts that I am going to inquire.

How do you develop a secure username password authentication system?

Where do you store passwords on a web server? I am using godaddy hosting. If passwords are stored unencrypted, aren't they able to be delved into by hackers? Does storing passwords in some type of file extension keep them secure? If I must encrypt data, how do I do this? I do not know any encryption methods or algorithms. Are there modules or functions available that have these methods?

How do I secure the password entry field so that one may not copy and paste the password into Notepad or something similar? I am speaking from the user's standpoint, not a hacker's.

How do I assure that a user automatically logs out when the browser is closed?

If there are tutorials or guides readily available that answer these questions that would be a nice remedy. Also, this is my first post, so I am glad to become part of this forum and hope to help contribute after I do some learning.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Secure username password authentication?

Post by califdon »

jv1023 wrote: I have completed an entry level programming class, so I do have some programming experience. I can at least grasp concepts that I am going to inquire.
Welcome to the wonderful world of programming!
jv1023 wrote: How do you develop a secure username password authentication system?
There are many approaches and there's a ton of information as close to you as your keyboard. Take advantage of Google! For example, search for the terms PHP password authentication. You will find dozens of useful tutorials, far more help than you will get from posting in a forum. Forums are good for very specific questions, but not so good for broad understanding.
jv1023 wrote: Where do you store passwords on a web server? I am using godaddy hosting. If passwords are stored, unencrypted, aren't they able to be delved into by hackers? Does storing passwords in some type of file extension keep them secure? If I must encrypt data, how do I do this? I do not know any encryption methods or algorithms. Is there modules or functions available that have these methods.
Usually in a database, such as MySQL or SQLite, both of which are available on godaddy.com, but for a small number of users, they could even be stored in a text file on the server. Yes, if you just store a password unencrypted, it is quite vulnerable. See my comments below. No, file extensions make no difference. You can use an .htaccess file to control access to a subdirectory, but that's not something you would normally do to protect passwords.

PHP has several built-in functions to make encryption and hashing very easy. Check out sha1(), md5(), crypt() in the manual:
http://be2.php.net/manual/en/function.sha1.php
http://be2.php.net/manual/en/function.md5.php
http://php.net/manual/en/function.crypt.php

For strong encryption, you'll want to learn about using "salt" and random numbers.
jv1023 wrote: How do I secure the password entry field so that one may not copy and paste the password onto the notepad or something similar. I am speaking from the user's standpoint not a hackers.
The trick is, you NEVER STORE A PASSWORD. You store a digest, or "hashed" version of the password. When the user logs in, you immediately hash their input and compare THAT to what is stored. Thus, it is impossible to recover the original password, either by a hacker or even the administrator.

If you're talking about on the web form that the user sees, you want to use the HTML format:


<input type='password' name='pwd' />
which automatically produces asterisks or big dots as the user keys in the password.
jv1023 wrote: How do I assure that a user automatically logs out when the browser is closed?
You usually shouldn't worry about this, since re-opening the browser starts a new session anyway. Managing a login session after the browser is closed is rather difficult (I think it can be done with cookies, but I've never had a situation where this was important).
jv1023 wrote: If there are tutorials or guides readily available that answer these questions that would be a nice remedy. Also, this is my first post, so I am glad to become part of this forum and hope to help contribute after I do some learning.
Yes, as I said, the web is FILLED with such tutorials. A few of them are even good! :) Google is your friend! I recommend that you begin any search for tutorials with the language or software product you're using, followed by one or more words that narrow down the particular issue you want to learn about. Thus, you might search for javascript arrays or php headers or html forms tutorials or mysql joins. Adding the word 'tutorials' tends to filter out all the forum replies that mention the topic, but may not be at all comprehensive.

Good luck.
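The hash-and-compare flow califdon describes, as an added example written for this page and not code from the thread, using PHP's later-added password_hash()/password_verify() rather than md5()/sha1(): those two are fast digests built for integrity checks, so anyone who obtains the stored hashes can test guesses at very high speed, whereas bcrypt is salted and deliberately slow. It also shows the session-cookie setting that answers the log-out-on-close question; the user store is an in-memory array standing in for a database table, and the usernames and passwords are constructed sample values.

```php
<?php
// Added example, not code from the thread. Store only a salted, deliberately
// slow password hash (bcrypt via PHP's built-in password_hash(), which picks a
// random salt and embeds it in the result) and check a login by hashing the
// submitted password again with password_verify().
declare(strict_types=1);
$users = []; // stand-in for the users table (constructed sample data)

function registerUser(array &$users, string $username, string $password): void
{
    // Only the hash is kept; the plaintext password is never written anywhere.
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function loginUser(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Unknown user: still do bcrypt work so the reply is not noticeably
        // faster than for a real user and does not reveal which names exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return false;
    }
    $hash = $users[$username]['hash'];
    if (!password_verify($password, $hash)) {
        return false;
    }
    // If the stored hash used an older cost setting, upgrade it now, while
    // the plaintext is available in memory.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function startLoginSession(string $username): void
{
    // lifetime 0 gives a session cookie that the browser discards when it is
    // closed, which is the "log out when the browser closes" behaviour asked
    // about above; 'secure' => true assumes the site is served over HTTPS.
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true,
                               'secure' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true); // fresh session id on login, against fixation
    $_SESSION['user'] = $username;
}

registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));
```

Run it from the command line to see the three login attempts evaluated; startLoginSession() is only meaningful inside a web request, so it is defined but not called here.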
jv1023
Forum Newbie
Posts: 2
Joined: Thu Aug 04, 2011 12:11 am

Re: Secure username password authentication?

Post by jv1023 »

Thank you califdon for the welcome, and I appreciate the help. I will check out google.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Secure username password authentication?

Post by Mordred »

This article contains a detailed overview of the related crypto.