Thanks for the password/info, however I have one further (possibly dumb) question: is there a commonly employed method of securing one's database to prevent hackers peering in and viewing plain-text/hashed passwords?

I use MySQL 3.22.32 with php4.0.3
Cheers.

Russ

On Thu, 13 Sep 2001 19:28:18 +0200 Torgil Zechel <[EMAIL PROTECTED]> wrote:

> A common way to identify a client is to use the challenge-response
> algorithm. It works like this:
> 
> Ps is the password stored on the server
> Pc is the password entered by the client
> H is a hash-function (md5 for example)
> V is a 'random' value
> 
> Server calculates H(V + Ps) and saves this in a session variable. The server
> then sends V to the client, which responds with H(V + Pc). Now, the server can
> compare H(V + Ps) with H(V + Pc). If they are equal, the user must have
> given the correct password! Otherwise the identification failed.
> 
> The good thing with this algorithm is that no password needs to be sent in
> plain-text between the client and the server. The random value is used to
> ensure that the response is not just something that a hacker has sniffed in
> a previous session. The downside is that the database must be secure, since
> the passwords are stored in plain-text.
> 
> An even better way is of course to use SSL. In that case the client just sends
> the password to the server and the server compares H(P) with the stored hash
> in the database.
> 
> Don't know if this was what you were looking for...
> 
> /torgil
> 
> > -----Original message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Russ Michell
> > Sent: 13 September 2001 17:36
> > To: [EMAIL PROTECTED]
> > Subject: [PHP-DB] Straightforward authentication?
> >
> >
> > Hi all:
> >
> > The few php/MySQL apps I've developed that required username/password access
> > have simply been a means of comparing usernames and hashes of passwords in a
> > DB. My next application needs to be slightly more secure, but nothing like
> > the needs of protecting online banking or vulnerable private info.
> >
> > I have read several articles at phpbuilder.com and stuff at php.net, and
> > frankly most of it seems to be overly contrived.
> >
> > I wonder whether some list members would be able to point me in the
> > direction of code and/or tutorials that *explain* in English what they're
> > doing and why. For example why they are storing an MD5() hash of something
> > in a separate file outside the web-server's doc-root etc etc.
> >
> > Once I have my head round the concepts I'll be posting my findings to a
> > public location which list-members will be among the first to view.
> >
> > I thank y'all for any help you are able to give.
> > Cheers
> >
> > Russ
> >

#-------------------------------------------------------#

  "Believe nothing - consider everything"

  Russ Michell
  Anglia Polytechnic University Webteam
  Room 1C 'The Eastings' East Road, Cambridge

  e: [EMAIL PROTECTED]
  w: www.apu.ac.uk/webteam
  t: +44 (0)1223 363271 x 2331

  www.theruss.com

#-------------------------------------------------------#


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
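The challenge-response exchange Torgil describes in the quoted message, written out in Python as an added example (not code from anyone in this thread): both sides' steps, the stored-plaintext requirement he notes, and a check that a response sniffed from an earlier session is useless against a fresh challenge. The user entry and the choice of SHA-256 for H (the thread mentions MD5) are assumptions.

```python
import hashlib
import secrets

# Constructed credential store. As the quoted scheme requires, the server keeps
# Ps in plain-text, because it must be able to compute H(V + Ps) itself.
SERVER_USERS = {"russ": "correct horse"}   # constructed example entry

def H(data: str) -> str:
    """The hash function H from the thread. SHA-256 is an assumption here;
    the protocol works the same with any hash, MD5 included."""
    return hashlib.sha256(data.encode()).hexdigest()

def server_issue_challenge(username: str, session: dict) -> str:
    """Server, step 1: pick a random V, remember H(V + Ps) in the session,
    and hand V to the client. A fresh V per login is what defeats replay."""
    ps = SERVER_USERS[username]
    v = secrets.token_hex(16)
    session["expected"] = H(v + ps)
    return v

def client_respond(v: str, pc: str) -> str:
    """Client: answer with H(V + Pc). Pc itself never leaves the client."""
    return H(v + pc)

def server_verify(session: dict, response: str) -> bool:
    """Server, step 2: compare H(V + Ps) with H(V + Pc) in constant time.
    The expectation is consumed so the same V cannot be answered twice."""
    expected = session.pop("expected", None)
    return expected is not None and secrets.compare_digest(expected, response)

def login(username: str, pc: str) -> bool:
    """One complete exchange between the two sides."""
    session = {}
    v = server_issue_challenge(username, session)
    return server_verify(session, client_respond(v, pc))

def replay_is_rejected(username: str) -> bool:
    """The thread's sniffing point: a response captured in one session
    does not satisfy the next session's challenge, because V differs."""
    old_session = {}
    v1 = server_issue_challenge(username, old_session)
    sniffed_response = client_respond(v1, SERVER_USERS[username])
    new_session = {}
    server_issue_challenge(username, new_session)   # fresh V the sniffer never saw
    return not server_verify(new_session, sniffed_response)
```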
