Valhalla Legends Forums Archive | Web Development | Web Security

FrostWraith
Hi everyone.

I just got hired for a new web design job and wanted your input for the best secure login system. In the past I have just mainly used php sessions/cookies.  I would prefer any tips to be for php, but I am happy for any input.  Also, how and where is the best place to store passwords. I traditionally have always md5ed them and stored them in a MySQL database.

Thanks
October 14, 2006, 8:41 PM
Quarantine
That's usually what I do (in a nutshell). You're going to need to get a teeny bit less general in what you're looking for.
October 14, 2006, 9:41 PM
rabbit
Hmm.. use sha1, not md5. It's just a different function name, and is a lot harder to collide.
October 14, 2006, 10:58 PM
indulgence
You definitely want to store the passwords as a stronger hash (SHA-1 or better). Why not MD5? http://www.gdataonline.com/

Also, cookies are fine. But you will want to secure your users from XSS or CSRF attacks. If there is any action that modifies their account in any way, think about requiring user interaction (CAPTCHA?). And be sure to sanitize any user input strings. (Definitely want to encode <> to say the least.)

It's amazing what kind of vulnerabilities are out there....
November 16, 2006, 5:57 AM
CrAzY
There is more to security than password encryptions... Try making your registration file secure by using email confirmation, IP address logging, etc... Be sure that you include a minimal length on the password, such as... 5. I would also think about setting up some sort of log that is stored in MySQL of login attempts, so you can limit the trials of logging into the account (to prevent brute-forcers). Also be sure there are no loose holes in your actual site where some user could implement their code to inject data into your SQL db.

That's all I can think of off the top of my head...
November 17, 2006, 1:46 AM
St0rm.iD
Just because you hashed the password in the database doesn't mean it isn't vulnerable to common password attacks. Lots of times, if your database gets hijacked, one can precompute the hashes of many common passwords and bruteforce them. Use a salted SHA-1 to reduce these attacks (essentially append a random string at the end of the password before hashing it, and store that string in the database).
March 17, 2007, 12:56 AM
Barabajagal
Personally, I'm a fan of a fun technique. Use an XOR encryption to encrypt the password using the username as the key. Then SHA-256 hash the result of that.
March 17, 2007, 1:22 AM
Ersan
A salted md5 or (if you must) sha1 hash is more than adequate... Salting renders rainbow attacks ineffective. If someone's gained access to your database you probably have more important things to worry about than stolen passwords that will take ages to bruteforce.
March 18, 2007, 11:50 AM
Networks
[quote author=Ersan link=topic=15872.msg166878#msg166878 date=1174218655]
A salted md5 or (if you must) sha1 hash is more than adequate... Salting renders rainbow attacks ineffective. If someone's gained access to your database you probably have more important things to worry about than stolen passwords that will take ages to bruteforce.
[/quote]

I second this, always salt your hashes and certainly do IP session checks in your cookies to prevent XSS and use tokens in your forms to prevent CSRF. Always escape your SQL queries, I might advise you to use a MySQL escaping wrapper if you can so for future projects this is a trivial thing to worry about.

My .02 cents.
March 21, 2007, 9:43 PM
St0rm.iD
Why does everyone ignore me?
March 23, 2007, 11:51 PM
Ersan
I was just responding to realityripple's post...
March 24, 2007, 6:42 AM
Networks
[quote author=Banana fanna fo fanna link=topic=15872.msg166835#msg166835 date=1174092997]
Just because you hashed the password in the database doesn't mean it isn't vulnerable to common password attacks. Lots of times, if your database gets hijacked, one can precompute the hashes of many common passwords and bruteforce them. Use a salted SHA-1 to reduce these attacks (essentially append a random string at the end of the password before hashing it, and store that string in the database).
[/quote]

If you appended a randomized string, how could you compare the hash later?
March 24, 2007, 11:02 PM
Topaz
LOL.
March 25, 2007, 12:06 AM
Ersan
[quote author=Banana fanna fo fanna link=topic=15872.msg166835#msg166835 date=1174092997]
and store that string in the database
[/quote]
March 25, 2007, 12:15 PM
Networks
[quote author=Ersan link=topic=15872.msg167228#msg167228 date=1174824940]
[quote author=Banana fanna fo fanna link=topic=15872.msg166835#msg166835 date=1174092997]
and store that string in the database
[/quote]
[/quote]

Wow, completely missed that part. Eh, I think you're set without that kind of overhead honestly. I'd worry about actually hardening your code first.
March 25, 2007, 11:50 PM
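As an added example (not code from the thread), here is the salted-hash scheme St0rm.iD describes, written in PHP since that is what the original poster asked about, including the login-time comparison Networks asked about: the per-user salt is stored beside the hash, so it can be re-applied when the user logs in. The function names and the in-memory "users table" are made up for illustration; it assumes PHP 7 or later for `random_bytes()` and `hash_equals()`.

```php
<?php
// Added example, not from the thread. Salted password storage and verification.
// Assumes PHP 7+ (random_bytes, hash_equals). Function names are made up.

// Registration: generate a fresh random salt for this user, hash salt+password,
// and return both values for storage in the user's database row.
function make_password_record(string $password): array {
    $salt = bin2hex(random_bytes(16));           // 32 hex chars, unique per user
    $hash = hash('sha256', $salt . $password);   // salt prepended, then hashed
    return ['salt' => $salt, 'hash' => $hash];
}

// Login: re-read the stored salt, recompute the hash the same way, and compare
// in constant time so the comparison itself leaks nothing about the stored hash.
function check_password(string $password, array $record): bool {
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);
}

// Constructed demo data standing in for a MySQL users table keyed by username.
$users = [];
$users['alice'] = make_password_record('correct horse');
$users['bob']   = make_password_record('correct horse');

// Two users with the same password get different salts and therefore different
// stored hashes, so one precomputed (rainbow) table cannot crack both at once.
var_dump($users['alice']['hash'] !== $users['bob']['hash']);

// The salt in alice's row lets the login check succeed for the right password
// and fail for a wrong one.
var_dump(check_password('correct horse', $users['alice']));
var_dump(check_password('wrong password', $users['alice']));
```

A salt defeats precomputed tables but not a fast per-user brute force, because SHA-256 (like MD5 and SHA-1) is cheap to compute; on PHP 5.5 or later the built-in `password_hash()` and `password_verify()` (bcrypt) handle salting and a deliberately slow hash for you.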