making secure login more secure....

ralphuk100

I have been looking at this:

http://www.phpbuilder.com/columns/tim20000505.php3

and apart from needing a bit of butchering for php4 it looks pretty secure. However, I was hoping for some suggestions on how to make it more secure... reading the comments people have suggested using a stronger key on md5 (I think thats what they mean). How would I go about implementing this?

Does anyone have any other ways of making this virtually uncrackable? fair enough a hash can be decrypted, but if the key is like 128/256 bit it would take so long as not to be worth it. The package it is for would be mostly on dedicated servers, the occasional shared hosting, so in the majority - and all of the sites that need to be secure - only myself would have root access to the server, which I noticed could be a loophole (on shared hosting anyone with root access could get the db login details).

Also - I know this is not secure enough for financial details, and at the moment it does not have to be. But where do I find information on making login and security scripts that are secure enough for this kind of sensitive material? As someone has commented on that article, using SSL is no substitute for bad code, it just protects the transaction path. Any help would be greatly appreciated. I just dont know what to search for on google to get the results I want.

portaloo

ok md5 cannot be cracked except by a big computer with plenty of processing time and power, however, there are lists, in the hands of crackers and hackers, of thousands if not millions of passwords that have been md5'd that will enable these people to eventually get into your system.

this is where a salt comes in, adding another word to the password then md5 ing it will make this harder.
another way is to take the password given, add the salt, split it up, rearrange the parts join them together and then md5 it, just make sure you follow the same procedure when submitting the password when someone logs in otherwise you will get a password error.

also make sure that your password field is 32 characters long. any shorter than this and your password will not match as md5 produces a 32 bit combination of letters and numbers.

you could also insist that users have a combination of letters and numbers to make the process harder for hackers.

hope this helps

ralphuk100

Im guessing I can find info on salt in the php manual? (I am not usually involved in security of websites but this is for my own project so I have to learn).

Even though my password field will be 32 characters long I'm guessing the user does not need a 32 character password? Thanks.

It was a great help. Do you know where I can read up on adding a more secure encryption key? Its obviously not necessary but I'm interested in it.

portaloo

Hi Ralph,

you're best off going to google and searching their for info, i generally use php builder and hotscripts, they have heaps of tutorials and most are informative.

Nope user passwords can be any length, md5 will automatically change it to 32 bit.

hope you are having as much fun as i am with php cos asp sux

ralphuk100

So u mean make the DB password field 32 characters right.

Thanks for the tips - I use hotscripts quite a lot - just usually for snippets, not tutorials etc.

I am having a lot more fun with php (I am an ASP convert).

I am going to have to start from scratch anyway I think as the source code for that secure login is php3 and I get loads of errors on php4.