Hello,

Very often passwords/usernames of my sites are stolen and are uploaded to warez-sites, where everybody can use them...

What can I do? How can I make sure that only the right user is using his login-information and nobody else?

Any ideas?

Dave

    you shouldn't have plain passwords in your site, you stupid.
    i would use md5 encryption as a solution for this problem. all passwords are encrypted once with md5 and saved in a file or DB. when the user logs in, his password will be encrypted with md5 by javascript in the user's browser (js md5 crypt function: http://pajhome.org.uk/site/) and then sent to the server.
    then the web server compares these encrypted results and if these are equal, login is successful.
    Note that md5 is one-way encryption so you should encrypt both and then compare results.

    for more security you can add a random number as salt and encrypt double with md5 [ result=md5(md5(pwd)+salt) ] on the client side. also the server has to remember this salt and do the same with the stored password [ $result=md5($storedpwd . $salt) ] when passwords are compared.
    This ensures that if someone listens to the communication and stores this twice-encrypted password, he has no use for it because next time the salt will be different.
    Note that the initial encryption should be done in the client's browser with javascript, otherwise there is no point in doing this.

    if you have some further questions you can mail me.

    henry

      What kind of passwords are being lifted?

      Are these telnet account username/password pairs? FTP? Forum login?

      More information is needed to supply prospective solutions to your problem.

      -t

        Just normal username/password for a web-based login.
        So users have a form where they can type in this information. the passwords are saved in a MySQL database.

        Dave
