your.syndrome Posted November 25, 2008
I've been following a tutorial found at a tutorial on NETTUTS about user/membership areas. I understand how all this works but was wondering if anyone can go into detail about the flaws in the security of it and what you could do to remedy them? P.S. I'm new here! So if this kind of topic has been discussed, could someone point me in the right direction?
dezkit Posted November 25, 2008
It's pretty secure, but the HTML is terrible.
bluesoul Posted November 25, 2008
Yeah, the form could be a little better but the functionality's pretty standard; md5 is far and away the most common form of password encryption on PHP-powered sites.
dezkit Posted November 25, 2008
Oh and by the way: http://md5decryption.com/ Some hackers already found out a way to decrypt md5, they must be 100% cool and have a totally amazing life.
bluesoul Posted November 25, 2008
Not quite, from the site: "How many MD5 hashes are in our database? We have encrypted more than 150,000 words, phrases, acronyms, etc since 2006."
It's nothing more than a dictionary search. MD5 is somewhat vulnerable to hash collisions especially with a database of that size. I believe there's still a distributed computing effort going on to outright crack MD5.
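
Added example (not part of the thread or the NETTUTS tutorial): why the dictionary lookup described above works against unsalted md5() password hashes, and one remedy using PHP's password_hash() with an upgrade-on-login path. It assumes PHP 7.1 or later; the word list, the passwords and the verify_and_upgrade() helper are constructed for illustration.

```php
<?php
// Added example; passwords, word list and function name are constructed/hypothetical.

// A lookup site is a precomputed map of md5(word) => word.
$lookup = [];
foreach (['password', 'letmein', 'dragon', 'qwerty'] as $word) {
    $lookup[md5($word)] = $word;
}

// Unsalted MD5 gives the same hash on every site, so one table covers them all.
$legacyStored = md5('letmein');
$recovered = $lookup[$legacyStored] ?? null;

// password_hash() adds a random salt per call and is deliberately slow,
// so two hashes of one password differ and a precomputed table cannot match.
$a = password_hash('letmein', PASSWORD_DEFAULT);
$b = password_hash('letmein', PASSWORD_DEFAULT);

/**
 * Hypothetical login check: accepts a legacy unsalted MD5 row and, on success,
 * returns a replacement hash for the caller to store.
 * Returns [bool $ok, ?string $newHash].
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {      // legacy md5() row
        $ok = hash_equals($stored, md5($password));     // constant-time compare
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $rehash ? password_hash($password, PASSWORD_DEFAULT) : null];
}

var_dump($recovered);                        // table lookup result for the MD5 row
var_dump($a === $b, isset($lookup[$a]));     // salted hashes vs. the same table
[$ok, $new] = verify_and_upgrade('letmein', $legacyStored);
var_dump($ok, password_verify('letmein', $new));
[$bad, $none] = verify_and_upgrade('wrong-guess', $legacyStored);
var_dump($bad, $none);
```

On a successful legacy login the caller writes the returned hash over the old MD5 value, so stored MD5 rows disappear as users sign in.
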
your.syndrome Posted November 25, 2008
First, thanks for your replies. Hackers 'ey? I'm starting to build a community site with user login and unique profiles for each user. If I use this code to base my authentication on, am I going to be making a mistake? Would you suggest using any other script?
mtoynbee Posted November 25, 2008
Just shows that you still need a strong password containing numbers and symbols to reduce the chance of someone getting your password. You can't rely solely on encryption.
bluesoul Posted November 25, 2008
As long as you understand what's going on with the code, I don't see anything obviously bad about it. There's only so many ways to make a login script.
tomfmason Posted November 25, 2008
To be honest I think that code is a mess. I am seriously considering writing a good role-based user authentication tutorial. I may even add some BDD to make it interesting.
your.syndrome Posted November 25, 2008
"As long as you understand what's going on with the code, I don't see anything obviously bad about it. There's only so many ways to make a login script."
Right okay, looks like I'll be going with this then. Thanks for the advice! When I get hacked I know who to come shout at, jokes!
Archived
This topic is now archived and is closed to further replies.