ThePsion5 Posted April 17, 2006
Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! -Sean
pulpfiction Posted April 17, 2006
Hi, check out the link below; it uses part of the hashed password as the "salt": http://www.phpit.net/article/handling-passwords-safely-php/
ThePsion5 Posted April 17, 2006 Author
Ok, I took a look at the article and decided to use a method similar to this one to encrypt the password client-side:

    // Replaces the password field with md5(password + username) before the form is sent.
    // md5() is the JavaScript MD5 function supplied by the linked article.
    function hash_password() {
        var username = document.getElementById('username');
        var password = document.getElementById('password');
        var securePass = md5(password.value + username.value);
        document.getElementById('password').value = securePass;
    }

Calling this function on submit should encrypt the password with a salt unique to each user before sending it to the server. But this raises another problem: since the JavaScript password encryption is client-side, can't a potential attacker instantly gain the salt just by viewing the login page's source code?
pulpfiction Posted April 17, 2006
Oh, I didn't know that you are going to use client-side scripting (JavaScript), then I guess it's not gonna work, but anything you do on the client side can be viewed by the user, so it's better you do it with PHP. There was a discussion in our forum about ways to hide JavaScript code from the client, you may get an idea from it.
ThePsion5 Posted April 17, 2006 Author
The article you mentioned used client-side scripting... I suppose there's no way around that if I want the password encrypted before it even hits the server, lol. It's just a possibility I've been considering. I also like the idea of using a timestamp as a salt and then checking to make sure no more than x seconds have elapsed, but that might be complex as well. Thanks for the help though. -Sean
pulpfiction Posted April 17, 2006
That's weird, the article I provided seems to have the code in PHP... how come I don't see any JavaScript? This is the code in that article...

    <?php
    // ... do some form handling, like validation, filtering, etc.
    $password = $_POST['password'];

    // Generate a random salt (5 hex characters from an MD5 of a unique id)
    $salt = substr(md5(uniqid(rand(), true)), 0, 5);

    // Hash password: md5(salt . md5(password))
    $secure_password = md5($salt . md5($password));

    // Store the salt AND the hashed password in the database
    // ...
    ?>

    <?php
    // ... do some form handling, like validation, filtering, etc.
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Get user from database (getUser() is the article's placeholder for the lookup;
    // it returns an object with ->salt and ->password)
    $user = getUser($username);

    // Compare password: recompute the hash with the stored salt
    if ($user->password != md5($user->salt . md5($password))) {
        die('Wrong username or password!');
    }

    // ... user entered correct password, do something
    ?>
ThePsion5 Posted April 17, 2006 Author
The second page in the article deals with some client-side stuff, you probably just missed that part. It was very helpful though, thanks.
pulpfiction Posted April 18, 2006
Yeah, I missed that part, saw it just now. Isn't it just a comparison of doing the same job as the PHP code but using JavaScript? That won't be needed if you are using PHP alone.....
Little Goat Posted April 18, 2006
pulpfiction, is that the way you would recommend to encrypt passwords, or is there a better way? LG
pulpfiction Posted April 18, 2006
Hashing is the best way to encrypt the password, as it cannot be reversed. Salt is nothing but a way to make the input for hashing a little different. Say if 2 people give the same password, then it will generate the same hash value; this gives a chance for attack. But when you add "salt" to the password, then the input for hashing will be different and so the hash output will be different even if the password may be the same, but this process needs the salt to be stored in the DB for future login verification. MD5 and SHA1 are two of the hashing algorithms, and SHA1 is considered a little more secure. I think hashing alone will do, but if you need higher security then use the salt technique. HTH
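The salted scheme from the quoted article and the salt explanation above, written out as one added example (not code from the thread or the linked article). It assumes PHP 7.0 or later for random_bytes() and hash_equals(), and keeps MD5 only to mirror the article's md5(salt . md5(password)) construction; make_password_record() and verify_password() are names chosen here.

```php
<?php
// Added example of the salted-hash scheme discussed in the thread.
// Assumes PHP 7.0+ (random_bytes, hash_equals). MD5 mirrors the article's
// construction; for new code PHP's password_hash()/password_verify()
// (bcrypt, with the salt handled for you) is the supported approach.

// Build what gets stored for a new user: a fresh random salt and the hash.
// A per-user random salt, not a fixed or derivable one (e.g. the username),
// is what makes two users with the same password hash differently.
function make_password_record(string $password): array {
    $salt = bin2hex(random_bytes(16));          // 128-bit per-user salt
    return [
        'salt' => $salt,                         // stored alongside the hash
        'hash' => md5($salt . md5($password)),   // the article's md5(salt . md5(pw))
    ];
}

// Check a login attempt: recompute with the stored salt and compare in
// constant time, so the comparison itself leaks nothing about the hash.
function verify_password(array $record, string $password): bool {
    $candidate = md5($record['salt'] . md5($password));
    return hash_equals($record['hash'], $candidate);
}

// Demonstration with two constructed users who chose the same password.
$alice = make_password_record('correct horse');
$bob   = make_password_record('correct horse');

// Different salts give different stored hashes for an identical password,
// so the table no longer reveals that the two accounts share a password.
var_dump($alice['hash'] !== $bob['hash']);

// The right password verifies against its own record; a wrong one does not.
var_dump(verify_password($alice, 'correct horse'));
var_dump(verify_password($alice, 'wrong horse'));
```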