I have a login page which is connected with a MySQL database table called tbl_user.
Basically two fields:
user_name & pass_word.
Assume I have saved a user name called 'ABC' & my password is 'aBc123'.
The password should be case sensitive.
When I log in to the system I enter my user name 'ABC' & type my password as 'aBc123'.
But the problem is I can log in to the system when I enter 'abc123'. But my real password is 'aBc123'. So my guess is that the password should be case sensitive.
My server is: Apache/2.2.17 (Fedora)
PHP Version 5.3.6
You should NEVER store a password anywhere. Only a hash, for example:
$s = hash( 'sha512' , $password.'RaNd0mSaLt-378x16y49' ); // store $s in tbl_user, never $password itself
Gopesh wrote:
Hi, you can use md5 also for encrypting the password.

You could, but you shouldn't. As per Apollo's example, use a stronger hash algorithm, at least sha512.

Gopesh wrote:
Hi, you can use md5 also for encrypting the password.... Never store a raw password in the database. Hope that it helps..

md5 hashes, it doesn't encrypt. Encryption implies the result can then be decrypted.
To reiterate what social experiment said, md5 hashing is not suitable for passwords. Use a stronger algorithm!
social_experiment wrote:
use a stronger hash algorithm

flying_circus wrote:
Use a stronger algorithm!

...and append a so-called 'salt' string before hashing, to avoid rainbow table attacks. And preferably (unlike illustrated in my simple example) a salt string that is unique per user, sometimes referred to as 'pepper'. This reduces any brute force attempts to single passwords only (instead of all passwords at once), and avoids revealing that identical passwords are being used by different users.
Gopesh wrote:
Never store a raw password in the database. Hope that it helps..

Never store a password AT ALL - not raw, not cooked, not encrypted, not in Chinese.
Hashing is, unlike encrypting (or translating into Chinese for that matter), a destructive, one-way operation. The original input is lost. Which is what you want here!
The hash of a password is by no means reversible back into the original password. Two equal hashes (one stored in the database, one calculated from whatever was entered in your login form) guarantee* that the password was correct, without revealing anything about the actual password itself.
(* although there's never 100% certainty in life, the probability of two different strings resulting in the same hash is about the same magnitude as some bits being flipped in your server's memory by cosmic rays allowing a user to log in with a random password - that is, completely negligible)
unplugme71 wrote:
Never post what algorithm you are using either!

Knowledge is power, and by knowing more the forum members can help more.
As everyone has been saying, hash passwords before storing. Then when the user enters a password into your form, this is then hashed and COMPARED with the stored hash. Hashes are case-sensitive, as your original requirement stated.
Check out Mordred's tutorial:
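The store-then-compare flow described in the replies above (hash with a per-user salt, then hash the submitted password and compare it with the stored hash), as an added example that is not code from this thread. It uses password_hash()/password_verify(), which need PHP 5.5 or later; on the PHP 5.3.6 from the original post, crypt() with CRYPT_BLOWFISH produces the same bcrypt hashes. The names tbl_user, user_name and pass_word are the ones from the original post; the in-memory SQLite connection is an assumed stand-in so the script runs on its own, and the same SQL works unchanged against MySQL.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5 (password_hash/password_verify).
// tbl_user, user_name, pass_word: names from the original post.
// sqlite::memory: is a stand-in for the poster's MySQL connection so this runs stand-alone.

function createUser(PDO $db, $userName, $password) {
    // bcrypt is slow by design; the random per-user salt is embedded in the ~60-char result,
    // so two users with the same password still get different stored values.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $st = $db->prepare('INSERT INTO tbl_user (user_name, pass_word) VALUES (?, ?)');
    return $st->execute(array($userName, $hash));
}

function checkLogin(PDO $db, $userName, $password) {
    // Only the user name goes into the query. The password is compared in PHP, not in a
    // SQL WHERE clause, so a case-insensitive column collation never gets to compare it.
    $st = $db->prepare('SELECT pass_word FROM tbl_user WHERE user_name = ?');
    $st->execute(array($userName));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: same answer as a wrong password
    }
    // Byte-exact, constant-time comparison against the stored hash.
    return password_verify($password, $row['pass_word']);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tbl_user (user_name VARCHAR(64) PRIMARY KEY, pass_word VARCHAR(255))');

createUser($db, 'ABC', 'aBc123');                // the user from the original post
var_dump(checkLogin($db, 'ABC', 'aBc123'));      // correct password
var_dump(checkLogin($db, 'ABC', 'abc123'));      // the lowercase variant the poster saw succeed
var_dump(checkLogin($db, 'nobody', 'aBc123'));   // user does not exist
```

Only the first checkLogin() call should succeed: the hash of 'aBc123' does not verify against 'abc123', which is the case sensitivity the original post wanted. Nothing in tbl_user can be turned back into the password, and the stored value is never used in a query, only handed to password_verify().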
unplugme71 wrote:
Never post what algorithm you are using either!

unplugme71 wrote:
and also have to worry about security with malicious people lurking the boards

It's still "security through obscurity". I would prefer to post my algorithm here and get security fixes as fast as possible by using posts from other members.