
Password security for my registration

Posted: Wed Aug 15, 2007 8:51 pm
by Doom87
Hello. On my registration page I have:

<input type="password" name="pass"> so that the password is masked.

Then, once the register button has been pressed, I have this:

$md5pass = md5($_POST['pass']);

and $md5pass gets inserted into the database.


How secure would you say this is?

Re: Password security for my registration

Posted: Wed Aug 15, 2007 9:07 pm
by superdezign
Doom87 wrote: How secure would you say this is?
I'd say it is close to the bare minimum, but it *is* generally secure.

Posted: Wed Aug 15, 2007 9:23 pm
by Doom87
Well, do you have any suggestions to make it more secure?

Posted: Wed Aug 15, 2007 9:35 pm
by Z3RO21
Well, it is being hashed, so if any exploit was passed it would be hashed and then made null. However, fields that do not get hashed (user names, e-mail, etc.) need more validation. Personally (as do many others on this forum, and for that matter anyone with common sense), I never trust anything from users and always validate. A good tip with user input is to never directly output user data, i.e.


echo $_GET['foo'];
Search the forums; there are tons of examples of user input validation and registration logic. Hope this has helped.

Posted: Wed Aug 15, 2007 9:58 pm
by The Phoenix
Doom87 wrote: Well, do you have any suggestions to make it more secure?
Don't send the cleartext password - it can be sniffed. Hash the password in JS prior to sending.

Salt the password, don't reuse salts, and if all else fails, run over SSL. :)

Posted: Thu Aug 16, 2007 5:38 am
by superdezign
ZERO's suggestion, in case it may have confused you, is in regards to security issues beyond your actual passwords (which you likely have, judging by your question).

Also, if you are unsure as to what a salt is (as Phoenix has described), it's text that you add to a password. This could be the same word every time, but it's more secure if you generate different salts per-user. We've had a few discussions on password security. You should search the forums. Mordred's post may prove useful.
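An added example (not code from the thread) of the per-user salt that The Phoenix and superdezign describe above, written in PHP and keeping the thread's md5() so that only the effect of the salt changes. The function names and the idea of a salt column stored next to the hash are assumptions for illustration; the two users and their shared password are constructed input.

```php
<?php
// Added example, not from the thread: per-user salted password storage.
// Assumed layout: the users table carries a salt column beside the hash column.

declare(strict_types=1);

// Generate a fresh random salt for one user. Salts are never reused between users.
function makeSalt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // random_bytes() is PHP >= 7.0
}

// Hash the way the thread does (md5 over the input) but with the salt prepended.
// The salt is stored next to the hash so the same computation can be repeated at login.
function saltedHash(string $salt, string $password): string
{
    return md5($salt . $password);
}

// Registration: returns the two columns you would INSERT for this user.
function registerUser(string $password): array
{
    $salt = makeSalt();
    return ['salt' => $salt, 'hash' => saltedHash($salt, $password)];
}

// Login: recompute with the stored salt and compare in constant time,
// so the comparison itself does not leak how many leading bytes matched.
function verifyPassword(array $record, string $password): bool
{
    return hash_equals($record['hash'], saltedHash($record['salt'], $password));
}

// Constructed demo: two users who happen to pick the same password.
$alice = registerUser('hunter2');
$bob   = registerUser('hunter2');

// Unsalted md5 produces identical rows for identical passwords, so one cracked
// or looked-up hash exposes every user who chose that password.
var_dump(md5('hunter2') === md5('hunter2'));
// With per-user salts the stored hashes differ even though the passwords match,
// and a stolen hash for one user says nothing about the other.
var_dump($alice['hash'] === $bob['hash']);
// Verification still works for the right password and fails for a near miss.
var_dump(verifyPassword($alice, 'hunter2'));
var_dump(verifyPassword($alice, 'Hunter2'));
```

The salt is not a secret; it only has to be unique per user and stored alongside the hash. Note that salting addresses only the "same password, same hash" problem the thread is discussing: md5 itself is very fast to brute-force, and current PHP ships password_hash() and password_verify(), which generate a per-user salt and use a deliberately slow hash, so in new code those replace the hand-rolled pair above.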

Posted: Thu Aug 16, 2007 1:20 pm
by Z3RO21
superdezign wrote: ZERO's suggestion, in case it may have confused you, is in regards to security issues beyond your actual passwords (which you likely have, judging by your question).

Also, if you are unsure as to what a salt is (as Phoenix has described), it's text that you add to a password. This could be the same word every time, but it's more secure if you generate different salts per-user. We've had a few discussions on password security. You should search the forums. Mordred's post may prove useful.
You are good at clarification :D I was in a pinch for time. And yes, salts and pre-hashing before sending that information are two very good points as well. There is a really good security tutorial by Mordred on these forums somewhere. It has a wealth of information. I will get it next time I am surfing the forums, if no one else has the link, that is.

Posted: Fri Aug 17, 2007 5:39 am
by Mordred
Here it is: viewtopic.php?t=62782, and in the comments you'll find linked a tutorial by Maugrim_The_Reaper on how to do client-side hashing for safer transport to the server, as The Phoenix suggested.