I was going to post this earlier, but I was double-checking whether I had to do anything special if I was posting code 😛

if($_POST['Username'] and $_POST['Password']) {
   $U = $_POST['Username'];
   $P = $_POST['Password'];
   $P = md5($P);                          // stored passwords are MD5 hex digests
   // $U and $P are concatenated straight into the query string
   $query = "SELECT * FROM login WHERE ";
   $query .= "Username = '".$U."' and Password = '".$P."'";
   $result = mysql_query($query, $sql);   // $sql is the open MySQL link
   if(mysql_num_rows($result)) { echo("Your password works"); } 
   else { echo("Your password or username is invalid."); exit; }
}

I'm wondering if I should post this in the critique forum instead, but I need some suggestions on encrypting it more, even though this script works. I was thinking of making my script generate an MD5 hash about 100 times and then finally query it in MySQL. Then I figured if it was a hacker he would just decrypt it 100 times (if decrypting an MD5 is possible, which I think it is). Also, I'm planning on making this script e-mail me every time the IP to my account is different. This won't spam my e-mail box because my IP rarely changes and I'll be the only one logging in =D But first I need some suggestions on securing my login script a bit more (still wondering if this belongs in the critique forum).

    1) If they want in bad enough, they'll get in.
    2) Your example is widely used and commonly approved.

    For someone who wants to "break in", it does not matter if you MD5 it 1,000,000 times; if they grind the password using your form input, it will do the same action and have the same outcome.
    If a user has a password of "apples", they will get in via brute force no matter how many times you MD5 (and BASE64, SEED encrypt, etc., etc.) it.

    Reverse grinding the passwords from the table might be a tiny bit harder, but then again, if they have access to the table, it does not really matter, does it?

    What you do next is more important IMO, that is, what you do once you know the user is ok to sign on.

      Simple answer to stopping people from hacking your box with brute force:

      set up another table like:

      auth_temp_table

      Allow a user 5 tries to log in, then deny the IP / hostname / mask access to the page for hammering.

      Simple setup with sessions / a DB table.

      You could also set up rules for your passwords:

      example: password must contain 2 numbers, 3 alpha characters and 1 punctuation character, and must be at least 8 characters long.

        Thanks but I'm still wondering about some security tweaks for my login script.

          If they want in bad enough, they will get a new IP as many times as it takes. Some grinders can be setup to hangup and redial the ISP every X tries. Block a subnet and lose real users as well.

          A better idea, is to simply shut off that username when 5 failed attempts are made. ( do not use IP ). Send an email to the user letting them know what happened, and what steps to take in order to get back up and running. They can continue to grind the password, but will always get a "failed" response, causing the grinder to keep on hammering for nothing. ( Keep them in the dark, offer as little info as possible ).

          Password rules are an excellent step. My advice: don't over-cook it. Requiring overly cryptic passwords, while a good idea, is a pain for your users.
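The per-username lockout described in the reply above, written out as an added example (this is not code from the thread, and it is in Python with an in-memory SQLite table standing in for the MySQL `login` table so it runs offline). The user `xerozen`, the password `apples`, the `failures`/`locked` columns and the `notify_user` hook are all assumptions; MD5 storage is kept only to mirror the original script. Unknown user, wrong password and locked account all produce the same `False`, so the caller has one generic failure message to print.

```python
import hashlib
import hmac
import sqlite3

MAX_FAILURES = 5          # threshold from the reply above
NOTIFICATIONS = []        # stands in for the e-mail sent to the locked-out user


def make_db():
    """Constructed in-memory stand-in for the thread's MySQL `login` table,
    extended with a failure counter and a lock flag per username (assumed columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (Username TEXT PRIMARY KEY, Password TEXT,"
               " failures INTEGER NOT NULL DEFAULT 0,"
               " locked INTEGER NOT NULL DEFAULT 0)")
    # MD5 hex storage mirrors the original script; it is not a recommendation.
    db.execute("INSERT INTO login (Username, Password) VALUES (?, ?)",
               ("xerozen", hashlib.md5(b"apples").hexdigest()))
    db.commit()
    return db


def notify_user(username):
    """Hypothetical hook for the e-mail the reply describes."""
    NOTIFICATIONS.append(username)


def is_locked(db, username):
    row = db.execute("SELECT locked FROM login WHERE Username = ?",
                     (username,)).fetchone()
    return bool(row and row[0])


def attempt_login(db, username, password):
    """True only for the right password on an unlocked account.
    Unknown user, wrong password and locked account all return the same False."""
    row = db.execute("SELECT Password, failures, locked FROM login"
                     " WHERE Username = ?", (username,)).fetchone()
    if row is None:
        return False
    stored, failures, locked = row
    if locked:
        return False   # keep answering "failed", even to the correct password
    supplied = hashlib.md5(password.encode()).hexdigest()
    if hmac.compare_digest(supplied, stored):
        db.execute("UPDATE login SET failures = 0 WHERE Username = ?", (username,))
        db.commit()
        return True
    failures += 1
    lock_now = failures >= MAX_FAILURES
    db.execute("UPDATE login SET failures = ?, locked = ? WHERE Username = ?",
               (failures, int(lock_now), username))
    db.commit()
    if lock_now:
        notify_user(username)
    return False


if __name__ == "__main__":
    db = make_db()
    for _ in range(MAX_FAILURES):
        attempt_login(db, "xerozen", "guess")
    print("locked:", is_locked(db, "xerozen"))                          # locked: True
    print("correct password now:", attempt_login(db, "xerozen", "apples"))  # False
```

Note that the counter is keyed on the username, not the client address, exactly as the reply argues; the objection raised later in the thread (an attacker who enumerates usernames can lock every account) applies to this code as written.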

            Originally posted by XeRoZeN
            Thanks but I'm still wondering about some security tweaks for my login script.

            The portion of your logon script that you have shared is fine, read the posts here to get more ideas on authentication security.

            The only other thing I would suggest is protecting your vars to prevent SQL injection. You can use the escape function, or try to watch for ; and , and `, whitespace, etc. Limit your password and username chars to [0-9][A-z] if you want to get really anal about it.
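To make the SQL injection point concrete, here is an added example (not from the thread; Python with an in-memory SQLite table in place of MySQL, so it runs offline) that reproduces the original post's query shape by string concatenation, shows a username that logs in with no password at all, and puts the bound-parameter version and the alphanumeric allowlist from the reply above beside it. The user `xerozen` and its password are constructed. It also shows a detail of the original script worth knowing: because the password is run through md5() before it is spliced in, only the Username field is injectable.

```python
import hashlib
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the thread's MySQL `login` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO login VALUES (?, ?)",
               ("xerozen", hashlib.md5(b"correct horse").hexdigest()))
    db.commit()
    return db


def login_concat(db, username, password):
    """The original post's query shape: values spliced into the SQL string."""
    p = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT * FROM login WHERE Username = '" + username
             + "' and Password = '" + p + "'")
    return len(db.execute(query).fetchall()) > 0


def login_bound(db, username, password):
    """Same check with bound parameters: the database never parses input as SQL."""
    p = hashlib.md5(password.encode()).hexdigest()
    rows = db.execute("SELECT * FROM login WHERE Username = ? AND Password = ?",
                      (username, p)).fetchall()
    return len(rows) > 0


USERNAME_RE = re.compile(r"[A-Za-z0-9]+")


def is_clean(field):
    """The alphanumeric allowlist the reply suggests, as defence in depth."""
    return USERNAME_RE.fullmatch(field) is not None


# Closes the Username literal and comments out the rest of the WHERE clause,
# password check included. The trailing space matters for MySQL's "-- " comment
# syntax; SQLite accepts it as well.
INJECT = "xerozen' -- "

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, INJECT, "anything"))   # True: no password needed
    print(login_bound(db, INJECT, "anything"))    # False
    print(login_concat(db, "xerozen", INJECT))    # False: md5() leaves only hex to splice
    print(is_clean(INJECT))                       # False
```

Binding parameters (or, on the PHP 4-era mysql extension, escaping every value) is the fix; the character allowlist is a second layer, not a substitute, since a legitimate username policy may have to admit characters the regex rejects.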

              I was already thinking about making my script give people 3 attempts. And there won't be any other user besides me =D

                Originally posted by PyroX
                If they want in bad enough, they will get a new IP as many times as it takes. Some grinders can be setup to hangup and redial the ISP every X tries. Block a subnet and lose real users as well.

                A better idea, is to simply shut off that username when 5 failed attempts are made. ( do not use IP ). Send an email to the user letting them know what happened, and what steps to take in order to get back up and running. They can continue to grind the password, but will always get a "failed" response, causing the grinder to keep on hammering for nothing. ( Keep them in the dark, offer as little info as possible ).

                Password rules are an excellent step. My advice: don't over-cook it. Requiring overly cryptic passwords, while a good idea, is a pain for your users.

                This would work great too, if they didn't brute-force usernames as well.

                i.e., look at porn site password crackers: they will generate usernames and passwords, and if run all night, every single user you have could get reset, and then no one could log in without going through another process you have set up, which could still be hacked to re-enable the accounts anyway.

                That is why you block by host mask - I.E.

                ..aol.* for example.

                meaning it blocks all connections from that host aka AOL. Or you could block just part of the host

                mysegment..aol.

                or the node .mynode..aol.*

                once you block their connection, as long as they don't go through an open proxy and keep jumping around on them you will block them.

                I have had to deal with this issue on my site, since we tend to have unruly users who come on the site and start trouble; the best way to get rid of them is denial via host mask.

                  Alright, so you guys suggest that I allow only 3 login attempts and then it bans the IP? Because if I get the login wrong 3 times I can just go to the MySQL database and unban myself. Hmm, maybe I should block every hostmask besides mine. So how would I get people's hostmask and IP? Btw, you guys sound like professional hackers, hahaha. Thanks for all the help, guys, I appreciate it 🙂

                    If your server is setup to lookup addresses, it will get it for you.

                    If not, you would need to use a tool to do a reverse DNS lookup (nslookup):

                    $hostinfo=nslookup ... ....;

                    Or just use the browser and remote address to make a key and use it. Less fancy but not bad imo.

                    $key = md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);

                      Thanks! I'll post further questions after I test it out 😃 If you have any more suggestions feel free to post please I could use a bit more.

                      Alright, I've been messing around with this, but I haven't designed a way to block addresses yet. I'm still figuring out a way to give 3 attempts and then quit.

                      "$key = md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);" I don't understand what I'm supposed to do with that, but I'll keep thinking lol

                      Alright, I have implemented the "3 Chances" feature! All I need to do is ban all IPs except mine.

                        Originally posted by XeRoZeN
                        Btw you guys sound like professional hackers hahaha thanks for all the help guys I appreciate it 🙂

                        All right now... "hackers" are the good guys, right? Uh huh? Understand?

                        Those bad guys are called "crackers"... i.e., "loony", etc.

                          Jeez, I've learned many new things here already 😛 Hey guys, I'm having a problem with session_cache_expire(); it's not expiring, it just stays there. I did what PHP.net told me to:

                          session_cache_limiter('private');
                          session_cache_expire(2);                  // value is in minutes; must be set before session_start()
                          $cache_expire = session_cache_expire();   // read back the current setting
                          session_start();
                          echo $cache_expire;
                          

                          When it echoes I get 2, and when I refresh after 2 minutes nothing happens, it just shows 2 again. Could it be my php.ini? Hmm, damn, I really need to get a webhost lol.

                            I got the ban snippet going.

                            $ban_check = "SELECT * FROM ban;";
                            $result = mysql_query($ban_check, $sql);
                            // walk every banned row, not just the first one returned
                            while($ip_result = mysql_fetch_array($result, MYSQL_NUM)) {
                                if($ip_result[0] == $_SERVER['REMOTE_ADDR']) { exit; }
                            }
                            

                            Should I turn this into a function? I tried making it a function, but MySQL wouldn't cooperate with me. I would make it ban all IPs but mine, but seeing as I change my IP like every month, that would be tiring. Got any other ideas for more security?
