Storing Passwords - MD5 or not?

Sharif

What do you guys prefer doing, or recommend? What is more secure? Storing users password as an MD5 has or does it not matter?

helz

one important thing to remember is that do you just want a secure member section by encrypting the passwords or would you prefer that you could add the option "Forgot Your Password?" where it emails out the password to the members email so that they can login again.

As for me, i encrypt the password and then when the user logs in you encrypt what they typed in and test it against the md5 hash in the db to see if they match.

Drakla

I'm absolutely with Helz on this. Store it as an md5 and if they forget their password then email them a generated temporary one.

You'd probably not be surprised to know that loads of people will sign up for messageboards with the same email and password set they've use in real life so md5'ing it up reduces security risks.

Sharif

I currently use MD5 to store my members' passwords. I was creating a script for a client who requested a "Password Reminder" feature, and since MD5 is a one way hash, it was hard to do. I did come up with a solution, where I make a random text string, MD5 it, store it in the database, and use the string to remind the user.

drawmack

I store my passwords encrypted with tripple-des. That way I get the best of both worlds. However, you'll have to write you encryption scheme in a compiled language and you'll have to come up with a key change management system.

Sharif

what is tripple-des?

drawmack

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=triple+des&spell=1

superwormy

PHPs mcrypt functions might be something to look at, as well as MySQLs built-in encryption functions.

nasty_psycho

I personally, used on my website the following system :
the password are stored in the db in md5 format , and when a user forget his passowrd he can reset it by answering the secret question he entered on the registration.
And I think this is the best solution, because it is used by most professional webservices .

drawmack

Originally posted by nasty_psycho
And I think this is the best solution, because it is used by most professional webservices .

Well being used by the most people doesn't mean it's the best solution. It's a widely used method because it's simple. That doesn't mean it's the best or even the most secure.

helz

for most secure you can add a checkbox where people can check it if their ip is dynamic and leave it if its static so if its left then add their ip into the db to add a further check for when they want to login.
please post extra little tit-bits that can make it more secure so that we can improve our own login scripts 🙂

drawmack

use this code on your login page or any other page where you want to accept data securely.

NOTE: For this to work you will need a secure certificate set up on your site.

<?php
//https uses port 81 by default this may need to be changed
//on your web server.
define('HTTPS_PORT',81);

//if the person is not connected to our page securely
//we redirect them to https.
if(!is_https()) {
    //underscore added because phpbuilder puts url tags 
    //around the ht_tps://
    header('Location: ht_tps://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
} //end if

//This function checks to see if we are running an
//https connection by port
function is_https_port() {
    //are we using an https connection
    if($_SERVER['REMOTE_HOST'] == HTTPS_PORT) {
        return TRUE;
    } else {
        return FALSE;
    } //end if
} //end is_https
?>

drawmack

Originally posted by helz
for most secure you can add a checkbox where people can check it if their ip is dynamic and leave it if its static so if its left then add their ip into the db to add a further check for when they want to login.
please post extra little tit-bits that can make it more secure so that we can improve our own login scripts 🙂

Even with a dynamic IP almost noone will have a dynamic getnamebyaddr.

<?php

function getUsersCompName() {
    return gethostbyaddr($_SERVER['REMOTE_ADDR']);
}

?>

the problem with both of these methods is people who use multiple computers on various accounts. For example from school my computer name is je2885.esu.edu from home is it not that. I could not visit your site from both places with this method.

helz

aye, was only an idea. ill probobly just stick with the md5 thing, seems to be okies for the moment

Sharif

no security certificate 🙁

helz

good point, so if you used https then to make your users happy you'd have to get/purchase a security certificate? im guessing one of the security guys checks your site to make sure its safe?

drawmack

no a security certificate holds the encryption key for your site. There are service places that sell them. so that you have a trusted key. Verisign is the biggest one.