Password Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Password Security

Post by Syntac »

What is the best way to store a username/password combination? Just setting the password as a cookie is a terrible idea, I know that. So my current system involves generating a random string (session id; SID for short) and storing it both client- and server-side. If they match, the user is authenticated. A new SID is generated on every login.

This is slightly more secure than the first method I mentioned, because the SID doesn't remain the same. But an attacker could still steal the username and SID cookies.

I'm thinking about implementing a system that stores a different SID for each username/IP combination. For instance: Bob, when logged in from 123.12.123.1, has the SID "8e34h9oi". When logged in from 234.23.234.2, he has "32ep54c1". This is still vulnerable to IP spoofing, though.

So what's the best way of doing this?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: Password Security

Post by s.dot »

Hmm, I'm hoping you're storing the username and hashed passwords in a database?

Here's a few things to make it secure:

1. hash the password. (e.g. hash('sha256', $password);)
2. salt the password with a secret constant .. hash('sha256', $mySecretSalt . $password);
3. pepper the password with a user-specific string (stored in db, preferably)... hash('sha256', $mySecretSalt . $password . $userSpecificPepper);
4. A username is half of the login equation. Why not make them login with email or something that's not displayed anywhere?
5. Session security.. create a fingerprint (hash digest of username, http request, browser, etc) of the user and check against it.
6. Forget the IP matching in your security routine :P
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: Password Security

Post by Syntac »

Thanks for the advice. #5 sounds particularly useful.

What do you think about a fresh SID being generated on every page load? (e.g. salting the fingerprint with a random string, then using the hash of that as the new SID)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Password Security

Post by Mordred »

What scottayy said. Except I'm not too hot on #5 - won't harm but won't help either. Your idea on regenerating the SID only makes sense after login, to prevent eventual session fixation. Otherwise it's useless. And anyway PHP has a mechanism for generating and regenerating SIDs. I guarantee you that you can't make a better one. So use the built-in one.

Here's a more elaborate explanation on the password storage problem:
viewtopic.php?f=34&t=62782
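An added example, not code from any of the posters, putting s.dot's hash/salt/pepper points and Mordred's advice to use PHP's built-in session handling into one login routine. It assumes a PDO connection and a `users` table with `id`, `email` and `password_hash` columns, and substitutes PHP's `password_hash()`/`password_verify()` for the hand-rolled sha256 scheme, since those generate and store a per-user random salt for you.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, email, password_hash).
// Uses password_hash()/password_verify() rather than hash('sha256', $salt . $pw), and
// PHP's own session id generation with session_regenerate_id() after login.

function register_user(PDO $pdo, string $email, string $password): void
{
    // password_hash() picks a random per-user salt and embeds it in the stored string,
    // so no separate secret constant or per-user pepper column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

function login_user(PDO $pdo, string $email, string $password): bool
{
    // Hash of a throwaway value, verified against when the email is unknown so the
    // response time does not reveal which emails are registered.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = $row['password_hash'] ?? $dummyHash;
    if (!password_verify($password, $stored) || $row === false) {
        return false;
    }

    // Transparently upgrade old hashes when PASSWORD_DEFAULT's algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }

    // Cookie flags limit theft of the session cookie via script access or plain HTTP.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
        session_start();
    }
    // Swap the session id at login so an id set before authentication (session
    // fixation) is discarded; no need to regenerate on every page load.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['id'];
    return true;
}
```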