
Password Security

Posted: Sat Nov 01, 2008 5:08 pm
by Syntac
What is the best way to store a username/password combination? Just setting the password as a cookie is a terrible idea, I know that. So my current system involves generating a random string (session id; SID for short) and storing it both client- and server-side. If they match, the user is authenticated. A new SID is generated on every login.

This is slightly more secure than the first method I mentioned, because the SID doesn't remain the same. But an attacker could still steal the username and SID cookies.

I'm thinking about implementing a system that stores a different SID for each username/IP combination. For instance: Bob, when logged in from 123.12.123.1, has the SID "8e34h9oi". When logged in from 234.23.234.2, he has "32ep54c1". This is still vulnerable to IP spoofing, though.

So what's the best way of doing this?

Re: Password Security

Posted: Sat Nov 01, 2008 5:19 pm
by s.dot
Hmm, I'm hoping you're storing the username and hashed passwords in a database?

Here are a few things to make it secure:

1. hash the password. (e.g. hash('sha256', $password);)
2. salt the password with a secret constant .. hash('sha256', $mySecretSalt . $password);
3. pepper the password with a user-specific string (stored in db, preferably)... hash('sha256', $mySecretSalt . $password . $userSpecificPepper);
4. A username is half of the login equation. Why not make them log in with email or something that's not displayed anywhere?
5. Session security.. create a fingerprint (hash digest of username, http request, browser, etc) of the user and check against it.
6. Forget the IP matching in your security routine :P
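The storage scheme in points 1 to 4 above, written out as an added example (not code from any poster in this thread): a site-wide secret kept in config rather than the database, a random per-user string stored next to the hash, and a constant-time comparison at login. The names `SITE_SECRET`, `registerUser`, `verifyLogin` and the in-memory `$users` array standing in for a users table are all constructed for this example.

```php
<?php
// Added example of hash + site secret + per-user random string, as in s.dot's list.
// SITE_SECRET, registerUser, verifyLogin and $users are constructed names.
declare(strict_types=1);

// Site-wide secret: lives in configuration, never in the database (assumed value).
const SITE_SECRET = 'replace-with-a-long-random-secret';

// Stand-in for a users table: email => ['salt' => ..., 'hash' => ...]
$users = [];

function hashPassword(string $password, string $userSalt): string
{
    // Same shape as point 3: hash('sha256', secret . password . per-user string)
    return hash('sha256', SITE_SECRET . $password . $userSalt);
}

function registerUser(array &$users, string $email, string $password): void
{
    // 16 random bytes per user, so two users with the same password get different hashes
    $salt = bin2hex(random_bytes(16));
    $users[$email] = ['salt' => $salt, 'hash' => hashPassword($password, $salt)];
}

function verifyLogin(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        // Dummy comparison so an unknown email takes about as long as a wrong password
        hash_equals(hashPassword($password, 'no-such-user'), '');
        return false;
    }
    $row = $users[$email];
    // Constant-time comparison: a plain === stops at the first differing byte
    return hash_equals($row['hash'], hashPassword($password, $row['salt']));
}

// Usage
registerUser($users, 'bob@example.com', 'correct horse battery staple');
var_dump(verifyLogin($users, 'bob@example.com', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'bob@example.com', 'wrong password'));
var_dump(verifyLogin($users, 'nobody@example.com', 'anything'));
```

Note that a single SHA-256 pass is fast by design, so it offers little resistance to offline guessing if the table and the site secret both leak; on PHP 5.5 and later, `password_hash()` and `password_verify()` (bcrypt or Argon2) give the same storage interface with a deliberately slow, salted hash and should be preferred over hand-rolled hashing.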

Re: Password Security

Posted: Sat Nov 01, 2008 5:36 pm
by Syntac
Thanks for the advice. #5 sounds particularly useful.

What do you think about a fresh SID being generated on every page load? (e.g. salting the fingerprint with a random string, then using the hash of that as the new SID)

Re: Password Security

Posted: Sun Nov 02, 2008 12:37 pm
by Mordred
What scottayy said. Except I'm not too hot on #5 - won't harm but won't help either. Your idea on regenerating the SID only makes sense after login, to prevent eventual session fixation. Otherwise it's useless. And anyway PHP has a mechanism for generating and regenerating SIDs. I guarantee you that you can't make a better one. So use the built-in one.

Here's a more elaborate explanation on the password storage problem:
viewtopic.php?f=34&t=62782
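Session handling along the lines of s.dot's point 5 and Mordred's reply, as an added example rather than code from either poster: a fingerprint built from stable request headers (no IP, per point 6), stored in the session at login, checked on every request, and PHP's own `session_regenerate_id()` called once after a successful login rather than on every page load. The function names `clientFingerprint`, `loginSuccess`, `currentUser` and `logout` and the cookie settings are assumptions for this example.

```php
<?php
// Added example: fingerprint check and session id regeneration at login only.
// clientFingerprint, loginSuccess, currentUser, logout are constructed names.
declare(strict_types=1);

// Cookie flags (assumed for this example): not readable from JavaScript, HTTPS only.
// Must be set before session_start().
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function clientFingerprint(): string
{
    // Only values that stay constant for one browser; the client IP is left out
    // on purpose, since it changes behind NAT, proxies and mobile networks.
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash('sha256', $ua . '|' . $lang);
}

function loginSuccess(string $email): void
{
    // Fresh id after authentication: an id handed to the browser before login
    // (session fixation) no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']        = $email;
    $_SESSION['fingerprint'] = clientFingerprint();
}

function currentUser(): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], clientFingerprint())) {
        // Same session id presented from a different browser: drop the session
        session_unset();
        session_destroy();
        return null;
    }
    return $_SESSION['user'];
}

function logout(): void
{
    session_unset();
    session_destroy();
}

// Usage on a login handler, after verifyLogin() (or equivalent) has returned true:
// loginSuccess($email);
// Usage on any protected page:
// $user = currentUser(); if ($user === null) { header('Location: /login'); exit; }
```

Regenerating the id on every page load, as asked about earlier in the thread, adds nothing a stolen cookie cannot also follow and breaks concurrent requests from the same browser; regenerating once at login and again at any privilege change is the part that matters.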