Password security for my registration

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Doom87
Forum Newbie
Posts: 3
Joined: Wed Aug 15, 2007 8:31 pm

Password security for my registration

Post by Doom87 »

Hello. On my registration page I have:

<input type="password" name="pass"> so that the password is masked.

Then, once the register button has been pressed, I have this:

$md5pass = md5($_POST['pass']);

and the md5pass gets inserted into the database.


How secure would you say this is?
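The following is an added illustration, not the poster's code, of what an attacker does with a table of unsalted md5 hashes like the one the registration code above produces. The rows, the wordlist and the function names are constructed for this example; it needs PHP 7 or later.

```php
<?php
// Added example, not the poster's code: what an attacker does with a table of
// unsalted md5($pass) values. Requires PHP 7 or later.

// Constructed rows of the kind the original registration code would store.
$storedRows = [
    ['user' => 'alice', 'hash' => md5('password')],
    ['user' => 'bob',   'hash' => md5('password')],
    ['user' => 'carol', 'hash' => md5('letmein')],
    ['user' => 'dave',  'hash' => md5('c0rrect-h0rse-b4ttery')],
];

// A constructed wordlist. Real ones hold millions of entries, and md5 is fast
// enough that hashing all of them takes seconds on ordinary hardware.
$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'monkey'];

// Precompute hash => plaintext once; with no salt, the same table works
// against every user in this database and every other unsalted-md5 database.
function buildLookupTable(array $wordlist): array {
    $table = [];
    foreach ($wordlist as $candidate) {
        $table[md5($candidate)] = $candidate;
    }
    return $table;
}

// Each stored hash is then recovered with a single array lookup.
function crackRows(array $rows, array $table): array {
    $cracked = [];
    foreach ($rows as $row) {
        if (isset($table[$row['hash']])) {
            $cracked[$row['user']] = $table[$row['hash']];
        }
    }
    return $cracked;
}

$table = buildLookupTable($wordlist);
foreach (crackRows($storedRows, $table) as $user => $plain) {
    printf("%-5s -> %s\n", $user, $plain);
}

// alice and bob stored the identical hash, so the database itself reveals
// that they share a password before any cracking starts. dave is missed only
// because his password is not in the list, not because md5 protected it.
```

The two properties to notice are that equal passwords give equal stored values, and that one precomputed table serves every unsalted-md5 database in existence; both are what a per-user salt removes.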
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Password security for my registration

Post by superdezign »

Doom87 wrote:How secure would you say this is?
I'd say it is close to the bare minimum, but it *is* generally secure.
Doom87
Forum Newbie
Posts: 3
Joined: Wed Aug 15, 2007 8:31 pm

Post by Doom87 »

Well, do you have any suggestions to make it more secure?
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

Well, it is being hashed, so if any exploit was passed it would be hashed and then made null. However, fields that do not get hashed (user names, e-mail, etc.) need more validation. Personally (as do many others on this forum, and for that fact anyone with common sense) I never trust anything from users and always validate. And a good tip also with user input is to never directly output user data, i.e.


echo $_GET['foo'];
Search the forums; there are tons of examples of user input validation and registration logic. Hope this has helped.
The Phoenix
Forum Contributor
Posts: 294
Joined: Fri Oct 06, 2006 8:12 pm

Post by The Phoenix »

Doom87 wrote:well do you have any suggesstions to make it more secure?
Don't send the cleartext password - it can be sniffed. Hash the password in JS prior to sending.

Salt the password, don't reuse salts, and if all else fails, run over SSL. :)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

ZERO's suggestion, in case it may have confused you, is in regards to security issues beyond your actual passwords (which you likely have, judging by your question).

Also, if you are unsure as to what a salt is (as Phoenix has described), it's text that you add to a password. This could be the same word every time, but it's more secure if you generate different salts per-user. We've had a few discussions on password security. You should search the forums. Mordred's post may prove useful.
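The following is an added example, not code from the thread, making the per-user salt described above concrete and showing the function PHP itself provides for this job. The function names and the `$row` layout are assumptions made for the example; only the POST field name `pass` comes from the original post. It needs PHP 7.1 or later.

```php
<?php
// Added example, not the thread's code. Shows the per-user salt described
// above, and the function PHP provides for this job. Requires PHP 7.1+.
// Function names and the $row layout are assumptions made for this example;
// only the POST field name "pass" comes from the original post.

// Per-user random salt, stored next to the hash. Two users with the same
// password now get different hashes, and a precomputed table built for one
// user does not work on any other.
function saltedMd5Register(string $password): array {
    $salt = bin2hex(random_bytes(16));   // 32 hex characters from the system CSPRNG
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function saltedMd5Verify(string $password, array $row): bool {
    // Constant-time comparison so the check does not leak how many leading
    // characters of the hash matched.
    return hash_equals($row['hash'], md5($row['salt'] . $password));
}

// The salt stops table reuse but not brute force: md5 is fast, so each user's
// hash can still be attacked with billions of guesses per second. password_hash()
// uses a deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT), generates
// its own salt, and embeds algorithm, cost and salt in the returned string.
function register(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// Registration handler for the original form: only the hash is ever stored.
function handleRegistration(array $post): ?string {
    if (!isset($post['pass']) || !is_string($post['pass']) || $post['pass'] === '') {
        return null;   // missing or empty password: reject instead of hashing ''
    }
    return register($post['pass']);
}

// Demonstration on constructed input.
$a = saltedMd5Register('password');
$b = saltedMd5Register('password');
var_dump($a['hash'] !== $b['hash']);            // same password, different stored hashes
var_dump(saltedMd5Verify('password', $a));      // correct password
var_dump(saltedMd5Verify('passw0rd', $a));      // wrong password

$stored = handleRegistration(['pass' => 'c0rrect-h0rse-b4ttery']);
var_dump(login('c0rrect-h0rse-b4ttery', $stored));
var_dump(login('password', $stored));
var_dump(handleRegistration(['pass' => '']));   // rejected input
```

A salt that is the same word every time still stops generic precomputed tables, but a table built against that one site covers all of its users at once, which is why the per-user salt is the stronger choice. Hashing in the browser, as suggested above, does not replace transport encryption: whatever value the browser sends is the value an eavesdropper needs to replay, so it has become the password. SSL/TLS is the fix for sniffing; hashing on the server is the fix for a stolen database, and the two are not interchangeable.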
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

superdezign wrote:ZERO's suggestion, in case it may have confused you, is in regards to security issues beyond your actual passwords (which you likely have, judging by your question).

Also, if you are unsure as to what a salt is (as Phoenix has described), it's text that you add to a password. This could be the same word every time, but it's more secure if you generate different salts per-user. We've had a few discussions on password security. You should search the forums. Mordred's post may prove useful.
You are good at clarification :D I was in a pinch for time. And yes, salts and pre-hashing before sending that information are two very good points as well. There is a really good security tutorial by Mordred on these forums somewhere. It has a wealth of information. I will get it next time I am surfing the forums, if no one else has the link, that is.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Here it is: viewtopic.php?t=62782, and in the comments you'll find linked a tutorial by Maugrim_The_Reaper on how to do client-side hashing for safer transport to the server, as The Phoenix suggested.