General improvements needed please!

Teach

Hi there guys.
I hope you can assist me please.

I would like to first mention that this post is not a 'problematic' piece of code, it works - however I wanted some feedback, or changes you'd make if this was your code to make it a bit more efficient (I'm sure there's things I've done wrong!)

To clarify, this is a login-script and a utility for visitors to change their passwords. We are not using a sql database, it is a flatfile database which is one of our requirements, it's in a completely different directory that's not accessible through the htdocs, and PHP has permissions for it. For us, it works well and it's what we need to stick to.

Okay! Here goes.

First up, the actual 'users.txt' is where our usernames and passwords are stored. The usernames are in plain-text, but the passwords are md5 hashes.
They are aligned like:

user,md5password

We have a HTML login form which submits to a 'login.php' which is shown below:

Code removed.

On all our .php files that are which are protected (which means they have to be logged into see the file), we use a simple include_once for protect.php, which is shown below:

Code removed.

Next, we have a HTML form that submits to a 'pass.php', which updates the user's password. It checks their current password matches the one stored in users.txt, makes sure the new and confirmed passwords match, and that the new password is not the same as the current one. Here's pass.php:

Code removed.

Last up, logout.php:

Code removed.

THANKS.

Teach

Any suggestions please? :bemused:
Thanks.

stew

firstly... i'd not use md5... try sha-1 or something like that... and use a salt aswell

http://uk2.php.net/manual/en/function.sha1.php

other than that it looks ok to me... but i have no idea about efficiency of it!

Teach

Okay thanks for that. I'll look into that.
As mentioned, it works absolutely fine but wondered if others here would spot ways to slimline stuff or improve on it. So please any feedback you have please supply it - I'd be very grateful.

Many thanks guys!

bbreslauer

First, I'd have to recommend md5 and not SHA-1 (sorry stew), as it has been shown that SHA-1 can be hacked, and it was just announced that a faster hack of SHA-1 has been created (http://it.slashdot.org/article.pl?sid=05/08/18/2247245&tid=93&tid=172).

The users.txt file should have the minimum permissions needed to still be workable. Assuming you're using a *nix system, I would recommend making sure it has 600 permissions, realizing that the PHP user is the owner of the file.

In login.php, the exit; command near the end (after setting the SESSION variables and cookies) is superfluous; since all the code afterwards is within the else statement, it won't get executed no matter what, and the interpreter is smart enough not to waste time on that code.

I would suggest using a require_once instead of an include_once on all your protected pages, as the include statement will only warn if it can't find the file, and require will return a fatal error. Because if this, if your protect.php file were moved or deleted, and a file couldn't find it, the include_once would display the protected page, whereas the require_once would not. This is a fairly big security risk.

Your function output_error is used in multiple places. If it is exactly the same code in all those places, then I would recommend creating another page (functions.php) and putting that function in that file, and then including that file in all the other pages. Or you can put it in a page that's included in every page already. This way, if you need to update the function for some reason, you only need to do it in one place. Plus, you save disk space only having the code in one place.

In pass.php, I'm not exactly sure what the $__pass variables are (I'll assume you do, though :-P). I'm assuming that $nowpass is the entered current password, to make sure that they know their current password. Assuming this, at one point you check to see if $POST['nowpass'] == $_POST['newpass']. All this does is see if they typed the same password in three times (in nowpass, newpass, and newpass2), not if their current password (in users.txt) is the same as the password that they're trying to change it to. I'm not sure if this is what you want to do, but it seems to me that you'd want to check it against the users.txt password, not the entered password.

Unless you have a good reason not to do this, I would recommend using relative paths, opposed to absolute paths, as it makes your code much more portable. Of course, you probably shouldn't do this when opening the users.txt file, but for other files, like header.php and footer.php, this would mean that if ever have to move the code to another machine, it will be much eacher.

