case sensitivity in a Password

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ishakya
Forum Commoner
Posts: 40
Joined: Tue Jan 04, 2011 4:58 am

case sensitivity in a Password

Post by ishakya »

Hi,
I have a login page which is connected with a MySQL database table called tbl_user.
Basically two fields:
user_name & pass_word.
Assume I have saved a user name called 'ABC' & my password is 'aBc123'.
The password should be case sensitive.
When I log in to the system I enter my user name 'ABC' & type my password as 'aBc123'.
But the problem is I can log in to the system when I enter 'abc123'. But my real password is 'aBc123'. So my guess is that the password should be case sensitive.

My server is: Apache/2.2.17 (Fedora)
PHP Version 5.3.6
MySQL 5.1.56
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: case sensitivity in a Password

Post by Apollo »

Sounds like you're comparing the password entered in the login form with the password stored in your database (implicitly using some case insensitive collation). WRONG.

You should NEVER store a password anywhere. Only a hash, for example:

Code:

<?php
// Hash the submitted password together with a fixed salt string; $s is what gets stored and compared, never $password.
$s = hash('sha512', $password . 'RaNd0mSaLt-378x16y49');
And only store (and compare against) this hash string $s.
Gopesh
Forum Contributor
Posts: 143
Joined: Fri Dec 24, 2010 12:48 am
Location: India

Re: case sensitivity in a Password

Post by Gopesh »

Hi, you can use md5 also for encrypting the password.... Never store raw password in database. Hope that it helps..
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: case sensitivity in a Password

Post by social_experiment »

Gopesh wrote: Hi, you can use md5 also for encrypting the password
You could but you shouldn't. As per Apollo's example, use a stronger hash algorithm, at least sha512.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: case sensitivity in a Password

Post by flying_circus »

Gopesh wrote: Hi, you can use md5 also for encrypting the password.... Never store raw password in database. Hope that it helps..
md5 hashes, it doesn't encrypt. Encryption implies the result can then be decrypted.

To reiterate what social experiment said, md5 hashing is not suitable for passwords. Use a stronger algorithm!
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: case sensitivity in a Password

Post by Apollo »

social_experiment wrote:use a stronger hash algorithm
flying_circus wrote:Use a stronger algorithm!
and append a so called 'salt' string before hashing, to avoid rainbow table attacks. And preferably (unlike illustrated in my simple example) a salt string that is unique per user, sometimes referred to as 'pepper'. This reduces any brute force attempts to single passwords only (instead of all passwords at once), and avoids revealing identical passwords being used by different users.
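As an added example (not code from this thread or from any poster), the scheme Apollo describes with a random per-user salt, written in Python rather than PHP and going one step further by iterating the salted SHA-512 (PBKDF2); the in-memory stand-in for tbl_user, the iteration count and the function names are assumptions. It also models the original question's bug, a plaintext column compared under a case-insensitive collation, so the two behaviours can be compared side by side.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the tbl_user table from the question:
# user_name -> (salt, hash). A real application stores both columns in MySQL.
TBL_USER = {}

ITERATIONS = 50_000  # assumed work factor; PBKDF2 iterates the salted SHA-512


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated SHA-512 of the password (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def register(user_name: str, password: str) -> None:
    """Store a fresh random per-user salt plus the hash, never the password itself."""
    salt = os.urandom(16)
    TBL_USER[user_name] = (salt, hash_password(password, salt))


def verify(user_name: str, candidate: str) -> bool:
    """Recompute the hash from the submitted password and compare in constant time.

    The comparison is done on raw bytes in application code, so no database
    collation (case-insensitive or otherwise) can influence the result."""
    record = TBL_USER.get(user_name)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal whether the user name exists.
        hash_password(candidate, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def naive_ci_match(stored_password: str, candidate: str) -> bool:
    """Models the bug in the question: a plaintext pass_word column compared
    under a case-insensitive MySQL collation folds case before comparing."""
    return stored_password.lower() == candidate.lower()


if __name__ == "__main__":
    register("ABC", "aBc123")
    print(naive_ci_match("aBc123", "abc123"))  # True: wrong case is accepted
    print(verify("ABC", "aBc123"))             # True: correct password
    print(verify("ABC", "abc123"))             # False: case now matters
```

Because each user gets a different salt, two users who pick the same password end up with different stored hashes, which is the second benefit Apollo mentions.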
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: case sensitivity in a Password

Post by Apollo »

Probably clear by now, but just to emphasize the point,
Gopesh wrote:Never store raw password in database.Hope that it helps..
Never store a password AT ALL - not raw, not cooked, not encrypted, not in Chinese.

Hashing is, unlike encrypting (or translating into Chinese for that matter), a destructive, one-way operation. The original input is lost. Which is what you want here!
The hash of a password is by no means reversible back into the original password. Two equal hashes (one stored in database, one calculated from whatever was entered in your login form) guarantee* that the password was correct, without revealing anything about the actual password itself.

(* although there's never 100% certainty in life, the probability of two different strings resulting in the same hash is about the same magnitude as some bits being flipped in your server's memory by cosmic rays allowing a user to login with a random password - that is, completely negligible)
unplugme71
Forum Newbie
Posts: 13
Joined: Wed Jul 13, 2011 2:39 pm

Re: case sensitivity in a Password

Post by unplugme71 »

Never post what algorithm you are using either!

But yes, use a sha256 or sha512 - just make sure the column supports the proper width (e.g. 64)
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: case sensitivity in a Password

Post by social_experiment »

unplugme71 wrote:Never post what algorithm you are using either!
Knowledge is power and by knowing more the forum members can help more
unplugme71
Forum Newbie
Posts: 13
Joined: Wed Jul 13, 2011 2:39 pm

Re: case sensitivity in a Password

Post by unplugme71 »

and also have to worry about security with malicious people lurking the boards
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: case sensitivity in a Password

Post by social_experiment »

Mentioning hash lengths should also be taboo then ;)
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: case sensitivity in a Password

Post by timWebUK »

If you know the algorithm being used, you know the length.

As everyone has been saying, hash passwords before storing. Then when the user enters a password into your form, this is then hashed and COMPARED with the stored hash. Hashes are case-sensitive, as your original requirement stated.

Check out Mordred's tutorial:

viewtopic.php?t=62782
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: case sensitivity in a Password

Post by VladSun »

unplugme71 wrote:Never post what algorithm you are using either!
unplugme71 wrote:and also have to worry about security with malicious people lurking the boards
It's still "security through obscurity". I would prefer to post my algorithm here and get security fixes as fast as possible by using posts from other members :)
There are 10 types of people in this world, those who understand binary and those who don't