User signup, best practice

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

MrKaizer
Forum Newbie
Posts: 2
Joined: Wed Aug 09, 2006 9:39 am

Post by MrKaizer »

I've read this very fine tutorial on authentication viewtopic.php?t=38810 by maugrim - and I've implemented it successfully. No problems there. My concern is about the signup process.

Basically, part of the principle of the authentication, as I understand it, is that neither the password nor the hash of the password is sent, so replay attacks cannot be performed. The user sends sha(user:sha(pass):server-challenge). However, if an attacker sniffed sha(pass) (or a plain-text pass) during registration, he could easily create such a reply to the server (I guess?) - he would have the user and sha(pass) from the signup, and the server-challenge is sent with the login form. It wouldn't take the five minutes till timeout for the attacker to assemble sha(user:sha(pass):server-challenge)?

Is this an unavoidable risk, are there some measures that can be taken to reduce the risk, or have I misunderstood something, so it is not really a risk at all? Or maybe there is a better way than the obvious to do registration, which I haven't thought of at all?

Security is important to me; however, signing up and logging in shouldn't require all too many steps, if unavoidable.

Thanks in advance.
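The challenge-response scheme the post describes, simulated end to end as an added example (this is not code from maugrim's tutorial or from this thread). It assumes "sha" means SHA-1, that the server stores exactly sha(pass) after signup, and that each challenge is single-use; the class and function names are made up for the illustration. The point it makes is the one the question raises: a replayed old response fails against a fresh challenge, but whoever holds sha(pass) can answer any challenge, so the stored hash is a password-equivalent and the signup transport needs the same protection as the login.

```python
import hashlib
import hmac
import secrets


def sha(data: str) -> str:
    # Assumption: the tutorial's "sha" is SHA-1 over the UTF-8 text.
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


class AuthServer:
    """Toy server side of sha(user:sha(pass):challenge) authentication."""

    def __init__(self) -> None:
        self.users = {}       # username -> sha(pass), as received at signup
        self.challenges = {}  # username -> outstanding single-use challenge

    def register(self, user: str, pass_hash: str) -> None:
        # At signup the client sends sha(pass); on a plain HTTP connection
        # this value is visible to anyone on the path.
        self.users[user] = pass_hash

    def issue_challenge(self, user: str) -> str:
        # Fresh random challenge per login attempt (sent with the login form).
        challenge = secrets.token_hex(16)
        self.challenges[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() makes the challenge single-use, which is what defeats replay.
        challenge = self.challenges.pop(user, None)
        if challenge is None or user not in self.users:
            return False
        expected = sha(f"{user}:{self.users[user]}:{challenge}")
        return hmac.compare_digest(expected, response)


def client_response(user: str, password: str, challenge: str) -> str:
    # The legitimate browser-side computation: it needs the real password.
    return sha(f"{user}:{sha(password)}:{challenge}")


def response_from_stored_hash(user: str, pass_hash: str, challenge: str) -> str:
    # The same computation starting from sha(pass) instead of the password.
    # This is why a sha(pass) value observed at signup (or read from the
    # credential store) is as good as the password for this scheme.
    return sha(f"{user}:{pass_hash}:{challenge}")


def demo() -> dict:
    """Run the three cases from the question; returns outcome per case."""
    server = AuthServer()
    user, password = "alice", "correct horse battery staple"  # constructed

    # Signup: client sends sha(pass); an observer on an unencrypted link
    # would see exactly this value.
    observed_at_signup = sha(password)
    server.register(user, observed_at_signup)

    # Case 1: normal login with the password.
    c1 = server.issue_challenge(user)
    r1 = client_response(user, password, c1)
    legitimate = server.verify(user, r1)

    # Case 2: replaying the earlier response against a new challenge.
    c2 = server.issue_challenge(user)
    replayed = server.verify(user, r1)

    # Case 3: answering a new challenge using only the value seen at signup.
    c3 = server.issue_challenge(user)
    r3 = response_from_stored_hash(user, observed_at_signup, c3)
    from_captured_hash = server.verify(user, r3)

    return {
        "legitimate": legitimate,
        "replayed": replayed,
        "from_captured_hash": from_captured_hash,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Running it shows the legitimate login accepted, the replay rejected and the login built from the captured sha(pass) accepted. The challenge only stops reuse of a previous response; it does nothing for a credential that leaked before the challenge existed, so the protection for signup has to come from the transport (TLS for both the registration and login pages), not from the hashing scheme.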
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SSL.
MrKaizer
Forum Newbie
Posts: 2
Joined: Wed Aug 09, 2006 9:39 am

Post by MrKaizer »

Alright thanks, I'll consider that.