Jump to content

Recommended Posts

Hi,

 

I'm new to the forum so I hope I'm in the right place.

I'm trying to develop a secure login & member system for a club website but am having difficulty in getting my head around salts and nonces for my registration & logon.

 

Here's what I do to reg:

$salt = "aB1cD2eF3G";
$salt .= $login;
$password = $_POST['password'];
$pass = md5($salt.$password);
//Create INSERT query
$qry = "INSERT INTO members(firstname, lastname, login, passwd) VALUES('$fname','$lname','$login','$pass')";

 

I know the salt is static & want to have it random; I think that's the idea of a nonce - but would I have to create a separate table for these nonces?

 

anyway; on my logon page I have this

 

$salt = "aB1cD2eF3G";
$salt .= $login;
$pass = md5 ( $salt . $password );
//Create query
$qry = "SELECT * FROM members WHERE login='$login' AND passwd='$pass'";
$result = mysql_query ( $qry );

//Check whether the query was successful or not
if ($result) {
if (mysql_num_rows ( $result ) == 1) {
	if (condition) {

	}
	//Login Successful
	session_regenerate_id ();

 

which works but i'm concerned with the problem above.

 

Finally, I just ahve this bit for nonce & timestamp:

// Security Checks
if (($timeStamp != $_SESSION ['TIME'])) {
$errmsg_arr [] = 'timeStamp amended: Security Hijack';
$errflag = true;
}

if (($nonce != $_SESSION ['RAND'])) {
$errmsg_arr [] = 'nonce missing: Security Hijack';
$errflag = true;
}

 

 

I get the RAND & TIME from hidden field.

 

I guess I'm just looking for advice.

 

Thanks,

 

SB

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/
Share on other sites

Random salts are pointless, since if your security is breached to the point where your passwords are accessible then so will the salts table/field which just makes it redundant. Stick with the single salt

 

Really.. you could use the same logic for storing as plain text passwords!

So when your website exposes all the passwords on a single sweep mine will require a lot more effort, I wonder who's users will feel more secure ?

 

Don't get me me wrong I do get your logic but I disagree that its pointless...

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029576
Share on other sites

I'm not sure if you understand what it is I was saying. I agree that having a salt is a good idea, but a random salt is just as much use as a static one if you're storing them together. If you're going to brute them you have the salt and the hash, so it's just as breakable

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029608
Share on other sites

I'm not sure if you understand what it is I was saying. I agree that having a salt is a good idea, but a random salt is just as much use as a static one if you're storing them together. If you're going to brute them you have the salt and the hash, so it's just as breakable

In which case, isn't it better to have one static salt defined as a variable in a script, along with a randomly generated salt in the database? If you do this, then if a hacker gets into the database he cannot decrypt the password and if he gets into the files then he cannot decrypt it as he is missing one salt in each case?

 

Just a thought though, never actually tried it.

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029611
Share on other sites

The first is correct yes, but if you have access to the files, you can get the database connection information and then get the salts for that (or even just use the sites built in functions to run the hack). This makes the database salt redundant again

True. I guess a static salt is more suitable then.

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029613
Share on other sites

I'm not sure if you understand what it is I was saying. I agree that having a salt is a good idea, but a random salt is just as much use as a static one if you're storing them together. If you're going to brute them you have the salt and the hash, so it's just as breakable

 

In part your right but overall you are wrong,

When it comes to brute force if the cracker has all parts to rebuilt the password then having random salts won't help (too much) however, brute force is the longest attack method, rainbow attacks are quicker as they are pre-calculated hashes,

so if you don't have a different salt for each user then a rainbow table can be built using the static salt and then that could be used on ALL users passwords.. but having a random salt it renders rainbow tables ineffective, as your need to create a new rainbow table for each user this proves ineffective thus your only real option is to use a brute force which is slower!

 

So to sum up

Clear text = 0 crack time

MD5 (no salt) =  rainbow table attack

MD5 (with static salt) =  Build custom rainbow table using static salt + rainbow table attack

MD5 (with dynamic salt) =  Brute force

 

and considering brute force takes the longest of all of them it would suggest that

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029632
Share on other sites

okay then; I understand then it's a hashed password with a dynamic salt.

So from my code above what's th best way to implement this?

 

So far I think I should....

when a user tries to log on the values submitted are username, password & nonce.

I cocatenate the nonce to the password & hash this value & post these values.

When checking if the passwords match server-side do I just get the password from the db via the select & appended & hash it to the nonce that was passed as hidden???

 

Thanks,

 

SB

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029637
Share on other sites

I would have a static salt for the site (stored in a PHP file) and in the database have a random salt,  as mattal999 said

 

In which case, isn't it better to have one static salt defined as a variable in a script, along with a randomly generated salt in the database? If you do this, then if a hacker gets into the database he cannot decrypt the password and if he gets into the files then he cannot decrypt it as he is missing one salt in each case?

 

This make the cracking harder as they need to get both salts and the hash, (so they will need more than just DB access)

how you concatenate them is up to you,

 

you could

prefix the site salt and append the users salt,

you could

append or prefix them both,

you could

prefix the first half of both of them and append the second half of both of them..

you could

MD5 the one of both of the salts and append/prefix it

list goes on!

 

of course whatever method used need to be repeated to match the hash,

 

So you could do all this in SQL ie[untested]

$password = mysql_real_escape_string($_POST['pass']);
mysql_quey("SELECT UserID FROM Users where MD5(CONCAT(`dbSalt`,'$password', '$siteSalt')) = `dbPassword`");

Link to comment
https://forums.phpfreaks.com/topic/196000-php-nonce-advice/#findComment-1029655
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.