MD5'ing Passwords

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

I'm storing the users' passwords in a MySQL database.

Is it really all that secure and/or necessary to MD5 the passwords? Or is it perfectly safe to leave them in plain text?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

What if someone gained access to your server? --or-- what if a disgruntled employer/partner/developer/whatever opened up the database and stole a bunch of passwords? At least if you have them encrypted they are relatively safe from being stolen.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Hashing them will ensure that if somebody does get into your database, they won't know all your users' passwords. If that is what you are asking.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think the security of hashed passwords comes from interaction between the script and the data source. If someone actually gets into your database, there is nothing to stop them from running a simple ...

UPDATE `users` SET `password` = 1

... and changing everyone's password to 1 (or some other arbitrary value). I think the hashing has more practical security application in the passing of data between the script and the database. If someone did change passwords in the database, but the code is still checking an MD5 (or some other hashed value), then passing a 1 through the script will fail, unless the hacker enters this ...

UPDATE `users` SET `password` = MD5('1')

... but even this will cause a failure if your hashing mechanism is not a common hash application like MD5 or SHA1.

Just my opinion.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

At that point you'll notice something has gone wrong and your server has been hijacked.. however.. if you have the passwords plaintext the thief will remain undetected. Even still, what if someone walking by your computer happens to glance over at your screen with phpmyadmin open and quickly jots down the user/pass..?
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Direct access to the raw code and to the MySQL database will be limited to me and me only.

However, the disgruntled employee making all the accounts' passwords set to one will be difficult, seeing as how the interface I'm giving them will only be able to set one account at a time.
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Jcart wrote: At that point you'll notice something has gone wrong and your server has been hijacked.. however.. if you have the passwords plaintext the thief will remain undetected. Even still, what if someone walking by your computer happens to glance over at your screen with phpmyadmin open and quickly jots down the user/pass..?

Unlikely... seeing as everything is done remotely and no passwords are saved on my browser..... and I have an over 30 character password.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Not to sound harsh, but what is your beef with not using md5? Perhaps you may never have a problem, but perhaps you may.. and at that point you can hit your head on the desk asking yourself why you didn't encrypt the passwords when you found out that several users' accounts have been hijacked (including your own) :wink:
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Just less fuss and muss.

I have no beef particularly, but if the only real gain in doing so is safeguarding from direct access in PHPMySQL, then I see no need in it; besides, I can always implement it later.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

It takes about 5 characters to hash your passwords.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

IMO, not hashing the passwords in a database is irresponsible and downright lazy. Why wouldn't somebody do it? It takes one extra function. It's not like customers are going to care if you have to reset their password when THEY forget it. I can't think of one reason not to hash the passwords.
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

So the overall vote... is yes.... do it..?

Alrighty...

*begins to chop code*
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

It doesn't take a whole lot... just wrap all of your password checks in sha1() or sha256() (feyd's script - not a standard PHP function)
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You need to update the database as well as the code base. The database needs to be updated for all users so that their current password becomes MD5('password') so that when the code checks if (md5($_POST['password']) == $row['password']) it evaluates properly. Otherwise none of your users are going to get in.

PS Yes, you should hash your passwords. It adds a small amount of security to your data and your code, which always makes users feel more comfortable about using your site.
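
The migration and login check described in the post above, as an added example that is not part of the original thread. It swaps PHP's built-in password_hash() and password_verify() in for md5(), uses a constructed in-memory $users array in place of the MySQL table, and the function names migrate_rows and check_login are hypothetical.

```php
<?php
// Added example. $users is constructed data standing in for the `users` table.
$users = [
    ['name' => 'alice', 'password' => 'correct horse'], // plaintext, pre-migration
    ['name' => 'bob',   'password' => 'hunter2'],
];

// One-time migration. password_hash() (salted, deliberately slow) is swapped in
// for the thread's md5(); the password column should hold up to 255 characters.
function migrate_rows(array $rows): array
{
    foreach ($rows as $i => $row) {
        // Skip values that already parse as a password_hash() result, so the
        // migration can be re-run after a partial failure without double hashing.
        if (empty(password_get_info($row['password'])['algo'])) {
            $rows[$i]['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
        }
    }
    return $rows;
}

// Login check. password_verify() re-derives the hash using the salt stored in
// the value and compares in constant time. It replaces the loose comparison
// md5($_POST['password']) == $row['password'], where == can treat two
// different digests of the form 0e<digits> as equal numbers.
function check_login(array $rows, string $name, string $candidate): bool
{
    foreach ($rows as $row) {
        if ($row['name'] === $name) {
            return password_verify($candidate, $row['password']);
        }
    }
    return false;
}

$users = migrate_rows($users);
var_dump(check_login($users, 'alice', 'correct horse')); // correct password
var_dump(check_login($users, 'alice', 'hunter2'));       // another user's password
var_dump($users === migrate_rows($users));               // second run is a no-op

// The UPDATE `users` SET `password` = 1 case from earlier in the thread:
// a stored value that is not a valid hash never verifies.
$tampered = $users;
$tampered[1]['password'] = '1';
var_dump(check_login($tampered, 'bob', '1'));
```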
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

All done and works....

Thanks guys