Change Password script

[NathanLedet]

I'm working on a little script within a bigger application to change a users password.

 

When they're logged in and they click "Change Password", they're brought to a page where they enter their current password as well as two "new password" fields (one for verification).

 

for my first step, I need the "current password" to match up with an md5 password that's stored in a MySQL database.  Can I get some tips on doing this? Thanks!

[.josh]

select the password from the db, then compare it to md5($_POST['currentpassword'])

[NathanLedet]

I did that....and then it just snowballed into an almost completed script...it just kinda, clicked

 

I think it's probably not secure.  Any suggestions for me?

 

if (isset($_POST['submit'])){
$currentpw = md5($_POST['currentpw']);
$query = "SELECT password FROM users WHERE username = '" . $_SESSION['MM_Username'] . "'";
$result = mysql_query($query);
while($row = mysql_fetch_array($result, MYSQL_ASSOC)){
	$dbpassword = $row['password'];
}
if ($currentpw == $dbpassword){
	$newpassword = $_POST['newpassword'];
	$confirmnew = $_POST['confirmnew'];
	if ($newpassword == $confirmnew){
		$newpassword = md5($newpassword);
		$query2 = "UPDATE users SET password = '$newpassword' WHERE username = '" . $_SESSION['MM_Username'] . "'";
		$result2 = mysql_query($query2);
		$message .= "Your password has been updated!";
	}else{
		$message .= "Your new password does not match<br />";
		$message .= "Please try again.";
	}
}else{
		$message .= "The password you entered does not match the current password<br />";
		$message .= "Please try again.";
}
}

[discomatt]

Storing with md5 only is considered insecure these days, with pre-computed hash tables in the wild. I'd highly recommend salting your hashes...

 

Here's a basic article

http://phpsec.org/articles/2005/password-hashing.html

[discomatt]

Here's a quick demo function of storing/extracting the salt ( PHP5 )

<?php

# Some constants you can change to give a bit of entropy

define( 'HASH_ALGO', 'sha384' ); # Algorithm to use when hashing ( using hash() )
define( 'HASH_SPLIT', 39 ); # Where to split the hash for mixed salt insertion
define( 'SALT_LENGTH', 32 ); # Length ( in characters ) of random salt
define( 'SALT_SPLIT', 15 ); # Where to split the salt for mixed salt insertion

# The actual function

function saltHash ( $pw, $compare = FALSE ) {

if ( !$compare ) {
	$salt = substr(  hash( HASH_ALGO, uniqid(mt_rand(), TRUE) ), 0, SALT_LENGTH  );
	$hash = hash( HASH_ALGO, $pw.$salt );
	return	substr( $salt, 0, SALT_SPLIT ) .
			substr( $hash, 0, HASH_SPLIT ) .
			substr( $salt, SALT_SPLIT ) .
			substr( $hash, HASH_SPLIT );
}

$hash_length = strlen( $compare ) - SALT_LENGTH;
$salt = substr( $compare, 0, SALT_SPLIT ) . 
        substr( $compare, SALT_SPLIT + HASH_SPLIT, SALT_LENGTH - SALT_SPLIT );
$hash = hash( HASH_ALGO, $pw.$salt );

$pwHash = substr( $salt, 0, SALT_SPLIT ) .
          substr( $hash, 0, HASH_SPLIT ) .
          substr( $salt, SALT_SPLIT ) .
          substr( $hash, HASH_SPLIT );

if ( $pwHash = $compare )
	return TRUE;
return FALSE;

}

# Example of the function in use

$password = 'biscuits'; # Our password

$hashed = saltHash( $password ); # Generate a hash with a random salt

echo $hashed . '<br />'; # Output our hash, jsut to see what's being done

if ( saltHash('biscuits', $hashed) ) # Check to make sure 'biscuits' generates the same hash
echo 'Passwords match!';
else
echo 'Passwords don\'t match';

?>

[revraz]

Besides that additional info, the compare is no different than the compare you do when they initially log in.