Secure password exchange

hwttdz

What's the simplest method for some sort of password authentication system?

If you do crypt() does that happen on the client machine or on the server? because if it happens on the server does it really have any use?

thorpe

everything in php happens on the server. if your worried about your data in its travels, you would need to look into ssl.

justsomeone

Just to expand slightly.

using php to encrypt a password when it is received prevents the password being compromised if someone with evil intent gets access to the server.

If you want to encrypt the password before it leaves the client, so that no-one can snoop on it, you have a couple of options, of which the most straightforward is to use a HTTPS connection. Using this method, any form data is encrypted as it passes from the client to the server, and is decrypted before your application gets it. So your code can ignore all of this process and just get the plaintext password as normal. It's still good practice to md5 it or something before you save it anywhere.

One word of warning on SSH, naive users can still be caught out by a man in the middle attack. This is where any request which a client sends to you is routed through a third party. This could be a malicious site with a url similar but slightly different to yours, or could be done by a dodgy proxy server.

In the above case, the request goes from the client to third party and from the third party to you. It looks fine to you and it looks fine to the client, but the "man in the middle" could be reading everything which goes on.

More savvy clients can detect this through careful examination of the secre (SSL) cert which is needed for the HTTPS connection.

hwttdz

Can you point me to a good set of instructions on how to set up a secure ssl server right now I'm using http://localhost/sitename so I guess I want something like https://localhost/sitename the other method I'm considering it to distribute a small application that dynamically generates the password and have the site dynamically generate a password as well, so then to logon all you have to do is generate a password and copy and paste it into the box in the next 30 seconds or so. Does that sound reasonable?

hwttdz

Another thing, is there a way I can see all data that goes over a connection? For the purposes of checking my server is set up in the localhost format.

justsomeone

I wouldn't go reinventing the wheel. Use SSL.

To set up SSL (the transport mechanism over which HTTPS travels) you will need to get a Secure Certificate from a recognised Certification authority. That can take a little time. For test purposes you can create one yourself, but this doesn't work great in "live" environments as your visitors will get a warning saying "This site uses a secure cert from an untrusted authority" or something like that.

If you do buy a cert, they should talk you through the process of installing it...

One place to buy ( this is not a recommendation, I just found it on the web):
rapidssl.com

You might also like this: BigNoseBird's SSL guide

If you want to see all data over a connection, you could try using a packet sniffer. But I don't think that this will ba bale to read a secure connection.