
Problem with log in form


Cyber_Entity


I am unsure if I should post this here or PHP. Sorry if in wrong place.


Alright, I made a create-profile form. I can create a profile and save all the user information I want. I hashed the passwords with:

    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
    $salted_password = $user_password_password . $salt;
    $hashed_password = hash('sha256', $salted_password);

I then insert it into the database, storing the $hashed_password and $salt. The problem is, when I try to log in I either always get "invalid password" or I always get "valid password".

    if(isset($_POST['login'])){
        $login_errors = "";
        $login_messages = "";
        $user_username = mysqli_real_escape_string($connect, $_POST['user_username']);
        $user_password = mysqli_real_escape_string($connect, $_POST['user_password']);

        if(empty($user_username) || empty($user_password)){
            $login_errors .= "Error:\n Username and password are required to login.\n";
        }

        if($result = mysqli_query($connect, "SELECT User_Username FROM Profiles WHERE User_Username = '$user_username'")){
            if(mysqli_num_rows($result) == 0){
                $login_errors .= "Error:\n Username/Password is invalid.\n";
            }
            mysqli_free_result($result);
        }

        if($result = mysqli_query($connect, "SELECT User_Salt FROM Profiles WHERE User_Username = '$user_username'")){
            if(mysqli_num_rows($result) == 0){
                $login_errors .= "Error:\n Salt is invalid.\n";
            }else{
                $salt = implode(mysqli_fetch_row($result));
                $salted_password = $user_password . $salt;
                $hashed_password = hash('sha256', $salted_password);
            }
            mysqli_free_result($result);
        }

        if($result = mysqli_query($connect, "SELECT User_Password FROM Profiles WHERE User_Username = '$user_username'")){
            if(mysqli_num_rows($result) == 0){
                $login_errors .= "Error:\n Username/Password is invalid.\n";
            }else{
                $password = implode(mysqli_fetch_row($result));
                if($password == $hashed_password){
                    $login_messages .= " Password is valid.\n";
                }
            }
            mysqli_free_result($result);
        }
    }

I have printed the $salt and $hashed_password from the database and the newly generated ones. They are an exact match.

I tried many different combinations. "SELECT * FROM Profiles WHERE User_Username = '$user_username' AND User_Password = '$hashed_password'" is the code that is supposed to work.

My $salt is stored as VARCHAR(64) and $hashed_password is stored as BINARY(64).


Yeah, but so what? Do you think that storing it as binary data would grant some sort of protection?

Doesn't it? When storing it as binary, the database shows it as a blob, compared to char showing the whole hash. I mean, I am still learning, but that is just what I read.


That doesn't matter. There are any number of functions to use to convert the data any way you want. If someone has full access to your database then you've already lost that fight. The point is to keep people out of your database in the first place and use strong hashing, not try and store data using a data type that a small fraction of people using a database wouldn't be able to figure out how to read.

As far as hiding hashes goes in general, here's a hash value that, if you can reverse, will give you admin access to all of my applications:

6df5f468c6372b028286630674901d35936ebdbb1eb930151cb4ef4cbe9b562ed1fe9568c93dbbbeb1c6a9ab48f9cc6f632f641f91f20c895a57350c07d2efda
There's no trouble in making something like that public on its own, and I don't particularly care if an attacker can even dump my entire users table; I wouldn't consider passwords to be at risk. The very point of using a hash is to still make it difficult for an attacker to determine any passwords even if they get the hashes and the salts. The above hash isn't of any use to you because you don't know what the starting salt is, and you don't know which hashing algorithms I've run 10,000 times to generate the above hash.

Even if everything was compromised, even if I gave you the specific algorithm and also the starting salt, your computer would be able to generate no more than 4 password tries per second (assuming you have 16 Xeon cores like our web servers do). That's 240 tries per minute, or 14,400 tries per hour. If you're only trying passwords with uppercase and lowercase letters and numbers (no symbols or spaces), then you need 218,340,105,584,896 attempts to try every possible 8-character password. At a rate of 4 per second, that's going to take you 15,162,507,332 hours, or just under 1,730,879 years (although computers will probably increase in power over the next 1.7 million years). That's just for all 1 to 8-character passwords. I'll make it easier for you and tell you that the password that the above hash goes to is between 8 and 15 characters, so you can skip anything less than 8 characters. That should save a million years or so. Although the actual password does use symbols, so you're going to need to expand the possible alphabet. In fact, our application lets you use any character you want in a password, so that might complicate matters a bit.

The point of all of this is that you need to use a strong hash, not try and hide your hashes or salts. The best hash is one in which, given all information, an attacker still cannot reverse in any sane amount of time.

This is the modern way that PHP does password hashing:
http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/
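Added example (not code from anyone in the thread): the manual sha256-plus-salt pattern from the original post, tightened up, next to the password_hash()/password_verify() approach the last reply links to, both wired to an in-memory SQLite table through PDO so it runs offline. Table and column names follow the thread; the 255-character column width, the function names, the sample users and the need for the pdo_sqlite extension are assumptions.

```php
<?php
// Added example, not the poster's code. Two login implementations side by side:
// the fast-hash-plus-separate-salt pattern from the post (legacy*) and the
// slow, self-salting password_hash() pattern. Table/column names follow the
// thread; the 255-char width and sample users are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE Profiles (
    User_Username VARCHAR(64)  PRIMARY KEY,
    User_Password VARCHAR(255) NOT NULL,  -- password_hash() output (60 chars for bcrypt today)
    User_Salt     VARCHAR(64)  NULL       -- only used by the legacy sha256 rows
)');

// --- Legacy pattern from the post: fast hash, separate salt column ------------------
function legacyRegister(PDO $db, string $user, string $pw): void
{
    $salt = bin2hex(random_bytes(32));   // random_bytes() stands in for mcrypt_create_iv()
    $hash = hash('sha256', $pw . $salt);
    $db->prepare('INSERT INTO Profiles (User_Username, User_Password, User_Salt) VALUES (?, ?, ?)')
       ->execute([$user, $hash, $salt]);
}

function legacyLogin(PDO $db, string $user, string $pw): bool
{
    // One bound query fetches hash and salt together; no string-built SQL.
    $st = $db->prepare('SELECT User_Password, User_Salt FROM Profiles WHERE User_Username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // rtrim() strips the 0x00 right-padding MySQL adds when a BINARY(n) column is
    // wider than the stored hash; hash_equals() is a constant-time compare, unlike ==.
    $stored = rtrim($row['User_Password'], "\0");
    return hash_equals($stored, hash('sha256', $pw . $row['User_Salt']));
}

// --- Modern pattern: slow hash with salt, algorithm and cost embedded in the string --
function register(PDO $db, string $user, string $pw): void
{
    // The raw password goes straight to the hash function. It is never passed
    // through mysqli_real_escape_string(): escaping rewrites characters such as
    // ' and \, so the hash would depend on whether that request escaped it.
    $hash = password_hash($pw, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO Profiles (User_Username, User_Password) VALUES (?, ?)')
       ->execute([$user, $hash]);
}

function login(PDO $db, string $user, string $pw): bool
{
    $st = $db->prepare('SELECT User_Password FROM Profiles WHERE User_Username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the request
    // takes about as long either way and does not confirm which usernames exist.
    $stored = ($row === false) ? password_hash('no-such-user', PASSWORD_DEFAULT)
                               : $row['User_Password'];
    if (!password_verify($pw, $stored) || $row === false) {
        return false;
    }
    // Re-hash on successful login if PASSWORD_DEFAULT or its cost has moved on
    // since the row was written, so old rows get upgraded without a migration.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE Profiles SET User_Password = ? WHERE User_Username = ?')
           ->execute([password_hash($pw, PASSWORD_DEFAULT), $user]);
    }
    return true;
}

// Constructed sample users; the quote and backslash in the password show that
// bound parameters need no escaping and the hash still matches.
register($db, 'alice', "p4ss'word \\ with quotes");
echo 'alice, right password:  ', var_export(login($db, 'alice', "p4ss'word \\ with quotes"), true), PHP_EOL;
echo 'alice, wrong password:  ', var_export(login($db, 'alice', 'wrong'), true), PHP_EOL;
echo 'unknown user:           ', var_export(login($db, 'nobody', 'anything'), true), PHP_EOL;

legacyRegister($db, 'bob', 'hunter2');
echo 'bob, legacy sha256 path: ', var_export(legacyLogin($db, 'bob', 'hunter2'), true), PHP_EOL;
```

The legacy path is kept only to show what the post's three separate queries collapse to once the hash and salt are fetched by one prepared statement and compared with hash_equals(); the reply's point stands, which is that sha256 is fast enough that an attacker who dumps the table can try billions of guesses per second, whereas password_hash() uses a deliberately slow algorithm with its own random salt, so a separate salt column and any attempt to hide the hash in a BINARY column buy nothing.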
