Re: [PHP] Membership site
On 28.07.2011 12:53, Alex Nikitin wrote:
> Just as a word of caution to everyone on this list, mcrypt version of
> blowfish (which is implemented by php) (in linux) has an 8bit bug in
> it, and thus should not be used for hashing passwords even as backup.
>
> Basically if you use a character such as say a British pound in your
> password, blowfish with php will generate a wrong hash and allow for
> some extensive collisions. For example a hash for "ac" followed by a
> pound or euro or any of those extended chars (that are present on
> European keyboards and such) and a hash for just that char, would be
> the same! If you want I can show you with some demo code. But until
> fixed, don't use blowfish with php on linux at least, if you can.

Very interesting, thanks for the heads up.

So if you use the class, change

    $this->hash_supported = 'sha256|sha512|blowfish|md5';

to

    $this->hash_supported = 'sha256|sha512|md5';

so blowfish can not be used.

Problem:
Using salt: Vi4mT5vCge5SWQRH7onIlo

hash this: ac€
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC

hash this: €
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC

hash this: ac£
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.

hash this: £
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
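
Why "ac" plus a high-bit character can hash the same as the character alone, shown as an added example that is not part of the original posts or of PHP's source. It models the 8-bit bug as sign extension of password bytes while Blowfish key setup packs them into 32-bit words; `bf_key_words()` is a hypothetical helper, and the constructed sample passwords assume a single-byte encoding (pound sign = byte 0xA3) and 64-bit PHP integers.

```php
<?php
// Added example, not code from the thread or from PHP itself. It models only
// the key-packing step of Blowfish key setup, not a full bcrypt.
// Assumptions: single-byte encoding (0xA3 = pound sign), 64-bit PHP integers.

/**
 * Pack a NUL-terminated, cyclically repeated key into $count 32-bit words.
 * $signExtend = true models reading each byte as a signed char (the 8-bit bug).
 */
function bf_key_words(string $key, bool $signExtend, int $count = 18): array
{
    $bytes = $key . "\0";            // the terminator is part of the cycle
    $len   = strlen($bytes);
    $pos   = 0;
    $words = [];
    for ($i = 0; $i < $count; $i++) {
        $tmp = 0;
        for ($j = 0; $j < 4; $j++) {
            $b = ord($bytes[$pos]);
            if ($signExtend && $b >= 0x80) {
                $b |= 0xFFFFFF00;    // signed char promoted to 32 bits
            }
            // OR-ing a sign-extended byte overwrites the bytes packed before it
            $tmp = (($tmp << 8) | $b) & 0xFFFFFFFF;
            $pos = ($pos + 1) % $len;
        }
        $words[] = sprintf('%08x', $tmp);
    }
    return $words;
}

// Constructed sample passwords: "ac" + 0xA3 versus 0xA3 alone.
foreach ([true, false] as $signExtend) {
    $a = bf_key_words("ac\xA3", $signExtend);
    $b = bf_key_words("\xA3", $signExtend);
    printf("%s: ac+0xA3 -> %s  0xA3 -> %s  same key: %s\n",
        $signExtend ? 'signed  ' : 'unsigned', $a[0], $b[0],
        $a === $b ? 'yes' : 'no');
}
```

With sign extension the high-bit byte wipes out the "ac" packed before it, so both passwords expand to the same key words and everything derived from them matches; with unsigned bytes the words differ.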
Re: [PHP] Membership site
Just as a word of caution to everyone on this list, mcrypt version of
blowfish (which is implemented by php) (in linux) has an 8bit bug in it,
and thus should not be used for hashing passwords even as backup.

Basically if you use a character such as say a British pound in your
password, blowfish with php will generate a wrong hash and allow for
some extensive collisions. For example a hash for "ac" followed by a
pound or euro or any of those extended chars (that are present on
European keyboards and such) and a hash for just that char, would be the
same! If you want I can show you with some demo code. But until fixed,
don't use blowfish with php on linux at least, if you can.

On Jul 28, 2011 5:14 AM, "John Black" wrote:
> I would like to add some info about storing the password hash in the
> database.
>
> I recently tested how quickly one can brute force a simple md5('foo')
> hash with a modern GPU. The results have been truly eye opening.
> I have been able to break hundreds of hashes with my ATI 6870 in a
> couple of days. Even with passwords in the 8 char length range ... and
> even salted ones.
>
> The problem is that md5 is optimized for speed. Which is nice if you
> want to hash a file but it offers an attacker the option to brute force
> your password.
> The solution is to hash multiple times and if possible using a different
> hashing algorithm.
> http://php.net/crypt can help you here.
>
> I wrote a new password class for my own projects which will use crypt()
> with sha512, sha256, blowfish if available or fall back to a 3000 round
> md5().
> This approach makes it impractical to bruteforce the hash because every
> single test will have to run md5() 3000 times before it can validate a
> single hash.
> This also adds a delay to the login process but the hash is only checked
> once.
>
> The code is released under the BSD license so you may use it in a
> commercial application as well. The zip contains the class file and two
> sample pages demonstrating how to use the class.
>
> Here is a download link, let me know if you like it or have any questions.
>
> http://www.2shared.com/file/kocAJ2HO/class_password.html
> md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
>
> --
> John
Re: [PHP] Membership site
On 28.07.2011 11:13, John Black wrote:
> This approach makes it impractical to bruteforce the hash because every
> single test will have to run md5() 3000 times before it can validate a
> single hash.
>
> --
> John

I am sorry, I made a mistake here, 3000 times is not enough for this.
The actual code for the md5 portion looks like this:

    $this->hash_rounds['md5'] = 3000;

    for( $x=0 ; $x < $this->hash_rounds['md5'] ; ++$x)
    {
        $hash = md5($salt.md5($salt.$hash).md5($hash.$salt));
    }

--
John
Re: [PHP] Membership site
I would like to add some info about storing the password hash in the
database.

I recently tested how quickly one can brute force a simple md5('foo')
hash with a modern GPU. The results have been truly eye opening.
I have been able to break hundreds of hashes with my ATI 6870 in a
couple of days. Even with passwords in the 8 char length range ... and
even salted ones.

The problem is that md5 is optimized for speed. Which is nice if you
want to hash a file but it offers an attacker the option to brute force
your password.
The solution is to hash multiple times and if possible using a different
hashing algorithm.
http://php.net/crypt can help you here.

I wrote a new password class for my own projects which will use crypt()
with sha512, sha256, blowfish if available or fall back to a 3000 round
md5().
This approach makes it impractical to bruteforce the hash because every
single test will have to run md5() 3000 times before it can validate a
single hash.
This also adds a delay to the login process but the hash is only checked
once.

The code is released under the BSD license so you may use it in a
commercial application as well. The zip contains the class file and two
sample pages demonstrating how to use the class.

Here is a download link, let me know if you like it or have any questions.

http://www.2shared.com/file/kocAJ2HO/class_password.html
md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip

--
John
Re: [PHP] Membership site
wil prim wrote:
>Ok so I have the md5() taken care of and now I have also attempted to
>create a login form plus a check login form that will try and match the
>hashed value of the input with a field in the data base and if
>successful it will echo 'You are now logged in' or else it will echo
>'couldnt connect'. However when I try to log in with my newly created
>username and password it echoes 'couldnt connect'. Here is the code for
>the form:
>
>Username:
>Password:
>
>AND HERE IS THE check_login.php:
>
>include_once "connect_mysql.php";
>
>$result=mysql_query("SELECT * FROM Members");
>$row=mysql_fetch_array($result);
>$loginusername=$_POST['logginname'];
>$loginpass=$_POST['logginpassword'];
>$hash_loggin_username=md5($loginusername);
>$hash_loggin_password=md5($loginpass);
>if ($hash_loggin_username==$row['username'] &&
>$hash_loggin_password==$row['password'])
>{
>echo 'You are now logged in!';
>}
>else
>{
>echo 'couldnt connect';
>}
>?>
>
>In this code Members is the table and Persons is the database.
>
>On Jul 27, 2011, at 02:28 PM, wil prim wrote:
>
>> Thanks for that! I'll try and put some code together and I'll reply
>> if I need some more help. ;)
>>
>> Sent from my iPhone
>>
>> On Jul 27, 2011, at 2:18 PM, Ashley Sheridan wrote:
>>
>> > On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
>> >
>> >> Hello, I am just starting out with PHP and I have just created a
>> >> database named "Members" with a table named "Persons". There are 5
>> >> fields (id,firstname, lastname, username, password). The form I
>> >> created is a sign up form and the values entered into the form are
>> >> inserted into the table "Persons", now my question is how do I
>> >> create a secure log in system with this new database? Thanks in
>> >> advance! :)
>> >
>> > Well, first, as a measure of security, make sure that you don't
>> > store the plain text password in the DB. Something like an
>> > md5($password . $email . $name) offers a rudimentary protection.
>> > For something a little meatier, try sha1(). Storing it this way
>> > means that even if someone gained access to your DB, they don't
>> > actually have the passwords, as people often reuse passwords on
>> > different sites.
>> >
>> > As to the login, you would accept the username and password combo,
>> > and then hash or encrypt the password with the salt again, and
>> > compare with the entry in the DB. It's typical to have a counter of
>> > incorrect logins as well. More than 3 in a row causes the login for
>> > that username to lock for a specific period of time. To achieve
>> > this, you would need to add a couple of fields to your Persons
>> > table, `attempts`(tinyint) & `lock_time`(datetime).
>> >
>> > When you attempt to log someone in with the username and password
>> > (encrypted, hashed, whatever) you also check to see if the
>> > lock_time is not some time in the future. If it is, then you don't
>> > allow them access. If the password was wrong, then increment the
>> > attempts field by 1. If this field gets incremented to a specific
>> > value (say 3 for example) then you set the lock_time field to some
>> > date in the future, the wait period.
>> >
>> > When a user logs in successfully, set the attempts counter to 0
>> > again so it's ready for the next login attempt to the account. This
>> > just ensures that people aren't accidentally locked out
>> > indefinitely!
>> >
>> > This is all just a rough sketch out of how I'd go about it, but it
>> > should be enough logic for you to put some code together. It's no
>> > more complex than a couple of queries and a few if statements. It
>> > may help you to flowchart the whole thing out to get the logic
>> > clear in your mind.
>> >
>> > --
>> > Thanks,
>> > Ash
>> > http://www.ashleysheridan.co.uk
>
>On Jul 27, 2011, at 02:18 PM, Ashley Sheridan wrote:
>
>> On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
>>
>> > Hello, I am just starting out with PHP and I have just created a
>> > database named "Members" with a table named "Persons". There are 5
>> > fields (id,firstname, lastname, username, password). The form I
>> > created is a sign up form and the values entered into the form are
>> > inserted into the table "Persons", now my question is how do I
>> > create a secure log in system with this new database? Thanks in
>> > advance! :)
>>
>> Well, first, as a measure of security, make sure that you don't store
>> the plain text password in the DB. Something like an md5($password .
>> $email . $name) offers a rudimentary protection. For something a
>> little meatier, try sha1(). Storing it this way means that even if
>> someone gained access to your DB, they don't actually have the
>> passwords, as people often reuse passwords on different sites.
>>
>> As to the login, you would accept the username and password combo,
>> and then hash or encrypt the password with the salt again, and
>> compare with the entry in
Re: [PHP] Membership site
http://www.php.net/manual/en/security.database.sql-injection.php
http://www.php.net/manual/en/security.database.storage.php
Re: [PHP] Membership site
On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
> Hello, I am just starting out with PHP and I have just created a database
> named "Members" with a table named "Persons". There are 5 fields
> (id,firstname, lastname, username, password). The form I created is a sign
> up form and the values entered into the form are inserted into the table
> "Persons", now my question is how do I create a secure log in system with
> this new database? Thanks in advance! :)
>

Well, first, as a measure of security, make sure that you don't store
the plain text password in the DB. Something like an md5($password .
$email . $name) offers a rudimentary protection. For something a little
meatier, try sha1(). Storing it this way means that even if someone
gained access to your DB, they don't actually have the passwords, as
people often reuse passwords on different sites.

As to the login, you would accept the username and password combo, and
then hash or encrypt the password with the salt again, and compare with
the entry in the DB. It's typical to have a counter of incorrect logins
as well. More than 3 in a row causes the login for that username to lock
for a specific period of time. To achieve this, you would need to add a
couple of fields to your Persons table, `attempts`(tinyint) &
`lock_time`(datetime).

When you attempt to log someone in with the username and password
(encrypted, hashed, whatever) you also check to see if the lock_time is
not some time in the future. If it is, then you don't allow them access.
If the password was wrong, then increment the attempts field by 1. If
this field gets incremented to a specific value (say 3 for example) then
you set the lock_time field to some date in the future, the wait period.

When a user logs in successfully, set the attempts counter to 0 again so
it's ready for the next login attempt to the account. This just ensures
that people aren't accidentally locked out indefinitely!

This is all just a rough sketch out of how I'd go about it, but it
should be enough logic for you to put some code together. It's no more
complex than a couple of queries and a few if statements. It may help
you to flowchart the whole thing out to get the logic clear in your
mind.

--
Thanks,
Ash
http://www.ashleysheridan.co.uk
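
The lookup-by-username and attempts/lock_time logic sketched in this thread, written out as an added example that is not code from any of the posters. It swaps in PHP's password_hash()/password_verify() for the md5()/sha1() calls mentioned above and uses an in-memory SQLite database through PDO; `try_login()`, `MAX_ATTEMPTS` and `LOCK_SECONDS` are assumed names, and `lock_time` is stored as a Unix timestamp instead of a datetime.

```php
<?php
// Added example, not code from the thread. Table/column names follow the posts;
// try_login(), MAX_ATTEMPTS and LOCK_SECONDS are assumptions, and lock_time is
// kept as a Unix timestamp instead of a datetime. Sample data is constructed.
const MAX_ATTEMPTS = 3;
const LOCK_SECONDS = 900;

function try_login(PDO $db, string $user, string $pass, int $now): string
{
    // Find the one row for this username with a bound parameter.
    $q = $db->prepare('SELECT id, password, attempts, lock_time FROM Persons WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'denied';
    }
    if ((int)$row['lock_time'] > $now) {
        return 'locked';                 // still inside the wait period
    }
    if (password_verify($pass, $row['password'])) {
        $db->prepare('UPDATE Persons SET attempts = 0, lock_time = 0 WHERE id = ?')
           ->execute([$row['id']]);
        return 'ok';
    }
    $attempts = (int)$row['attempts'] + 1;
    $lockTime = 0;
    if ($attempts >= MAX_ATTEMPTS) {
        $lockTime = $now + LOCK_SECONDS;
        $attempts = 0;                   // count afresh once the lock expires
    }
    $db->prepare('UPDATE Persons SET attempts = ?, lock_time = ? WHERE id = ?')
       ->execute([$attempts, $lockTime, $row['id']]);
    return 'denied';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Persons (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, attempts INTEGER DEFAULT 0, lock_time INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO Persons (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = 1000;   // constructed clock so the run is repeatable
foreach (['x', 'y', 'z', 'correct horse'] as $guess) {
    echo try_login($db, 'alice', $guess, $t++), "\n";
}
echo try_login($db, 'alice', 'correct horse', $t + LOCK_SECONDS), "\n";
```

The lock check runs before the password check, so a correct password is also refused during the wait period; the read and the update are separate statements and would need a transaction under concurrent logins.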