thankqwerty Posted September 10, 2008 Share Posted September 10, 2008 Hello all, I'm new to php and mysql and everything ..... I'm trying to set up a registry for my site. So i suppose i'll need to create a new table to save all the user information. My question is how can i hide the user passwords from myself and any administrators in the mysql admin screen for example? Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 10, 2008 Share Posted September 10, 2008 md5() hashes are a good way of securely storing passwords. Google for some simple registration script tutorials. Quote Link to comment Share on other sites More sharing options...
fenway Posted September 10, 2008 Share Posted September 10, 2008 md5() hashes are a good way of securely storing passwords. Not at all... single-pass hashing algorithms are easy cracked -- at the very least use a reasonable salt. Alternatively, use SHA1. Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 11, 2008 Share Posted September 11, 2008 Oh, yeah I should have mentioned something about using a salt. I'm sure most tutorials would salt passwords though. Quote Link to comment Share on other sites More sharing options...
revraz Posted September 11, 2008 Share Posted September 11, 2008 I don't recall any Tutorials that I've seen use salts. Oh, yeah I should have mentioned something about using a salt. I'm sure most tutorials would salt passwords though. Quote Link to comment Share on other sites More sharing options...
dprichard Posted September 12, 2008 Share Posted September 12, 2008 Okay for those of us who have no idea what salt is can you give us a link or a bit more info... Quote Link to comment Share on other sites More sharing options...
peranha Posted September 12, 2008 Share Posted September 12, 2008 Okay for those of us who have no idea what salt is can you give us a link or a bit more info... A salt is something that is added to the password. EX. <?php $salt = 'asdfpoiu3456'; //salt to add to the password $password = $_POST['password']; //Users password $encpass = md5($salt.$password); //Salt added to the users password to make dictionary attacks almost useless. ?> Something along those lines is what you would want. Quote Link to comment Share on other sites More sharing options...
fenway Posted September 12, 2008 Share Posted September 12, 2008 Google "rainbow attacks" and you'll see why this is important... or use a better hashing algorithm. Quote Link to comment Share on other sites More sharing options...
dprichard Posted September 12, 2008 Share Posted September 12, 2008 So would you recommend sha1 and salt? Quote Link to comment Share on other sites More sharing options...
dprichard Posted September 12, 2008 Share Posted September 12, 2008 Question, if they are doing a dictionary attack wouldn't your system be adding the salt back onto the password to check it agaisnt the database when the user logs in? So wouldn't a dictionary attack work the same way? Quote Link to comment Share on other sites More sharing options...
peranha Posted September 12, 2008 Share Posted September 12, 2008 you can use MD5 as long as you use a salt. sha1 will give you a stronger encription. There are "rainbow tables out for pretty much all hashes". I use sha512 and a salt my site. But whatever hash you use, make sure you use a salt with it. Quote Link to comment Share on other sites More sharing options...
dprichard Posted September 12, 2008 Share Posted September 12, 2008 So, when someone is doing an attack aren't they going to be doing it against your login form? If so, wouldn't you have to add the salt back in to verify the user and wouldn't that make whatever they put in already have the salt in it? Sorry, just trying to understand all this as best as I can. Thanks for any info. Quote Link to comment Share on other sites More sharing options...
fenway Posted September 12, 2008 Share Posted September 12, 2008 Yes, you'd be adding the salt back... but the attacker has no idea what the salt is. Quote Link to comment Share on other sites More sharing options...
revraz Posted September 12, 2008 Share Posted September 12, 2008 There is nothing to stop brute forcing attempts except for user's using good passwords. His main question was how does he hide the PW so no one can see them in the DB. Hashing does this task. If you want to get more complex, then you can force your users to use a complex PW system that involves Caps, numbers, etc. Question, if they are doing a dictionary attack wouldn't your system be adding the salt back onto the password to check it agaisnt the database when the user logs in? So wouldn't a dictionary attack work the same way? Quote Link to comment Share on other sites More sharing options...
fenway Posted September 12, 2008 Share Posted September 12, 2008 There is nothing to stop brute forcing attempts except for user's using good passwords. Without salts, "good" passwords aren't helpful. Quote Link to comment Share on other sites More sharing options...
thankqwerty Posted September 17, 2008 Author Share Posted September 17, 2008 thank you all for the replies. So as i understand it is that i generate a random salt for each of the user account (which will also be stored in the user database) then, combine the salt using md5() with the user password to get a random-looking string and store that into the database. And each time when an user want to logon, the php code would retrieve the user's salt from the database and combine it with user password (which the user input) to check with the coded-password in the database, right? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.