  1. #1

    Understanding Security Issues

    I am designing a web site, and for the first time, in PHP. In no case have I ever had to worry about security until now. So I not only have a basic understanding of the need, I have no experience with the functions and storage of encrypted data.

    When a user logs into a system their password is passed to the server in clear text. If that is not the case then how does the local system encrypt the password before it is sent to the server if there is no code running on the user's computer to do the encryption?

    Once on the server the PHP code will MD5 or SHA-1 or use some other method to encrypt the password. Did I read correctly that an MD5 result is always 32 bytes? Or was it 32 characters?

    Sending the password back to the user for whatever reason will require decrypting before it is sent, so once again the password is traveling in clear text.

    Can someone explain to me how security is supposed to work?
    Scott Stewart
    Always happy to learn from pros.

  • #2
    ess
    You are right in regard to users entering their user name and password in plain text over HTTP protocol.

    Having said that though, you can use TLS or SSL when users are entering their details over HTTP...which would encrypt data before it is sent to your website. If you haven't come across TLS/SSL before, here is a good introduction to TLS/SSL and how it works
    http://en.wikipedia.org/wiki/Transport_Layer_Security

    As for MD5 and SHA-1, they are referred to as Message Digest Algorithm or Hash...which works differently to other cryptographic standards....as they are one way only. Here is another URL that you should have a look at:
    http://en.wikipedia.org/wiki/MD5

    Usually, developers would store users' passwords in the database in hashed format with a salt value. This is done to prevent other users who have access to the database (i.e. people who are maintaining your database, or internal staff) from seeing the users' details in plain text...where they might use this information to pretend that they are that user or something along those lines.

    As for sending lost passwords to users' emails...well, I wouldn't advise you to do that...as you are probably aware....emails themselves are not 100% secure...and as a result, sending lost passwords to email addresses is not a good solution in my opinion.

    Most companies would send an email with a URL when users want to reset their passwords. That URL will be active for a couple of hours...where the user must visit that URL...and will be prompted with questions only that user should know the answer to.

    There are many open source solutions that you can use for this purpose. Here are a couple of URLs that might be useful as a starting point

    http://www.evolt.org/article/PHP_Log...384/index.html

    http://www.devshed.com/c/a/PHP/Creat...-Login-Script/

    Cheers,
    Ess
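
The time-limited reset URL described in the post above, as an added example that is not part of the original thread. The function names, the `example.com` URL and the in-memory array standing in for a database table are assumptions; the two-hour lifetime follows the post's "a couple of hours".

```php
<?php
// Added example: hypothetical helper names; a constructed in-memory
// array stands in for a password_resets database table.

const RESET_TTL_SECONDS = 2 * 3600; // "a couple of hours"

function issue_reset_token(array &$store, int $userId, int $now): string
{
    // 256 bits from the OS CSPRNG; this value goes into the emailed URL.
    $token = bin2hex(random_bytes(32));
    // Store only a hash of the token, so a leaked table holds nothing
    // that can be pasted into a reset URL.
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + RESET_TTL_SECONDS,
    ];
    return $token;
}

function redeem_reset_token(array &$store, string $token, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                 // unknown token, or already redeemed
    }
    $row = $store[$key];
    unset($store[$key]);             // single use, even when it has expired
    return $now <= $row['expires'] ? $row['user_id'] : null;
}

$store = [];
$now   = 1185490440;                 // constructed timestamp
$token = issue_reset_token($store, 42, $now);
echo "https://example.com/reset.php?token=$token\n";

// First use inside the window, then a replay of the same token.
var_dump(redeem_reset_token($store, $token, $now + 600));
var_dump(redeem_reset_token($store, $token, $now + 700));

// A second token redeemed after its lifetime has passed.
$late = issue_reset_token($store, 42, $now);
var_dump(redeem_reset_token($store, $late, $now + 3 * 3600));
```

Only after a successful redeem should the site let the user choose a new password; the old one is never sent anywhere.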

  • #3
    I'm no pro ;-) but you cannot decrypt MD5. If you encrypt a password using MD5, and want to ensure that a user has entered the correct password, you need to encrypt the password using MD5 and compare the two results.

    To transfer data to your PHP page encrypted, the easiest and best way would be to use an SSL (Secure Socket Layer) connection. You could use JavaScript, but if the encryption was reversible, this would still be able to be intercepted on its way to the server! (sorry, but I don't know the proper lingo, lol)

  • #4
    And yeah, MD5 always outputs 32 bytes.

  • #5
    What's a salt value?


  • #6
    ess
    A salt value is a unique random value generated on the fly before encrypting a string.

    http://en.wikipedia.org/wiki/Salt_(cryptography)

    For example, say that you have three users on your website, two of them, Bob and John, use exactly the same password...but none of them knew that they did. The password is 123pas45wrd. If one of your staff or one of the people maintaining your database knew the password that John uses, then they could execute a select statement equal to John's password. That way, they can get all the users who are using the same password..and that person...could log in using different user names to perform unauthorized activities.

    If you use a salt value, and you add the salt value to the password before you hash it using MD5 or SHA-1, then the chances of someone discovering a user's password are limited to one account...and if you are logging IP addresses and other details...you might be able to discover the person behind these activities for example.

    You should also check php openssl http://www.php.net/openssl functions...which you can use to store credit card details in an encrypted format

    Cheers,
    Ess

  • #7
    Pretty much the secure way of handling passwords is to use a one-way encryption like MD5 or SHA1. If the user forgets their password, you reset it to a random value and then tell them what that is so they can go in and change it to something they'll remember.

    Basically any website that tells you what your password was when you go through their lost password steps is probably storing it in clear text. And like mentioned before, one way encryption is good because then people with access to the database can't see what the user's password is.

    And a salt value is explained fairly well here: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
    OracleGuy

  • #8
    Thank you everyone for your input. I have some reading to do. I think I will go the SSL route because there will be credit cards eventually here. I see the lock displayed when I am on an SSL or TLS page and wondered how it was done. I'll learn to use it.
    Scott Stewart
    Always happy to learn from pros.

  • #9
    ess
    By the way, MD5 is not as secure as you might be led to believe. Unless you can guarantee that your users are going to use strong passwords, it is possible to un-hash an MD5 string. That is to say that most people use passwords that they can remember...usually using English-like words that are guessable by using a dictionary for example.

    Check out the following website that does that. (try and enter weak md5 strings or passwords such as 'hello' or '1234pass')
    http://md5.benramsey.com/

    SHA-1 is more secure...but not all systems seem to support it (well, I am sure modern systems do...I am only referring to old OS servers).

    To find out what hashing algorithms your OS Server supports, I suggest that you run the following script

    PHP Code:
    <pre>
    <?php
    // Print every hashing algorithm this PHP build supports
    print_r(hash_algos());
    ?>
    </pre>

    Furthermore, I would suggest that you enforce a strong password policy on your application...to ensure that users are only allowed to create strongly typed passwords...so that reversing a hash algorithm using dictionaries is even harder. Please check the following URL for more information.

    http://www.microsoft.com/protect/you...rd/create.mspx

    You should also check SHA-1 for more information on that too.
    http://en.wikipedia.org/wiki/SHA-1

    Sorry for giving you all these references. I hope that I have not put you off the topic of security.

    Cheers,
    Ess
    Last edited by ess; 07-26-2007 at 11:34 PM.

  • #10
    CFMaBiSmAd
    When "testing" these various MD5 hash value lookup web sites, I recommend that you DON'T enter your actual passwords. At that point in time, you have given someone your public IP address and a password and they can use this information to attempt to break into your network.

    If you did this from a corporate network, where things like email addresses are published on a web site, they can try your password against each email account and see if they can gain access to an email account. Also, network accounts are usually combinations of names, so they can use known employee names and the password you just gave to them to try to gain access to the network as well.

    If you did this from your home and your router's access password is what you just entered, you just gave someone your router's password. If the router's username is the default (usually admin) and remote administration is enabled, they have all the information they need to do whatever they want to your router.

    Also, if the password you just entered looks like it is an actual password and not just someone entering abc123, they will add it to the MD5 database and it might help someone determine your password from an MD5 value on a system that has been broken into.

    To avoid MD5 database/dictionary lookup problems, salt the entered strings before performing the MD5 on them so that they won't appear in these databases. On the off chance that one of your salted MD5 values returns a match through one of these databases (MD5 values are not unique), if someone enters the string they got back and you apply your salt string to it and produce the MD5 of it, it won't match your stored MD5 value.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
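
The salting discussed in posts #6 and #10, as an added example that is not code from any poster in this thread. It uses the thread's Bob and John case; the third user, the word list and the function names are constructed for illustration, and the closing `password_hash()` call is PHP's built-in password hashing function rather than anything the thread mentions.

```php
<?php
// Added example: constructed users and word list; function names are hypothetical.

function unsalted_md5(string $password): string
{
    return md5($password);               // 32 hex characters (16 raw bytes)
}

function salted_record(string $password): array
{
    // A fresh random salt per user, stored in the clear beside the hash.
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function verify_salted(array $record, string $attempt): bool
{
    // Recompute with the stored salt and compare in constant time.
    return hash_equals($record['hash'], md5($record['salt'] . $attempt));
}

// Bob and John share a password, as in post #6.
$users = ['Bob' => '123pas45wrd', 'John' => '123pas45wrd', 'Ann' => 'hello'];

// A precomputed table of the kind behind an MD5 lookup site (constructed word list).
$lookup = [];
foreach (['hello', '1234pass', '123pas45wrd'] as $word) {
    $lookup[md5($word)] = $word;
}

foreach ($users as $name => $password) {
    $plain = unsalted_md5($password);
    $rec   = salted_record($password);
    printf("%-5s unsalted=%s in_table=%s\n", $name, $plain,
        isset($lookup[$plain]) ? 'yes' : 'no');
    printf("%-5s salted  =%s in_table=%s verify=%s\n", $name, $rec['hash'],
        isset($lookup[$rec['hash']]) ? 'yes' : 'no',
        verify_salted($rec, $password) ? 'ok' : 'fail');
}

// PHP 5.5+ ships a purpose-built, deliberately slow password hash that
// generates and embeds its own salt, so no separate salt column is needed.
$stored = password_hash('123pas45wrd', PASSWORD_DEFAULT);
var_dump(password_verify('123pas45wrd', $stored));
```

Compare the two output lines for Bob and John: the unsalted values are the same string, so one `SELECT` finds both accounts, while the salted values differ on every run.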

