I'm building a web app that will include (amongst other things) a front-end for Bugzilla. I had a look at the Bugzilla database and Perl code, and they encrypt passwords before entering them in the database.

Should I always do that? There's no sensitive information there. Is there some "standard" way people encrypt passwords before storing them in databases?

Thanks,

Antun

    So am I right in saying that BEFORE I store the password in the database, I encrypt it using:

    $encryptedPasswd = md5($origPassword);

    Then whenever I want to validate the user, I say:

    if (md5($userInput) == $encryptedPassword) {
    printf("Verified!");
    }

    That's great, but it's not what Bugzilla used at all. They did this:-

    if (crypt($userInput,$encryptedPassword) == $encryptedPassword) {
    printf("Verified!");
    }

    Basically they used the value from the database as the salt. I could not get this to work in PHP.

    Thanks,

    Antun

      You should endrypt passwords before going into database because you don't want the responsibility of knowing ppl's passwords, especially when many ppl use the same password for many logins.

      Anyway, to crypt:

      $encryptedPassword = crypt($passwordString);

      crypt() will generate it's own random two character salt, and prefix $encryptedPassword with it.

      To compare new password with original:

      if (crypt($newPassword,$dbPassword) == $dbPassword)
      {
      // Verified
      }

      Remember that the encrypted password has the two character salt in front of it. So, here, the crypt function will take the first two characters from $dbPassword to encrypt $newPassword.

      Hope this helps.

        As a note on using md5()

        if you just run a md5() on you password then you risk that a hacker just bruteforces his way to the passwords with a simple loop.

        I'm most of my systems I have a secret serverside password which I then hash with the user password. Like this:

        $user_pwd = "something";
        $server_pwd = "something else";

        $hashed_md5_pwd = md5($user_pwd.$server_pwd);

        this way the hacker would have to know the serverside password before he could start bruteforcing the user password. Needless to say you should keep the serverside password well secured out of the webdirectory.
        Furthermore I use substr() to only use a piece (15 chars in the example below) of the $hashed_md5_pwd because when displayed in the URL a 32 character string can take up alot of space - so like this:

        $new_hashed_md5_pwd = substr($hashed_md5_pwd,10,15);

        I'm not a security-geek or anything but I'm aware of the problems and I think this solutions will deter most newbies from hacking this way.

          Thanks for your reply

          What does "$user_pwd.$server_pwd" do in the md5 command? Does it just concatenate the two?

          Antun

            Write a Reply...