shadowayex Posted September 27, 2010 Share Posted September 27, 2010 I'm looking for a method of hashing, encrypting, or some form of security for a PHP web application I'm building so passwords won't get sent over the internet as plain text. As this application is something that is designed to be distributed, I'm looking for something that can be coded in versus something the user will have to worry about themselves.Does anyone have any ideas? I haven't played with browser-side security before. The most I've done in security is hashing stuff with PHP before storing it into a database.Edit: Upon doing more reading more about this kind of security, it seems creating a dynamic system on my own is looking the most secure. I'm still open to ideas and whatnot, though. So, if there are ideas, please let me know. Link to comment Share on other sites More sharing options...
justsomeguy Posted September 27, 2010 Share Posted September 27, 2010 The best solution is just to use HTTPS, that's what it's for. Any encryption method would be able to be decrypted if anyone cared to do it. You could submit a password that has already been hashed, but PHP won't be able to validate it. Link to comment Share on other sites More sharing options...
wirehopper Posted September 28, 2010 Share Posted September 28, 2010 You could also use: http://httpd.apache.org/docs/2.2/howto/auth.html Link to comment Share on other sites More sharing options...
Synook Posted September 28, 2010 Share Posted September 28, 2010 Note that HTTP authentication does not actually involve encryption of the data stream. Link to comment Share on other sites More sharing options...
birbal Posted October 17, 2010 Share Posted October 17, 2010 The best solution is just to use HTTPS, that's what it's for. Any encryption method would be able to be decrypted if anyone cared to do it. You could submit a password that has already been hashed, but PHP won't be able to validate it.can you please explain it why php cant validate hashed password? Link to comment Share on other sites More sharing options...
justsomeguy Posted October 17, 2010 Share Posted October 17, 2010 PHP can't unhash a password, nothing can. Hash functions are not reversible. Sending a hashed password in plain text is just as insecure as sending an unhashed password in plain text. If your application validates a hashed password then anyone can look at your unencrypted traffic, get the same hash, and send it to your application to log in. At that point it doesn't matter if you're hashing the password or not, people might not know the original password but they can still log in using the hash if that's what you're sending. Using HTTPS to encrypt the traffic stops that from happening. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.