Password protection

[Alex108]

I am writing a php script that collect some information from user and according to that sends data to an outside service. This data include username and password. The page that sends the data is protected by secure login script and also the folder is password protected by hosting. If i understand the situation correctly if somebody wants to know the password he have to read the file. If some hacker or somebody have access to my files there is no way to protect the password, so i think it is don't need any protection. Am i right?

[justsomeguy]

You always need protection. If you're sending that information to a third party, you'll want to make sure you're either using an encrypted protocol like HTTPS, or you're manually encrypting the information yourself so that it can be decrypted on the other end.

[boen_robot]

Protecting the admin page both by a web server authentication and session (script) authentication is somewhat redunant...Instead of storing the plain password (whether it's in a file or DB is out of the point), you could store a hash of it. At login attempt, have the input, and compare it to the hash you have. The hashes will only be equivalent if the passwords are, but if an attacker gets ahold of your file, they won't know your password - they'll just see the hash, and trying to find the password that generated it is not an easy task.

[ShadowMage]

...if an attacker gets ahold of your file, they won't know your password - they'll just see the hash, and trying to find the password that generated it is not an easy task.

I've always wondered about this whole hashing business....If there is a function that produces the hash, certainly, it must not be terribly difficult to write an opposite function that would un-hash it. Right? I've never worked with hashing or encrypting or any of that business (my applications thus far have not required it) so I could be wrong...

[justsomeguy]

No, hash functions map an infinitely large data set (in theory) down to a finite set. So there is no way to expand the hash to the original value. Assume your hash function resulted in only a single hex byte. You might have thousands of values which all get hashed to "B". If you're trying to decode "B", how do you know which original value you started with? There's not enough information there to tell you. Other hash functions work the same way, they just result in a larger hash. You may be able to find another value which results in the same hash, but you won't necessarily find the original (and using a salt would help eliminate collisions).

[Starfall]

If there is a function that produces the hash, certainly, it must not be terribly difficult to write an opposite function that would un-hash it. Right?

No, actually it is very hard to decrypt a hash, though there are several websites which provide the service by storing hashes of many words in their databases, but they will not provide the password if it is something like "1a8djs9m". That is why you should use random passwords. Hashes like "MD5" or "SHA1" are often referred as "undecryptable". That is not right, but it is really hard to decrypt a hash, and there is no method to build a general way for it.

No, hash functions map an infinitely large data set (in theory) down to a finite set. So there is no way to expand the hash to the original value. Assume your hash function resulted in only a single hex byte. You might have thousands of values which all get hashed to "B". If you're trying to decode "B", how do you know which original value you started with? There's not enough information there to tell you. Other hash functions work the same way, they just result in a larger hash. You may be able to find another value which results in the same hash, but you won't necessarily find the original (and using a salt would help eliminate collisions).

Right, but with a proper brute forcing program all results can be scanned out and the correct result might be found if this is a form input. But still, getting the original value is really hard. I agree!

[justsomeguy]

Well, I don't really consider brute force as a way of decrypting. That's just trial-and-error. It's not "difficult" to un-hash a value, it's impossible. If you manage to get a value that hashes to what you're looking for, it's luck. Even the attacks against smaller hashes like MD5 require luck, they've just found methods that reduce the number of times you need to guess down to a minimum. It's still just guesswork though.

[ShadowMage]

No, hash functions map an infinitely large data set (in theory) down to a finite set. So there is no way to expand the hash to the original value. Assume your hash function resulted in only a single hex byte. You might have thousands of values which all get hashed to "B". If you're trying to decode "B", how do you know which original value you started with? There's not enough information there to tell you. Other hash functions work the same way, they just result in a larger hash. You may be able to find another value which results in the same hash, but you won't necessarily find the original

Oh. I see.

using a salt would help eliminate collisions

...but it also rusts your car.

[thescientist]

...but it also rusts your car.

wow.

[iwato]

wow.

Both the md5() and sha1() hash functions are available with PHP, and you may apply a salt to either. My understanding is that the SHA class of hashes is better than MD5.PHP also has a function that permits you to apply just about any hash available; it is the hash() function. This is what I will likely use when I have finally made it so far.Roddy

[thescientist]

my post was in response to SM's joke... i'll edit to convey my "tone"

[Alex108]

You always need protection. If you're sending that information to a third party, you'll want to make sure you're either using an encrypted protocol like HTTPS, or you're manually encrypting the information yourself so that it can be decrypted on the other end.

They (the third party) gave me a script They use sockets and HTTP/1.1 , but password and username are not encrypted.

[justsomeguy]

In that case, anyone monitoring traffic can read the data you're sending.

[Synook]

A lot of the current research into breaking cryptographic hash functions is about looking for ways to make the collision-searching process more efficient, so that a string with an equivalent hash can be found quicker – usually by finding flaws in the mathematics behind the hash that reduces the number of strings to be checked, and also by developing more efficient ways to check lots of strings quickly (e.g. with faster computers). That's why MD5 isn't considered "secure" enough any more – because through such research people have made it possible to find a collision within a reasonable amount of time.

[Alex108]

In that case, anyone monitoring traffic can read the data you're sending.

Agree with you, maybe i should tell it to my client. But you have to have a special equipment for monitoring. But it is not a big money our web service. Why serious criminals could be interested to work with it?

[ShadowMage]

Agree with you, maybe i should tell it to my client. But you have to have a special equipment software for monitoring. But it is not a big money our web service. Why serious criminals could be interested to work with it?

Yes, you need special software to monitor traffic, but this software is often free. And not all criminals are out for money. Some do it just for the sake of destroying.