I just started teaching myself PHP about a week ago and was surprised at how many people recommend hashing a password when using PHP. I thought that PHP was invisible to the receiving feature, i.e. you cannot view the PHP code embedded in a website, so even if you just use (pseudo code)
    if ($pass == 'password') {
        // /login.php
    } else {
        // repeat
    }
that will be invisible to the user. Therefore, using encryption, especially hashing algorithms, seems like a major waste of time, space, and processing power. Unless it is possible for someone to view your php script but that would mean that they also have server side access so they could view the password file as well.
Basically, to sum it all up, is there any valid reason to use hash encryption for a php site?
Why use a hash?
It is not because someone could see the code.
If you are saving passwords in a database or any other place (which you probably will do), then you should always hash them before saving.
If you save passwords just as they are, then an administrator will be able to see them by accessing the database (or if someone steals the database), then log in as any user and impersonate him (is this correct? I need a dictionary).
A few weeks ago there was a very interesting article here from one of the forum members about password saving, hashing, etc.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
The article is still in draft (I have yet to find time to work on it further) and it discusses mainly attack scenarios on stored passwords. The reader is expected to be familiar with password hashing, so you'd better first read something on the matter, for example this:
http://phpsec.org/articles/2005/password-hashing.html
The article itself is here: viewtopic.php?t=62782
Since after reading these you'll be a first-timer with hashing, I would love to hear and discuss whatever (if anything) that you had troubles understanding - so that I may clarify what needs to be explained in more detail.
thanks
That helps, I am not new to hashing, I know what it is and how to beat it(it may be a one-way encryption but that doesn't mean it is infallible, getting plain text from a hash is really not that difficult depending on the methods and other features.) I understood the need for hashing in a truly secure environment such as OS passwords where the end user has hard-access to the files and folders, it just seems to me like hashing in PHP where the code is invisible would be like throwing a combination lock on the white house, sure it is more secure but it is really quite pointless. I look forward to reading the articles, however, and continuing to learn PHP
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
superdezign wrote: Is it invisible in your database? No.
I will add, "Is it invisible in your code?" - No!
Even if you keep the secret hardcoded in your PHP code (which is inflexible and impractical if you want more than one user) can you absolutely, 100% guarantee that it would remain invisible? I have seen many examples of this not being true.
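The two points made in this thread, that an administrator or a thief can read the stored passwords out of the database, and that the PHP source itself is not guaranteed to stay invisible, can be seen directly in code. The script below is an added illustration, not code from any post above. It stands in for the database with two in-memory arrays (one storing passwords as typed, one storing bcrypt hashes via the real PHP functions password_hash() and password_verify(), available since PHP 5.5) and uses constructed user names and passwords.

```php
<?php
// Added example, not from the original thread.
// Shows why a copied users table (or a leaked config/source file holding a
// hash) does not let the thief log in when passwords are stored hashed.
// Assumes PHP >= 5.5 for password_hash()/password_verify().

declare(strict_types=1);

// Constructed stand-ins for a database table: user => stored credential.
$plaintextTable = [];
$hashedTable    = [];

// What the original poster proposed: store the secret exactly as typed.
function registerPlaintext(array &$table, string $user, string $password): void
{
    $table[$user] = $password;
}

// Recommended: store a salted bcrypt hash. The returned string carries the
// algorithm, cost and a random salt, so the same password hashes differently
// for every user.
function registerHashed(array &$table, string $user, string $password): void
{
    $table[$user] = password_hash($password, PASSWORD_DEFAULT);
}

function loginPlaintext(array $table, string $user, string $password): bool
{
    // hash_equals() avoids a timing side channel on the string comparison.
    return isset($table[$user]) && hash_equals($table[$user], $password);
}

function loginHashed(array $table, string $user, string $password): bool
{
    // password_verify() re-hashes the submitted password with the salt and
    // cost embedded in the stored hash and compares in constant time.
    return isset($table[$user]) && password_verify($password, $table[$user]);
}

function report(string $label, bool $ok): void
{
    printf("%-55s %s\n", $label, $ok ? 'login accepted' : 'login rejected');
}

$secret = 'correct horse battery staple'; // constructed sample password

registerPlaintext($plaintextTable, 'alice', $secret);
registerHashed($hashedTable, 'alice', $secret);

// Normal operation: the real user gets in under both schemes.
report('plaintext table, real password', loginPlaintext($plaintextTable, 'alice', $secret));
report('hashed table, real password',    loginHashed($hashedTable, 'alice', $secret));

// The thread's scenario: a DBA, or someone holding a stolen dump, reads the row.
$stolenPlain = $plaintextTable['alice'];
$stolenHash  = $hashedTable['alice'];

// With plaintext storage the stolen value IS the password, so it works as-is.
report('plaintext table, value copied from the DB', loginPlaintext($plaintextTable, 'alice', $stolenPlain));

// With hashing the stolen value is only the hash. The login path hashes
// whatever is submitted, so pasting the hash back into the form fails.
report('hashed table, value copied from the DB', loginHashed($hashedTable, 'alice', $stolenHash));

// Same password for a second user: the rows differ because of the random
// salt, so the thief cannot even tell which accounts share a password.
registerHashed($hashedTable, 'bob', $secret);
printf("alice and bob share a password; stored rows identical: %s\n",
    $hashedTable['alice'] === $hashedTable['bob'] ? 'yes' : 'no');
```

The same reasoning covers the "is it invisible in your code?" point: if the check is written against a hash rather than against the literal password, a leaked copy of the script (a backup file served as text, a misconfigured handler that returns raw PHP, a repository pushed somewhere public) exposes the hash but not the credential, and the hash alone cannot be replayed through password_verify().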