Loggining ( password and encryption )

Orc · 02-07-2008, 10:09 PM

Now, if you make a login system.. You want encryption for the users password, yes we all know. But thing is, if you encrypt it, such as with the md5() function algorithm, wouldn't that make it incorrect, if a user tries to login, and is trying to access his password which has now been encrypted. My problem is this, I try to encrypt passwords when registering, in the sql, and well, I go to login, and it gives me an error which I set, invalid password, please try again, well I know you cannot DECRYPT the password, so basically your account is stuck. :[

Would I just go by doing a base64 encryption? and then decrypt it?? Though that's a security risk it sounds, bleh.. Help with this please.

xenon · 02-07-2008, 10:12 PM

You can encode the password before performing the check, you know?

PHP Code:


			
$user = $_POST['username'];
$pass = md5($_POST['password']);

mysql_query( "SELECT id FROM users WHERE username='{$user}' AND password='{$pass}'" );

Orc · 02-07-2008, 10:14 PM

Quote:

Originally Posted by xenon

You can encode the password before performing the check, you know?

PHP Code:


			
$user = $_POST['username'];
$pass = md5($_POST['password']);

mysql_query( "SELECT id FROM users WHERE username='{$user}' AND password='{$pass}'" );

Bah, lemme try this.

I forgot this method, >.<

Rendair · 02-07-2008, 11:09 PM

You can also do the following

PHP Code:


			
$user = $_POST['username'];
$pass = $_POST['password'];

mysql_query( "SELECT id FROM users WHERE username='$user' AND password = PASSWORD('$pass')" );

Orc · 02-07-2008, 11:10 PM

What does that function do?

sql Code:

password = PASSWORD('$pass')"

My brain is all over today. :/

Rendair · 02-07-2008, 11:19 PM

Well you can insert data into the table using that and it encrypts the password and then you use it again in a select to un-encrypt it.

Salathe · 02-07-2008, 11:25 PM

A key security point is that you should not be able to decrypt passwords! Use one-way hashing (MD5, SHA*, etc) and then compare the supplied password with the hashed password in the database.

Orc, the PASSWORD is another hashing function like MD5 and behaves in much the same way, just using a different algorithm to get the final hashed value.

Alan @ CIT · 02-08-2008, 06:44 PM

Just to throw another idea on to the pile, you could always take the vBulletin route and use Javascript to MD5() the password before you send it to your PHP script using one of the many javascript MD5 implementations available.

Alan

xenon · 02-09-2008, 12:40 AM

Quote:

Originally Posted by Alan @ CIT

Just to throw another idea on to the pile, you could always take the vBulletin route and use Javascript to MD5() the password before you send it to your PHP script using one of the many javascript MD5 implementations available.

Alan

Now, why would you want to do that? JS can be easily sniffed, so don't check passwords and other sensitive information through JS. You can MD5 the password from the script, or directly from the query if you need to:

Code:

SELECT id FROM  users WHERE username='username' AND password=MD5('password')

Alan @ CIT · 02-09-2008, 08:24 AM

The idea behind it is to use a salt with your passwords. You then MD5 the password using JS, send it to your PHP script, the PHP script then adds the salt and md5's the whole lot again, then compares it against your password table.

The theory being that the plain-text password is never transmitted across the internet.

Edit: Think of it this way, in my scenario, if someone sniffed the password, they would end up with an MD5 hash of it. They could then either try to match the hash until they found the original password, or brute force your script until they found the salt. In your scenario, if someone sniffed the password, they would end up with the plain-text password for the user.

Alan