want to learn about passwords/security

jacksonpt

My office has recently asked me to develop a blog application. The coding and back-end work I can handle without much trouble. The thing I'm not sure about is the security end of it, as I've never done anything that needed any real security. I can setup a simple log-in with username/password front end - that's pretty straight forward. What I'm not sure about is how to keep that secure... i.e. how to secure that trasnfer of data, and how to replace the password characters entered into an HTML form with asterics... those types of things.

The app will be HTML/CSS/PHP/MySQL from start to finish, run on an XP/Apache box. Anyone know of a good place for me to start reading? Any tips from those of you who have been here would be great.

Thanks in advance.

jayant

in HTML if you have <input type="password"> instead of <input type="text">, you can be assured that those asterisks come instead of text when typing.

for security:
when the user submits the form using javascript, read the value of the password, encrypt it using an implementation of MD5 in javascript and submit only the encrypted password and not the real one to the form.

when u store the password in the database, dont store the password directly, encrypt it using MD5 and store that value.

compare the encrypted password sent and encrypted password stored.
NOTE: this is only a simple one and lot of enhancement can (read "should") be done to create a securer system.
also note, you will not be able to tell the user his old password incase he forgets that, so you will have to give him an option to set a new password instead of telling him his old password.

goldbug

Look into using SSL to secure the site. (Eliminates need for aforementioned (and unreliable) javascript encrypting)

Sxooter

If you want to check the passwords for security, look at cracklib. You gotta like any option to PHP that has the configure switch of --with-crack... 🙂

Jason_Batten

I was just over at sitepoint and found this: http://www.sitepoint.com/article/php-security-blunders

It is a new article 🙂, might help.