TalkPHP

Source thread: TalkPHP > General > Loggining ( password and encryption ) (http://www.talkphp.com/general/2207-loggining-password-encryption.html)

Orc 02-07-2008 10:09 PM

Loggining ( password and encryption )
 
Now, if you make a login system, you want encryption for the users' passwords, yes, we all know. But the thing is, if you encrypt it, such as with the md5() function algorithm, wouldn't that make it incorrect when a user tries to log in and is trying to access his password, which has now been encrypted? My problem is this: I try to encrypt passwords when registering, in the SQL, and well, I go to log in, and it gives me an error which I set, "invalid password, please try again". Well, I know you cannot DECRYPT the password, so basically your account is stuck. :[

Would I just do a base64 encryption and then decrypt it? Though that sounds like a security risk, bleh... Help with this please.

xenon 02-07-2008 10:12 PM

You can encode the password before performing the check, you know?

PHP Code:

$user = $_POST['username'];
$pass = md5($_POST['password']);   // hash the submitted password the same way it was stored

// note: $user and $pass are interpolated into the SQL string unescaped (SQL injection risk)
mysql_query("SELECT id FROM users WHERE username='{$user}' AND password='{$pass}'");


Orc 02-07-2008 10:14 PM

Quote:

Originally Posted by xenon (Post 10408)
You can encode the password before performing the check, you know?

PHP Code:

$user = $_POST['username'];
$pass = md5($_POST['password']);   // hash the submitted password the same way it was stored

// note: $user and $pass are interpolated into the SQL string unescaped (SQL injection risk)
mysql_query("SELECT id FROM users WHERE username='{$user}' AND password='{$pass}'");


Bah, lemme try this.

I forgot this method, >.<

Rendair 02-07-2008 11:09 PM

You can also do the following:

PHP Code:

$user = $_POST['username'];
$pass = $_POST['password'];

// PASSWORD() is MySQL's own hashing function; $user and $pass are still interpolated unescaped
mysql_query("SELECT id FROM users WHERE username='$user' AND password = PASSWORD('$pass')");


Orc 02-07-2008 11:10 PM

What does that function do?
SQL Code:
password = PASSWORD('$pass')

My brain is all over today. :/

Rendair 02-07-2008 11:19 PM

Well, you can insert data into the table using that, and it encrypts the password; then you use it again in a select to un-encrypt it.

Salathe 02-07-2008 11:25 PM

A key security point is that you should not be able to decrypt passwords! Use one-way hashing (MD5, SHA*, etc.) and then compare the supplied password with the hashed password in the database.

Orc, PASSWORD() is another hashing function like MD5 and behaves in much the same way, just using a different algorithm to get the final hashed value.
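
The register/login flow Salathe describes, written out as an added example (this is not code from the thread or from any of its posters). It assumes a modern PHP with password_hash()/password_verify() (PHP 5.5+) and the pdo_sqlite extension; the in-memory SQLite table stands in for the thread's MySQL users table so the snippet runs offline, and the function names openDb, registerUser and loginUser are invented for illustration. Two things the thread's snippets do not address are handled here: the hash is salted per user and deliberately slow (an unsalted md5() of a password is recoverable from precomputed tables), and the username and password are bound as parameters rather than interpolated into the SQL string, which is what lets "WHERE password='$pass'" built from raw $_POST data be subverted.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.5 and pdo_sqlite;
// openDb/registerUser/loginUser are illustrative names.

declare(strict_types=1);

function openDb(): PDO
{
    // In-memory SQLite stands in for the thread's MySQL users table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
    return $db;
}

// Registration: store only a salted, slow, one-way hash. password_hash()
// draws a random salt per user and embeds it in the returned string, so two
// users with the same password get different stored values.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: look the row up by username only, then let password_verify()
// re-hash the supplied password with the stored salt and compare the result
// in constant time. Nothing is ever "decrypted", and neither value reaches
// the SQL text, so an injection payload in the username is just a string.
function loginUser(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still spend one hash so "no such user" and
        // "wrong password" take the same time.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    return password_verify($password, $row['password']) ? (int) $row['id'] : null;
}

// Constructed sample usage.
$db = openDb();
registerUser($db, 'orc', 'correct horse battery staple');

var_dump(loginUser($db, 'orc', 'correct horse battery staple'));
var_dump(loginUser($db, 'orc', 'wrong password'));
var_dump(loginUser($db, "orc' OR '1'='1", 'anything'));
```

The first call is a genuine login, the second a wrong password, and the third the kind of value that breaks a query built by string interpolation; with a prepared statement it is simply a username that does not exist. password_verify() reads the algorithm and salt back out of the stored string, which is why the login code never needs to know how the hash was made.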

Alan @ CIT 02-08-2008 06:44 PM

Just to throw another idea on to the pile, you could always take the vBulletin route and use Javascript to MD5() the password before you send it to your PHP script using one of the many javascript MD5 implementations available.

Alan

xenon 02-09-2008 12:40 AM

Quote:

Originally Posted by Alan @ CIT (Post 10460)
Just to throw another idea on to the pile, you could always take the vBulletin route and use Javascript to MD5() the password before you send it to your PHP script using one of the many javascript MD5 implementations available.

Alan

Now, why would you want to do that? JS can be easily sniffed, so don't check passwords and other sensitive information through JS. You can MD5 the password from the script, or directly from the query if you need to:

Code:

SELECT id FROM users WHERE username='username' AND password=MD5('password')

Alan @ CIT 02-09-2008 08:24 AM

The idea behind it is to use a salt with your passwords. You then MD5 the password using JS, send it to your PHP script, the PHP script then adds the salt and md5's the whole lot again, then compares it against your password table.

The theory being that the plain-text password is never transmitted across the internet.

Edit: Think of it this way, in my scenario, if someone sniffed the password, they would end up with an MD5 hash of it. They could then either try to match the hash until they found the original password, or brute force your script until they found the salt. In your scenario, if someone sniffed the password, they would end up with the plain-text password for the user.

Alan
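
A simulation of the scheme Alan describes (browser sends md5(password), server stores and checks md5(salt . md5(password))), added here as an example and not taken from the thread or from vBulletin. The function names clientSide, storedValue and serverCheck and the site-wide salt are invented for illustration. It shows the point both sides of the exchange are circling: on an unencrypted link the attacker who sniffs the request does not need the plain-text password, because the value on the wire is exactly what the server accepts, so it can be replayed as-is.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.6 (hash_equals()).
// clientSide/storedValue/serverCheck and $serverSalt are illustrative names.

declare(strict_types=1);

// Stands in for the JavaScript MD5 in the browser: what leaves the client
// is md5(password), not the password itself.
function clientSide(string $password): string
{
    return md5($password);
}

// What the server stores at registration under this scheme:
// md5(salt . md5(password)), with one salt for the whole site.
function storedValue(string $serverSalt, string $password): string
{
    return md5($serverSalt . clientSide($password));
}

// Server-side check: prepend the salt to whatever the client sent, hash
// again and compare with the stored value (constant-time compare).
function serverCheck(string $serverSalt, string $stored, string $received): bool
{
    return hash_equals($stored, md5($serverSalt . $received));
}

// Constructed sample: one site-wide salt, one registered user.
$serverSalt = 'static-site-salt';
$stored = storedValue($serverSalt, 'hunter2');

// Legitimate login: the browser submits md5('hunter2').
$legit = serverCheck($serverSalt, $stored, clientSide('hunter2'));

// An eavesdropper captured that request body. They never learn 'hunter2',
// but they do not need it: the server accepts the captured value unchanged.
$sniffed = clientSide('hunter2');
$replay = serverCheck($serverSalt, $stored, $sniffed);

// A garbled or guessed value is still rejected, so the check itself works.
$wrong = serverCheck($serverSalt, $stored, clientSide('hunter3'));

var_dump($legit, $replay, $wrong);
```

The replay succeeds because the client-side hash has become the password as far as this site is concerned; what the scheme buys is only that the same user's password on other sites is not exposed. The site-wide salt also does nothing against an attacker who obtains the table, since md5 is fast and the salt is the same for every row; a per-user salt with a slow hash (as password_hash() does) is what makes the stored values expensive to crack. Protecting the password in transit is a job for TLS, not for JavaScript.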