Teach

Hi there!
So many thanks for the big post and all the suggestions. I really appreciated that!!!

bbreslauer wrote:
First, I'd have to recommend md5 and not SHA-1 (sorry stew), as it has been shown that SHA-1 can be hacked, and it was just announced that a faster hack of SHA-1 has been created (http://it.slashdot.org/article.pl?sid=05/08/18/2247245&tid=93&tid=172).

Yes, I just did the same and noted some bad so for the time being I'll take this advice and stick with MD5 - thank you though!

bbreslauer wrote:
The users.txt file should have the minimum permissions needed to still be workable. Assuming you're using a *nix system, I would recommend making sure it has 600 permissions, realizing that the PHP user is the owner of the file.

That's already in place, I have just checked it too - thanks.

bbreslauer wrote:
In login.php, the exit; command near the end (after setting the SESSION variables and cookies) is superfluous; since all the code afterwards is within the else statement, it won't get executed no matter what, and the interpreter is smart enough not to waste time on that code.

Removed that, thanks!

bbreslauer wrote:
I would suggest using a require_once instead of an include_once on all your protected pages, as the include statement will only warn if it can't find the file, and require will return a fatal error. Because if this, if your protect.php file were moved or deleted, and a file couldn't find it, the include_once would display the protected page, whereas the require_once would not. This is a fairly big security risk.

I really hadn't realised that! I've changed them all to require_once - thanks for letting me know about the possible security aspect of that!

bbreslauer wrote:
Your function output_error is used in multiple places. If it is exactly the same code in all those places, then I would recommend creating another page (functions.php) and putting that function in that file, and then including that file in all the other pages. Or you can put it in a page that's included in every page already. This way, if you need to update the function for some reason, you only need to do it in one place. Plus, you save disk space only having the code in one place.

It's only used in about very small amounts of the site and we don't use a functions.php for anything else as things are pretty much unique page-wise - if we used it quite a bit more I'd consider that.

bbreslauer wrote:
In pass.php, I'm not exactly sure what the $__pass variables are (I'll assume you do, though :-P). I'm assuming that $nowpass is the entered current password, to make sure that they know their current password. Assuming this, at one point you check to see if $POST['nowpass'] == $_POST['newpass']. All this does is see if they typed the same password in three times (in nowpass, newpass, and newpass2), not if their current password (in users.txt) is the same as the password that they're trying to change it to. I'm not sure if this is what you want to do, but it seems to me that you'd want to check it against the users.txt password, not the entered password.

Sorry, I should've explained that bit.
Okay, $nowpass is what's compared against users.txt - this is what the current password.
$newpass and $newpass2 are going to be the new password, the HTML form gets them to input this new password twice to confirm it. In that sense, is it okay?

Unless you have a good reason not to do this, I would recommend using relative paths, opposed to absolute paths, as it makes your code much more portable. Of course, you probably shouldn't do this when opening the users.txt file, but for other files, like header.php and footer.php, this would mean that if ever have to move the code to another machine, it will be much eacher.

Okay, thanks I'll do that now!

Thanks again; I truly appreciate it.

bbreslauer

Just regarding pass.php, what you're currently checking for in the script is to see if the entered current password is the same as the entered new password. What you'd probably want to do is md5 the entered new password and check that against the old password in users.txt, to see if the new password is the same as the (real, not the one entered in the form) old password. Though, this may not matter, because you do check later on that the entered old password is the same as the one in the users.txt file.

Teach

Hi again, thanks for the continued support.

If it's this->

if ($_POST['nowpass'] == $_POST['newpass']) { 
    output_error('<li>Your old and new passwords appear to be the same.  Please use this facility to change your password.</li>'); 
}

-> bit you mean, then yep that's intentional. We don't want the person to be able to use the password changer to change their password to the same one that they already have.

Or is it something else you mean, sorry? 🙂

Thanks.

bbreslauer

Yeah, that seems good. I hadn't seen a bit of the code the first time, which made me think it wasn't actually checking the correct password. But I was wrong.

Overall, the code looks pretty good.

