How secure is this

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

php_wiz_kid wrote: Devnetwork says our best bet is using the crypt() function.
I'm not sure how you can claim that you're not trying to speak for anybody when you clearly are. Others are justified in chiding you for this.

Regardless, this is a very poor suggestion.

Basically, because of recent discoveries regarding the MD5 algorithm, you're suggesting that everyone return to DES, an algorithm that was broken nearly a decade ago. You really think this is a good idea?

Even the book Cracking DES was published in 1998.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

On an unrelated note:
They could be guessing people's passwords, although that seems a bit unlikely. =/
Actually, it's very likely. Remember, in any fairly secure system, the user is often the weakest link.

Sorry, it's a bit of an out-of-nowhere post.
RaH
Forum Newbie
Posts: 2
Joined: Fri Nov 25, 2005 12:51 pm

Post by RaH »

I know I'm very late on this, but I have a few questions.

You never mentioned what avenue you thought they were using to gain access. Why would you first look at your login?
If it is your login, are you sure they are not using the old ' OR '' = ' injections?

Is it possible that they are using injection somewhere else to actually read your database, and it just so happened that these two accounts had very weak passwords? Is it possible that these two accounts' passwords were just guessed?

Other than a monkey-in-the-middle attack or an attacker using XSS on your users, the script looks solid.
Amuro Hajime
Forum Newbie
Posts: 2
Joined: Thu Oct 19, 2006 8:05 pm

automatic salt for crypt

Post by Amuro Hajime »

I currently use the crypt() function set to MD5 without a salt. I am kind of confused at the moment because when I read the php.net entry for crypt() it says:
If the salt argument is not provided, one will be randomly generated by PHP each time you call this function.
So when I go: $hash = crypt("mypassword");

Is that the same as using md5 with a salt (if crypt was set to use MD5)? I don't want to get into a debate on how secure MD5 is, but I would like to use a salt with it, and it seems that if PHP is randomly generating one in crypt() then that would be more secure than me having a $salt variable that I defined lying around for someone to look at when they hack my site.
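The salt question above has a concrete answer: crypt() embeds the salt in the string it returns, so nothing has to be stored beside the hash. This is an added illustration, not code from any post in the thread; it uses only standard PHP functions (random_int, crypt, hash_equals) and the MD5-crypt salt format "$1$" that the php.net manual documents.

```php
<?php
// Added example, not part of the original thread.
// Shows that crypt()'s salt travels inside the hash it returns, so verification
// needs no separately stored $salt variable.

// Build an MD5-crypt salt: "$1$" + 8 characters from [./0-9A-Za-z] + "$".
// Drawn with random_int(), a CSPRNG, so each call yields a fresh salt.
function make_md5_crypt_salt(): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return '$1$' . $salt . '$';
}

// Hash a password with an explicit, freshly generated salt.
// Since PHP 5.6 omitting the salt raises a notice and since 8.0 it is mandatory,
// so the salt is always passed here rather than left to crypt() to pick.
function hash_password(string $password): string {
    return crypt($password, make_md5_crypt_salt());
}

// Verify: the stored hash doubles as the salt argument, because crypt() reads
// the "$1$<salt>$" prefix from it and ignores the trailing digest.
// hash_equals() compares in constant time to avoid leaking via timing.
function verify_password(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample input (the password from the question above).
$stored = hash_password('mypassword');
echo "stored hash: ", $stored, PHP_EOL;        // format: $1$<8 salt chars>$<22 digest chars>
echo "salt part:   ", substr($stored, 0, 12), PHP_EOL;

// Correct password verifies against the stored string alone; a wrong one does not.
var_dump(verify_password('mypassword', $stored));
var_dump(verify_password('wrongpassword', $stored));

// Hashing the same password twice gives different strings, because the salt differs.
var_dump(hash_password('mypassword') === hash_password('mypassword'));
```

MD5-crypt is shown only because it is the scheme the question asks about; on current PHP releases, password_hash() and password_verify() embed a salt in the same self-describing way and use bcrypt by default, so they are the preferred replacement for a hand-built crypt() salt.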
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Thread necromancy is a definite no-no :wink:

Please start a new thread, and if need be, reference this thread with a link.

Thread locked.