3rd Party Password Protection: Is it possible?

netline5000

Greetings everyone,

I want to create a third party login system (let's call it SuperPass)that gives users access to member sites.

Hence a user can go to any of the member sites, login in using the same username and password and hence gain access to the content.

I have seen it done on some sites. How is it done and how come it doesn't keep asking users to login for every page they view?

How do I do it using PHP?

Thanks in advance

Toby2

You could store a user/pass pair with the pass md5-encrypted in a mysql db, and register the user_login as a sessionvariable upon successfully logging in.

Then you include a file on every page that checks if this variable is registered as a session variable... if it isn't you just redirect the user to a login page...

michael

Cookies, Sessions.

Also: use SHA-1 instead of MD5. MD5 isn't secure.

Weedpacket

So rumour has it - but then, any username/password scheme is equally vulnerable.

netline5000

Thanks for the replies guys.

I am new to PHP so a lot of what you have said has just gone over my head!!! 🙁

Toby2,
You said "Then you include a file on every page that checks if this variable is registered as a session variable...".

Does this mean that for every page a user requests, the member website would have to verify the session variable at SuperPass.
Wouldn't this bog down the SuperPass server or is there a simpler way?

Also how does one include a file on every page and what is MD-5?

Michael, Weedpacket
what is SHA-1?
Could you expand on Cookies and Sessions? What are the advantages and disadvantages of each method especially regarding security?

To Everyone,
Please could you provide me with some sample code on how to do this using the methods highlighted?

Thanks again

harlowhair

Basically security involves initially verifying a username and password, and then checking that this has been done on all of the pages within the protected area. A very good and easy to understand article can be found at

http://www.devshed.com/Server_Side/PHP/UserAuth/page1.html

I found this article the most useful reference i could find when I started looking into security.

michael

Michael, Weedpacket
what is SHA-1?
Could you expand on Cookies and Sessions? What are the advantages and disadvantages of each method especially regarding security?

SHA is the secure hash algorthmn. (sp.)

MD5 is the message digest 5 algorthmn. (sp.)

MD5 is not meant for storing passwords. It is possible to procure a list of possible passwords from a MD5.

SHA is a more secure algorthmn.

Cookies and Sessions can be complimenting. Research the manuals in this regard. A session is a group of variables stored on the server, for each user. A cookie is a variable (which can contain serialized variables) stored on the users' computer. Each have their advantages. Cookies are not reliable, as in the case of me, whom turns off cookies for pages I don't like.

From RSA:

3.6.6 What are MD2, MD4, and MD5?
MD5 was developed by Rivest in 1991. It is basically MD4 with "safety-belts" and while it is slightly slower than MD4, it is more secure. The algorithm consists of four distinct rounds, which has a slightly different design from that of MD4. Message-digest size, as well as padding requirements, remain the same. Den Boer and Bosselaers [DB94] have found pseudo-collisions for MD5 (see Question 2.1.6). More recent work by Dobbertin has extended the techniques used so effectively in the analysis of MD4 to find collisions for the compression function of MD5 [DB96b]. While stopping short of providing collisions for the hash function in its entirety this is clearly a significant step. For a comparison of these different techniques and their impact the reader is referred to [Rob96].
http://www.rsasecurity.com/rsalabs/faq/3-6-6.html

Also from RSA:

3.6.5 What are SHA and SHA-1?

The Secure Hash Algorithm (SHA), the algorithm specified in the Secure Hash Standard (SHS, FIPS 180), was developed by NIST (see Question 6.2.1) [NIS93a]. SHA-1 [NIS94c] is a revision to SHA that was published in 1994; the revision corrected an unpublished flaw in SHA. Its design is very similar to the MD4 family of hash functions developed by Rivest (see Question 3.6.6). SHA-1 is also described in the ANSI X9.30 (part 2) standard.

The algorithm takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5 (see Question 3.6.6), but the larger message digest makes it more secure against brute-force collision and inversion attacks (see Question 2.1.6). SHA is part of the Capstone project (see Question 6.2.3). For further information on SHA, see [Pre93] and [Rob95b].
Source: http://www.rsasecurity.com/rsalabs/faq/3-6-5.html

michael

I would also like to add:

YOu should not half-work this. If you're going to do this, do it all way.

SHA-1 is just one link in the chain. But if you're going to do it, might as well do it right. There's no point in keeping any security if you store the passwords in an easy to read format.

The least you can do is make it a pain in the a$$ for a potential data thief, and convince them to move to the next site, even when you're not around.

I hope this helps.

Weedpacket

Originally posted by michael

MD5 is not meant for storing passwords. It is possible to procure a list of possible passwords from a MD5.

Although it involves doing a brute-force search of possible passwords.

So it will have a hard time figuring out what password hashes to this (even though it's only four characters).

752538cb668d10125174150f45892802