thankqwerty Posted September 10, 2008
Hello all, I'm new to PHP and MySQL and everything... I'm trying to set up a registry for my site. So I suppose I'll need to create a new table to save all the user information. My question is: how can I hide the user passwords from myself and any administrators in the MySQL admin screen, for example?
Link to comment https://forums.phpfreaks.com/topic/123583-hiding-password/
JasonLewis Posted September 10, 2008
md5() hashes are a good way of securely storing passwords. Google for some simple registration script tutorials.
fenway Posted September 10, 2008
Quoting JasonLewis: "md5() hashes are a good way of securely storing passwords."
Not at all... single-pass hashing algorithms are easily cracked -- at the very least use a reasonable salt. Alternatively, use SHA1.
JasonLewis Posted September 11, 2008
Oh, yeah, I should have mentioned something about using a salt. I'm sure most tutorials would salt passwords though.
revraz Posted September 11, 2008
Quoting JasonLewis: "Oh, yeah, I should have mentioned something about using a salt. I'm sure most tutorials would salt passwords though."
I don't recall any tutorials that I've seen use salts.
dprichard Posted September 12, 2008
Okay, for those of us who have no idea what salt is, can you give us a link or a bit more info...
peranha Posted September 12, 2008
Quoting dprichard: "Okay, for those of us who have no idea what salt is, can you give us a link or a bit more info..."
A salt is something that is added to the password. Ex.

<?php
$salt     = 'asdfpoiu3456';          // salt to add to the password
$password = $_POST['password'];      // user's password as submitted by the form
$encpass  = md5($salt . $password);  // salt prepended to the user's password before hashing, to make dictionary attacks almost useless
?>

Something along those lines is what you would want.
fenway Posted September 12, 2008
Google "rainbow attacks" and you'll see why this is important... or use a better hashing algorithm.
dprichard Posted September 12, 2008
So would you recommend sha1 and salt?
dprichard Posted September 12, 2008
Question: if they are doing a dictionary attack, wouldn't your system be adding the salt back onto the password to check it against the database when the user logs in? So wouldn't a dictionary attack work the same way?
peranha Posted September 12, 2008
You can use MD5 as long as you use a salt. sha1 will give you stronger encryption. There are rainbow tables out for pretty much all hashes. I use sha512 and a salt on my site. But whatever hash you use, make sure you use a salt with it.
dprichard Posted September 12, 2008
So, when someone is doing an attack, aren't they going to be doing it against your login form? If so, wouldn't you have to add the salt back in to verify the user, and wouldn't that make whatever they put in already have the salt in it? Sorry, just trying to understand all this as best as I can. Thanks for any info.
fenway Posted September 12, 2008
Yes, you'd be adding the salt back... but the attacker has no idea what the salt is.
revraz Posted September 12, 2008
Quoting dprichard: "Question: if they are doing a dictionary attack, wouldn't your system be adding the salt back onto the password to check it against the database when the user logs in? So wouldn't a dictionary attack work the same way?"
There is nothing to stop brute-forcing attempts except for users using good passwords. His main question was how does he hide the PW so no one can see them in the DB. Hashing does this task. If you want to get more complex, then you can force your users to use a complex PW system that involves caps, numbers, etc.
fenway Posted September 12, 2008
Quoting revraz: "There is nothing to stop brute-forcing attempts except for users using good passwords."
Without salts, "good" passwords aren't helpful.
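The exchange between dprichard, fenway and revraz mixes two different attacks: online guessing through the login form, and an offline dictionary attack against a password table that has already leaked. The following is an added example, not code from this thread or from any of its posters, that makes the offline case concrete. It hashes a constructed set of users once with no salt and once with a random per-user salt, runs the same constructed wordlist against both tables, and counts the hash computations each attack needs. sha256 is used as a stand-in for whichever digest is chosen; the user names, passwords and wordlist are made up for the demonstration.

```php
<?php
// Added example, not from the thread: cost of an offline dictionary attack on a
// leaked password table, with and without a per-user salt. The users and the
// wordlist below are constructed for the demonstration; sha256 stands in for
// any digest function.
declare(strict_types=1);

$hashCalls = 0;
$h = function (string $s) use (&$hashCalls): string {
    $hashCalls++;                       // count every digest computation
    return hash('sha256', $s);
};

$wordlist = ['password', 'letmein', 'qwerty', 'monkey', 'dragon', 'hunter2'];

// Constructed accounts: alice and carol chose a word from the list, bob did not.
$users = [
    'alice' => 'dragon',
    'bob'   => 'T9#kq!vR2mZp',
    'carol' => 'hunter2',
];

// Scheme 1: plain hash. One fixed application-wide salt behaves the same way,
// because the attacker learns that salt together with the source code.
$unsalted = [];
foreach ($users as $name => $pw) {
    $unsalted[$name] = $h($pw);
}

// Scheme 2: a fresh random salt per account, stored beside the hash.
$salted = [];
foreach ($users as $name => $pw) {
    $salt = bin2hex(random_bytes(16));
    $salted[$name] = ['salt' => $salt, 'hash' => $h($salt . $pw)];
}

// Attack on scheme 1: hash each word once, then every user is a table lookup
// (a rainbow/lookup table in miniature; it can be built before the leak).
$hashCalls = 0;
$lookup = [];
foreach ($wordlist as $w) {
    $lookup[$h($w)] = $w;
}
$cracked1 = [];
foreach ($unsalted as $name => $digest) {
    if (isset($lookup[$digest])) {
        $cracked1[$name] = $lookup[$digest];
    }
}
$cost1 = $hashCalls;

// Attack on scheme 2: no shared table is possible; the whole wordlist has to
// be rehashed under each user's own salt.
$hashCalls = 0;
$cracked2 = [];
foreach ($salted as $name => $rec) {
    foreach ($wordlist as $w) {
        if (hash_equals($rec['hash'], $h($rec['salt'] . $w))) {
            $cracked2[$name] = $w;
            break;
        }
    }
}
$cost2 = $hashCalls;

printf("no salt:       %d hash calls, cracked: %s\n",
    $cost1, implode(', ', array_keys($cracked1)));
printf("per-user salt: %d hash calls, cracked: %s\n",
    $cost2, implode(', ', array_keys($cracked2)));
```

Run it with the php command-line binary. The weak passwords are recovered in both schemes, because a salt does not make a guessable password unguessable; what changes is the cost. Without a salt the attacker hashes the wordlist once and matches every user by lookup, and can even do that hashing before the table leaks. With a per-user salt the wordlist must be rehashed for every account, and precomputed tables are useless. None of this slows down guessing through the live login form, where the server adds the salt itself; that case is only limited by password strength and by whatever rate limiting or lockout the server applies.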
thankqwerty Posted September 17, 2008 (Author)
Thank you all for the replies. So, as I understand it, I generate a random salt for each user account (which will also be stored in the user database), then combine the salt with the user password using md5() to get a random-looking string and store that in the database. And each time a user wants to log on, the PHP code would retrieve the user's salt from the database and combine it with the user password (which the user input) to check against the coded password in the database, right?
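The flow thankqwerty summarises, written out as an added example that is not code from the thread or from any of its posters. An in-memory array stands in for the MySQL users table, the digest is sha512 (peranha's choice) rather than md5, and the salt is generated with random_bytes(). The same flow is then repeated with PHP's built-in password_hash() and password_verify() (available from PHP 5.5), which generate and store the per-user salt themselves. The column layout in the comment, the function names and the sample credentials are assumptions made for the example.

```php
<?php
// Added example, not from the thread: per-user random salt generated at
// registration and rebuilt at login. $users is an in-memory stand-in for a
// MySQL table such as (assumed layout):
//   users(username VARCHAR(64) PRIMARY KEY, salt CHAR(32), pass_hash CHAR(128))
declare(strict_types=1);

function registerUser(array &$users, string $username, string $password): void
{
    // 16 random bytes -> 32 hex characters, generated fresh for every account.
    // The salt is stored in the clear; it only needs to be unique, not secret.
    $salt = bin2hex(random_bytes(16));
    $users[$username] = [
        'salt'      => $salt,
        'pass_hash' => hash('sha512', $salt . $password),   // 128 hex chars
    ];
}

function loginOk(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Do the same amount of work for an unknown user so the response time
        // does not reveal which usernames exist.
        hash('sha512', $password);
        return false;
    }
    $rec = $users[$username];
    // Recompute with the stored salt; hash_equals() compares in constant time.
    return hash_equals($rec['pass_hash'], hash('sha512', $rec['salt'] . $password));
}

$users = [];
registerUser($users, 'thankqwerty', 'correct horse battery staple');
var_dump(loginOk($users, 'thankqwerty', 'correct horse battery staple'));
var_dump(loginOk($users, 'thankqwerty', 'wrong password'));
var_dump(loginOk($users, 'nobody', 'wrong password'));

// Same flow with the built-in API (PHP 5.5+): password_hash() picks a random
// salt, runs bcrypt (deliberately slow), and packs algorithm, cost, salt and
// hash into one string, so the table needs a single column and no hand-rolled
// salt handling.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $stored));
var_dump(password_verify('wrong password', $stored));
```

Two details worth keeping in mind when moving this onto a real table: the salt column is not a secret and does not need hiding from administrators, its job is to be different for every account; and a fast digest such as md5 or sha512 still lets an attacker who obtains the table test billions of guesses per second per user, which is why the built-in bcrypt-based API is the better default wherever the PHP version allows it.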