Teach

Okay that's good to know - many thanks for your suggestions and view. 🙂

Question for you if you don't mind....as you can see, when people are successfully authenticated they are set the 'logged' session.
Is there a way we can create an 'online.php' that will tell us who is currently logged in and their session age? 🙂

Thanks.

laserlight

First, I'd have to recommend md5 and not SHA-1 (sorry stew), as it has been shown that SHA-1 can be hacked, and it was just announced that a faster hack of SHA-1 has been created

Um, I think you didnt notice that MD5 got hit too - both MD5 and SHA1 are from the same family, after all.

However, the attacks on both MD5 and SHA1 are collision attacks, not pre-image attacks. For this to work on hashed passwords, you have to know the original password, where your intention is to create another password that hashes to the same hash as the original password. Since the original password should not be known anyway, the attack doesnt work.

Still, SHA1 should be preferred over MD5 considering the larger number of possible hashes, slower hashing speed and the fewer resources currently in existence to exploit poor use of it.

bbreslauer

Yeah, I didn't notice that. Thanks for telling me!

I guess you could do a double or triple md5 or sha-1 hash, where you pass the output of the first hash into the hashing function for a second time.

As far as I know, there's no way to know who is logged in at a specific time through the use of SESSION variables. The way phpBB and others like it do that is they log all page views, and then say that the person is viewing for 5 minutes past that (so they would be displayed as viewing for 5 minutes, and if they don't refresh the page, then they'll be taken off that list). I don't think you can actually take people off of that type of list unless the proactively log out, since many people just close their browser window, and the browser doesn't send any information to the server.

halojoy

laserlight wrote:
Um, I think you didnt notice that MD5 got hit too - both MD5 and SHA1 are from the same family, after all.

However, the attacks on both MD5 and SHA1 are collision attacks, not pre-image attacks. For this to work on hashed passwords, you have to know the original password, where your intention is to create another password that hashes to the same hash as the original password. Since the original password should not be known anyway, the attack doesnt work.

Still, SHA1 should be preferred over MD5 considering the larger number of possible hashes, slower hashing speed and the fewer resources currently in existence to exploit poor use of it.

It should be noted that

[man]sha1[/man]
uses 40 characters (or more! upto 256, I think) to store encrypted string

while
[man]md5[/man]
normally, kinda like the standard in very many open source freeware, uses 32 characters

This is no problem when writing your own scripts from scratch
but should be checked out and can often need to be changed,
if Database Fields used for encrypted password (or other cryptic info)
has been set to 32 characters string for storing md5 password

I will also use SHA1
if I should ever need to use encrypted passwords in future.
Seems like those knowing these things prefer this SHA1 method, for several resons
like mentioned here already.
Also hackers knows better how md5 works and can more likely crack md5
even if this is no easy task to do ( requires very much CPU data power )

I read a blog article, that some joint Japanese gang, has managed to crack SHA1 once already!
But for normal hacker huligans, the enormous amount of computer power these boys had,
is out of reach ....... so will take many years to crack SHA1.
By the time that passwords will have been changed many times
if website still exists, where they are used ......

Time and Raw CPU power is what can decrypt most anything.
This is reason, you in serious scripts and applications
can often specify how long time intervall a password will be valid,
before it has to be changed.

The more often admins/users have to change password,
the less chance to crack into your stuff
😃

/halojoy - noone has, yet, cracked his passwords in plain flat files and totally un-encrypted!
🆒

hard to do, if you can not even access halojoy well secured data files
at his Apache
and so get to these plain open clear text user passwords

🙂

Weedpacket

bbreslauer wrote:
I guess you could do a double or triple md5 or sha-1 hash, where you pass the output of the first hash into the hashing function for a second time.

This would actually weaken the hash against direct attack, and would only prevent brute-force attacks for as long as the attacker is unaware of the multiple iterations. The reason it would be weakened is because there are fewer possible strings that the second and subsequent hashes would ever see - increasing the chance of collision.

halojoy wrote:
sha1
uses 40 characters (or more! upto 256, I think) to store encrypted string

while
md5
normally, kinda like the standard in very many open source freeware, uses 32 characters

It would be more useful to refer to the number of bits in the hash, instead of getting hung up on cosmetic stuff like the character set used to represent it. MD5 (RFC1321), for example, is a 128-bit hash, while SHA1 (RFC3174) is a 140-bit hash. Then there's SHA224, SHA256, SHA384, SHA512 ... (where the number of bits is indicated in the name).

halojoy wrote:
I read a blog article, that some joint Japanese gang, has managed to crack SHA1 once already!

