Archive for August, 2006

Building a user authorization system in PHP – Part II

Hashing passwords

In the last walkthrough you should have created a script that allows a user to enter information in an HTML form and then stores this information in the database. The most obvious security hole is that the password is stored in the database in plain text. If somebody manages to get the contents of your database, every user's password will be in plain view.

This part of the tutorial helps you make the passwords more secure. The common practice for storing passwords is to store a hash of the password, which is a scrambled, fixed-length digest of it. There is no easy way to recover the original password from its hash, so this setup is much more secure. At login you then compare the hash stored in MySQL with the hash of the password the user typed in. If both hashes are identical, the password is correct.

There are two basic algorithms: SHA1 and MD5. Because a given password always produces the same hash value, an attacker does not need to brute-force the hash to recover the underlying password: with a precomputed database of the hashes of all likely passwords, the plain-text password can be found with a simple lookup. Here is an example: MD5 lookup. As there are no reliable SHA1 lookup services at the moment, it is safer to use that algorithm with some kind of modification (called a salt). Here's the line you need to add to your register.php:

$password = sha1(sha1($password)."mysecretcode");
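To show the whole register-and-verify flow around that line, here is an added example (not the tutorial's own code). It keeps the post's double-SHA1 construction and secret string, and goes one step further than the post by adding a per-user random salt stored next to the hash, so that two users with the same password do not end up with the same stored value that a lookup table could match in one go. The in-memory $users array stands in for the MySQL table, and the column names 'salt' and 'password_hash' are assumptions. random_bytes() and hash_equals() are standard PHP functions (PHP 7 and 5.6 respectively); on a current PHP the built-in password_hash() / password_verify() pair is the recommended replacement for hand-rolled SHA1 hashing.

```php
<?php
// Added example, not code from the original post.
// Application-wide secret, as in the post's register.php line.
const SITE_SECRET = "mysecretcode";

// Per-user random salt; stored alongside the hash in the users table (assumed schema).
function make_salt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Same construction as the post, with the per-user salt mixed in before the secret.
function hash_password(string $password, string $salt): string {
    return sha1(sha1($password) . $salt . SITE_SECRET);
}

// What register.php would store: never the password itself, only salt + hash.
function register_user(array &$users, string $username, string $password): void {
    $salt = make_salt();
    $users[$username] = [
        'salt'          => $salt,
        'password_hash' => hash_password($password, $salt),
    ];
}

// What login.php would do: recompute the hash with the stored salt and compare.
function verify_login(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    $row       = $users[$username];
    $candidate = hash_password($password, $row['salt']);
    // hash_equals() compares in constant time, so timing does not leak how many
    // leading characters of the hash matched.
    return hash_equals($row['password_hash'], $candidate);
}

// Constructed demo data standing in for the MySQL table.
$users = [];
register_user($users, 'alice', 'correct horse');
register_user($users, 'bob',   'correct horse');

// Same password for both users, but different salts give different stored hashes.
var_dump($users['alice']['password_hash'] !== $users['bob']['password_hash']);
// Right and wrong password for alice.
var_dump(verify_login($users, 'alice', 'correct horse'));
var_dump(verify_login($users, 'alice', 'wrong password'));
// Unknown user is rejected without revealing whether the account exists.
var_dump(verify_login($users, 'carol', 'correct horse'));
```

The salt does not need to be secret; its job is only to make every stored hash unique, so storing it in a plain column next to the hash is fine. The application secret from the post is a separate layer that helps only as long as it stays out of the database dump.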


August 26, 2006 at 8:18 pm

Building a user authorization system in PHP – part I

Recently I needed to start a new PHP project and required a basic (but secure) user authorization / registration script. To my surprise I was not able to find a single script that would let me register users in a MySQL database, require user activation via email, show a Turing test (aka captcha) on the login form, and have no obvious security holes.

16 hours later, I now have my own script and understand better why there is no universal script available on the Net (the task turns out to be non-trivial and requires a lot of security tweaking).

In this post I will start discussing how a user authorization script should be developed.

August 26, 2006 at 7:54 pm 76 comments
