I have completed an entry level programming class, so I do have some programming experience. I can at least grasp concepts that I am going to inquire.
How do you develop a secure username password authentication system?
Where do you store passwords on a web server? I am using godaddy hosting. If passwords are stored, unencrypted, aren't they able to be delved into by hackers? Does storing passwords in some type of file extension keep them secure? If I must encrypt data, how do I do this? I do not know any encryption methods or algorithms. Is there modules or functions available that have these methods.
How do I secure the password entry field so that one may not copy and paste the password onto the notepad or something similar. I am speaking from the user's standpoint not a hackers.
How do I assure that a user automatically logs out when the browser is closed?
If there are tutorials or guides readily available that answer these questions that would be a nice remedy. Also, this is my first post, so I am glad to become part of this forum and hope to help contribute after I do some learning.
Secure username password authentication?
Moderator: General Moderators
Re: Secure username password authentication?
Welcome to the wonderful world of programming!jv1023 wrote:I have completed an entry level programming class, so I do have some programming experience. I can at least grasp concepts that I am going to inquire.
There are many approaches and there's a ton of information as close to you as your keyboard. Take advantage of Google! For example, search for the terms PHP password authentication. You will find dozens of useful tutorials, far more help than you will get from posting in a forum. Forums are good for very specific questions, but not so good for broad understanding.jv1023 wrote: How do you develop a secure username password authentication system?
Usually in a database, such as MySQL or SQLite, both of which are available on godaddy.com, but for a small numbers of users, it could even be stored in a text file on the server. Yes, if you just store a password unencrypted, it is quite vulnerable. See my comments below. No, file extensions make no difference. You can use an .htaccess file to control access to a subdirectory, but that's not something you would normally do to protect passwords.jv1023 wrote: Where do you store passwords on a web server? I am using godaddy hosting. If passwords are stored, unencrypted, aren't they able to be delved into by hackers? Does storing passwords in some type of file extension keep them secure? If I must encrypt data, how do I do this? I do not know any encryption methods or algorithms. Is there modules or functions available that have these methods.
PHP has several built-in functions to make encryption and hashing very easy. Check out sha1(), md5(), crypt() in the manual:
http://be2.php.net/manual/en/function.sha1.php
http://be2.php.net/manual/en/function.md5.php
http://php.net/manual/en/function.crypt.php
For strong encryption, you'll want to learn about using "salt" and random numbers.
The trick is, you NEVER STORE A PASSWORD. You store a digest, or "hashed" version of the password. When the user logs in, you immediately hash their input and compare THAT to what is stored. Thus, it is impossible to recover the original password, either by a hacker or even the administrator.jv1023 wrote: How do I secure the password entry field so that one may not copy and paste the password onto the notepad or something similar. I am speaking from the user's standpoint not a hackers.
If you're talking about on the web form that the user sees, you want to use the HTML format:
Code: Select all
<input type='password' name='pwd' />You usually shouldn't worry about this, since re-opening the browser starts a new session anyway. Managing a login session after the browser is closed is rather difficult (I think it can be done with cookies, but I've never had a situation where this was important).jv1023 wrote: How do I assure that a user automatically logs out when the browser is closed?
Yes, as I said, the web is FILLED with such tutorials. A few of them are even good!jv1023 wrote: If there are tutorials or guides readily available that answer these questions that would be a nice remedy. Also, this is my first post, so I am glad to become part of this forum and hope to help contribute after I do some learning.
Good luck.
Re: Secure username password authentication?
Thank you califdon for the welcome, and I appreciate the help. I will check out google.
Re: Secure username password authentication?
This article contains a detailed overview of the related crypto.