It was a Chinese team, and it was the collision attack laserlight referred to above.
http://theory.csail.mit.edu/~yiqun/shanote.pdf.

bbreslauer

Weedpacket wrote:
This would actually weaken the hash against direct attack, and would only prevent brute-force attacks for as long as the attacker is unaware of the multiple iterations. The reason it would be weakened is because there are fewer possible strings that the second and subsequent hashes would ever see - increasing the chance of collision.

Well, if the original password was fewer characters than the hash function, wouldn't that increase the number of possible strings that the second and subsequent hashes would ever see? Obviously, the comment was meant with regards to a brute-force attack, but what do you mean by a direct attack?

Teach: sorry this seems to have gotten off-topic.

Teach

bbreslauer wrote:
Teach: sorry this seems to have gotten off-topic.

No problems! 🙂
Quite interesting to read about all the different security aspects of the hashes.
Still trying to figure out the 'Additions..' thread I created, no luck yet. 🙁 back to work! hehe

Thanks.

laserlight

while SHA1 (RFC3174) is a 140-bit hash.

tsk tsk, SHA1 is a 160-bit hash.

Well, if the original password was fewer characters than the hash function, wouldn't that increase the number of possible strings that the second and subsequent hashes would ever see?

No, it doesnt. Remember that the input of the subsequent hashes would themselves be eventually based on the original input. Effectively one can combine the processing of the multiple hashes into a single hash function.

bbreslauer

laserlight wrote:
No, it doesnt. Remember that the input of the subsequent hashes would themselves be eventually based on the original input. Effectively one can combine the processing of the multiple hashes into a single hash function.

Well then, how is triple-DES so much more secure than (single) DES? I realize it's a two-way encryption vs one-way hash, but I wouldn't think that would matter.

And, while one can combine the processing of multiple hashes, it will still lengthen the amount of time required to find the input, which is most of what encryption is: reducing the possibility that someone else can find the same key.

laserlight

Well then, how is triple-DES so much more secure than (single) DES? I realize it's a two-way encryption vs one-way hash, but I wouldn't think that would matter.

3DES consists of 2 DES encryptions with a decryption sandwiched in between, but then because of it is a Feistel network the decryption is similiar to the encryption. That, and the algebraic structure of DES (it is not a group) allows for 3DES to be stronger than DES.

And, while one can combine the processing of multiple hashes, it will still lengthen the amount of time required to find the input, which is most of what encryption is: reducing the possibility that someone else can find the same key.

I think you're confusing cryptosystems with cryptographic hashes. Encryption assumes that the key is secret, and tries to hide the message as long as necessary. Cryptographic hashes may be used in cases where the input is known, but needs verification that no alterations were made. In this case the input should be secret, but effectively creating a new hash function does not necessarily make it more secure, and may even introduce weaknesses.

Disclaimer: I'm neither a mathematics nor cryptography expert, so what I say may well be inaccurate or even misinformation. You have been warned.

Weedpacket

4, 6, hey; it's dark in here. Point is that it's a better standard of comparison. I gave references 🙂

bbreslauer wrote:
Obviously, the comment was meant with regards to a brute-force attack, but what do you mean by a direct attack?

Erratum: I wrote those back to front. Brute-force you know, and that's the one that would be weakened by multiple MD5's (you don't really care what you get so long as you get something with the same hash; not only do you have the collisions inherent in MD5 itself, which won't go away; but there might be pairs of MD5 hashes that have the same hash).

The direct attack is simply to break the MD5 algorithm itself. Once you've done that it's effectively trivial to break MD5(MD5()), MD5(MD5(MD5())), .... you just do the same thing as often as necessary.