
Additional PW Security


RaythMistwalker


Ok, I wish to upgrade my users' password security.

 

Say at the moment the passwords are stored as somekey.encodedpassword.somekey

 

As you can see, the password is surrounded by "."

 

What I want to do is, when a user registers, assign a random 8-digit number before and after the password (this way it is different for each user), but obviously my login would bang back some of the users.

 

For example, say my password was test; the database would look like:

 

83758478.test.73263876

 

How would I get the PHP to only take the part between the two .'s (note this is not the real symbol I'm using; I just have it as an example)?

 

Reasoning: hackers who manage to get my original key will be stumped, as the numbers at both the beginning and end are generated randomly and separately.


What? Why are you trying to rebuild the wheel? Use a hash, such as MD5() or SHA(), with a salt. I'm assuming the user is not aware of these added values and is just entering their normal password, and you are planning to validate that against the database value by stripping off the added values, right? How is that going to thwart a hacker if they were to get into your database? Anyone intelligent enough to get into your database would be able to plainly see the pattern and figure out your 1337 encoding.


With what you have, a simple list/explode would work. But anyone that manages to view a few of the passwords would see the pattern with the dots and know what's up. Better would be:

$pass = '12345678dD4%%dert98765432';
// capture whatever sits between a leading and a trailing run of eight digits
preg_match('#[0-9]{8}(.*)[0-9]{8}#is', $pass, $result);
echo $result[1];


You could use this...

 

// explode() always returns an array, so test for the middle piece itself,
// not for the array; $password is FALSE when there is no second part.
$explode = explode('.', $password_before);
$password = isset($explode[1]) ? $explode[1] : FALSE;

 

Where all you have to do is change $password to whatever your password variable is and $password_before to whatever your password variable was.

 

You could also try removing the periods. As long as you know the exact length of the random string that you put at the beginning of your password, you could use something like this. I use a string length of 8 below because that is what you used in your post.

 

// skip the first 8 characters and stop 8 characters before the end
$password = substr($password_before, 8, strlen($password_before) - 16);


Crabfinger's second example is best, as you could use something like this:

34$%fFe0dD4%%dert!0(4%grF

and there is no pattern to be seen at all.

 

Except for the fact that people do not use gibberish for their passwords. Even if you don't use a delimiter such as a period, the passwords would be plainly visible to anyone looking at the raw data. The values in the database would look like the following:

 

(d&%^KS*spasswordNs*#]?1%
*'@jS7W6Go Raiders&dT$2(@|
:+!.D7k#pizza\_=2J3d

 

It wouldn't take a rocket scientist to decipher the real passwords. Hashes have been used to mask passwords in databases for years and are irreversible - i.e. you cannot decipher the real password from the hashed value. Please do not respond that MD5 can be cracked - it can't. But, if users use stupid simple passwords and you do not utilize a SALT, then a lookup table can be used, but that is not the same as 'cracking' MD5.

 

Anyway, here is an example of a typical usage:

 

// User-entered password
$password = "Some value by the user";
// The account name, assumed to be available at this point; it is used as the per-user salt
$username = "someuser";

// First create a salt: append a value specific to the user or manipulate the value in some consistent manner
$passWithSalt = strrev($password) . $username;
// Second, hash the value
$hashedValue = md5($passWithSalt);

 

So, when a user creates a password you would follow that process and save it to the database. Then when a user logs in, you follow the same process to get the hashed value and compare that to the value in the database. I will guarantee that neither you nor any hacker can ever determine the user's password from what is in the database. At least not without a lot of time and processing power to create a custom lookup table of values using your salt.
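The same register-then-verify flow, written as an added example that is not code from any poster in this thread. It replaces the hand-rolled salt-and-md5 step with PHP's built-in password_hash() / password_verify() (PHP 5.5+), which draw a random per-user salt and store it inside the returned string, so nothing has to be stripped off or concatenated by hand. It also shows how rows written under the salted-md5 scheme above can be verified once and then upgraded in place on the user's next successful login. The in-memory $users array, the usernames and the dummy bcrypt string are constructed for the example.

```php
<?php
// Added example, not code from the thread: register/login using PHP's built-in
// password_hash() / password_verify(), with a one-time upgrade path for rows
// stored under the salted-md5 scheme from the post above.

// Constructed in-memory stand-in for a users table: username => stored value.
$users = [];

// The salted-md5 scheme described above, kept only so that existing rows can
// be verified once and then rewritten under the new scheme.
function legacyHash(string $password, string $username): string
{
    return md5(strrev($password) . $username);
}

function isLegacyHash(string $stored): bool
{
    // md5() output is exactly 32 hex characters; password_hash() output is not.
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

function registerUser(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today; the result embeds algorithm id, cost and
    // a random salt (a 60-character "$2y$10$..." string), different on every call.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Burn the same bcrypt cost for an unknown user so response time does not
        // reveal which usernames exist. The hash below is a constructed dummy
        // that can never match.
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }

    $stored = $users[$username];

    if (isLegacyHash($stored)) {
        // Row written by the old scheme: compare in constant time, then re-store
        // it under the new scheme on success.
        if (!hash_equals($stored, legacyHash($password, $username))) {
            return false;
        }
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }

    // Also upgrade rows whose cost or algorithm no longer matches the default.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Demo: one user created under the new scheme, one row left over from the old one.
registerUser($users, 'alice', 'test');
$users['bob'] = legacyHash('test', 'bob');

var_dump($users['alice'] !== $users['bob']);   // same password, different stored values
var_dump(loginUser($users, 'alice', 'test'));   // correct password
var_dump(loginUser($users, 'alice', 'Test'));   // wrong case
var_dump(loginUser($users, 'bob', 'test'));     // legacy row verified...
var_dump(isLegacyHash($users['bob']));          // ...and no longer legacy afterwards
var_dump(loginUser($users, 'carol', 'test'));   // unknown user
```

Two users with the same password end up with different stored values because the salt is drawn per call, which is exactly what defeats a precomputed lookup table; bob's md5 row is accepted once and rewritten as a bcrypt hash, so the old scheme disappears from the table as users log in, and hash_equals() keeps the legacy comparison from leaking how many leading characters matched.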


If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext.

 

Really? When I read his original post there is conflicting information.

 

say atm the passwords are stored as somekey.encodedpassword.somekey

 

for example say my password was test the database would look like:

 

83758478.test.73263876

 

Besides, if the password is encoded, what is the point of putting additional random data on the ends to prevent hackers from getting the info?


Besides, if the password is encoded, what is the point of putting additional random data on the ends to prevent hackers from getting the info?

 

If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext.

 

He can't encode it, because if he did he wouldn't be able to authenticate anyone, since he can't generate the same prefix and annex twice!! Apparently only mjdamato and I are aware of this.

 

Only mjdamato's option is tried-and-true.


Besides, if the password is encoded, what is the point of putting additional random data on the ends to prevent hackers from getting the info?

 

If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext.

 

He can't encode it, because if he did he wouldn't be able to authenticate anyone, since he can't generate the same prefix and annex twice!! Apparently only mjdamato and I are aware of this.

 

Only mjdamato's option is tried-and-true.

He doesn't need to generate the same thing twice; he encodes the password and then adds stuff to each end, not before. Then all he needs to do is remove the random shit (which he can do with substr) from each end and then decode it. The only security this adds is that if some l337 hacker decides to try and crack the password he will be fucked up by the random shit on either end.


Gee wow, go to work for a few hours and wow.

 

Yes, my passwords are hashed as well as encoded, and I think Crabfinger knows what I want to do. What's the substr thing you mentioned?

 

Edit: sorry, I just read Crabfinger's post with substr.

 

Yeah, I can take out the periods since I know it'll be a certain number of digits before and after, so how would I remove the 8 after as well as before?


The only security this adds is that if some l337 hacker decides to try and crack the password he will be fucked up by the random shit on either end.

 

Yeah

 

mqsdjfmqhstd.my beautiful password not visible at all here.qmlhgqhytmqr

 

Very hard indeed...

You're forgetting the part where I do actually encode it; I just didn't want to show how I encode it because it's done 3 times before it is saved.

 

An example could be md5(md5(sha1($password)))


What's the point in md5 hashing it twice?

 


$pass = substr($pass, 8);     // remove first eight chars.
$pass = substr($pass, 0, -8); // remove last eight chars.

 

What's the point of running substr() twice?

$pass = substr($pass, 8, -8); // Remove first AND last eight characters

 


What's the point in md5 hashing it twice?

 


$pass = substr($pass, 8);     // remove first eight chars.
$pass = substr($pass, 0, -8); // remove last eight chars.

 

That's the exact same thing as this:

 

// skip the first 8 characters and stop 8 characters before the end
$password = substr($password_before, 8, strlen($password_before) - 16);

 

which I posted earlier.
