On Sat, Mar 15, 2008 at 10:06 PM, Steve Morrey
<[EMAIL PROTECTED]> wrote:
> Hello Everyone,
>
> I am currently reviewing some source code for a custom CMS on behalf of a
> client.
> All of it looks pretty good to me except for the line of code that does the
> actual login.
> It looks like...
> (Yes this is PHP)
>
> if(sha1($user_password) == $password_from_db){
> login($user_name);
> }
>
> What has me worried is that $user_password is hashed prior to this function
> by an SHA1 function written in Javascript, prior to being passed in to PHP.
> This means that we are comparing the hash of a hash, which we all know is
> generally considered bad practice.
>
> When I confronted the original developer about this, he remarked that he did
> it "for security reasons, and because the design docs said the password
> should not ever be transmitted or stored in plain text".
>
> Thats all well and good except that what has effectively happened in my eyes
> is an increased chance for hash collision.
> Thats about the only reason I can think of why this is a bad idea.
>
> I need some advice here...
> Should I just give this code a nod? I mean most passwords tend to be
> insecure to begin with, and transmitting them in plain text is always a bad
> idea.
> Or should I reject this due to the increased chance of has collisions and/or
> some other reason I can't remember off the top of my head?
>
> Thoughts?
>
> Sincerely,
> Steve
I would think that as long as the passwords are in an encrypted
transmission, the need for also hashing them and then hashing the hash
seems to only make a problem more likely. But on the other hand I can
see that some basic level of protecting the password should be
required even in cases where an SSL-type connection cannot be (or
isn't) utilized.
...says the non-developer
-Chad
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
