[RESOLVED] encrypted passwords and user edit form

sneakyimp

rather than just storing my user's passwords, i store an MD5 hash instead.

$sql = "select * from users where user='username' and pass='" . md5('password') . '";

what i'm wondering is how to handle the user edit page where an admin can update a user's information. if i put a password input field on the form, i cannot pre-populate it with the password because i literally do not know the password. should i just leave it empty and only change a user's password if the admin actually enters something in there? that worries me a bit because my admins might not be the brightest folks and it might confuse them.

ideally, the password field would appear to have something in it but that something should NOT EVER be confused with a real password.

how do people usually handle this?

Horizon88

The way I do it is leave them blank, and then put an abbr or acronym tag like:

Password [<abbr title="Enter twice to make new password, leave blank to keep the same.">?</abbr>] <input type="password" name="formPasswd" /><br /><input type="password" name="verifyPass" />

Or, you could do a link that takes them to a page only for changing the password, so they need to consciously click "change password".

Out of curiosity, do you salt your MD5 hashes?

sneakyimp

thanks for your response

what is that abbr tag? never seen that before.

in this case, i'm not salting anything. if i'm really concerned about security, i use sha1(). could you explain about salting? i'm familiar with the concept of salting but am curious about why it should be done.

Horizon88

The abbr tag is used to show abbreviations on line, such as PHP: Hypertext Preprocessor. Instead of typing that all out, you'd do <abbr title="PHP: Hypertext Preprocessor">PHP</abbr>. Similar with the <acronym> tag.

Salting is good because it only takes an extra line of code and makes your hashes virtually unbreakable.

Say somebody uses SQL injection, cookie exploitation, or a server exploit, and they get into your database. You've got a bunch of MD5 hashes in there - passwords, credit card numbers, maybe, social security numbers, whatever. They download them all. They pull up a rainbow table of MD5 hashes, or a dictionary attack. Now, without salts - they can get the MD5 hash of say, "password", with one of those attacks, fairly easily. So what you do is salt the md5 hash, so instead of it being stored as "password" in md5 hash, it gets stored as 'salt' . 'password'.

Liike so:

<?PHP
// salt demo
$mySalt = 'eab4c03a8d7b938cf563270581b1218a';
$userPass = 'password';
$databasePassword = md5($mySalt . $userPass);
// database query to insert their password here.
?>

Then you save $mySalt in a php file and include it on your login authentication page. Every time they enter their password, you prepend the salt to it before you hash them, then check that against the database. That makes it impossible for a dictionary attack, and most rainbow table attacks, to succeed, because the chances of an attacker having 'eab4c03a8d7b938cf563270581b1218apassword' as a plaintext in their dictionary is practically impossible, and it's unlikely even the NSA would have the computing power to generate rainbow tables for that length.

🙂

NogDog

I typically provide a password field and a password confirmation field, plus a "change password" checkbox field. Then I only change the password if the checkbox value was received and do the usual validations on the two password fields. To improve the user interface a bit, you could add a little JavaScript to disable the two password fields on page load, then enable them if the checkbox is checked.

sneakyimp

thanks horizon for the explanation and especially the code. i think i understand. there are a number of ways that one can obtain the password hash. i believe phpBB stores this value in a cookie when you click 'remember me on future visits' as you login. if this cookie is transmitted as plain text, a packet sniffer might pick it up somewhere. salting doesn't really protect against that i suppose because that cookie value is a direct match to the db (regardless of salt).

but yes in the case where one has obtained a $hashed_password it is possible to find a $text_string where md5($text_string) = $hashed_password. you can then just pop over to a login page and enter $text_string to log in - UNLESS you salt in the md5 step as you described because md5($text_string . $salt) != $hashed_password.

NogDog - good advice there. I'm definitely going to do that.

THAnks.