Jump to content

Recommended Posts

Hi,

 

Im creating a simple site in PHP, for the most part its going well, however I struggling with an error that I have encountered.

 

Im generating a random salt upon registering a user. This works fine, However when logging in with this user I am struggling and receive an error. Can somebody please explain where I am going wrong?

 

I have attatched some images to this post which includes coding and the error message.

 

NOTE: signup works fine, it is just the log-in which is broken. I have however included screenshots of both pages for better understanding of how the site works. 

 

Signup:

 

http://picpaste.com/pics/SignUp-gZnFffux.1416827271.PNG

 

Log-in: 

 

http://picpaste.com/pics/log-in-gB895EyW.1416827394.PNG

 

Error Message:

 

http://picpaste.com/pics/error-pic-JwV9iLp8.1416827510.PNG

 

Kind Regards, Shaun

Link to comment
https://forums.phpfreaks.com/topic/292675-log-in-using-salted-password-error/
Share on other sites

There is nothing in that code that even uses the salt. You need to include the salt when generating the hash. Plus, the hashing algorithm is flawed. It first generates an MD5 hash and then does a SHA hash. Lastly, the login code never even uses the password. It appears to only be looking for a match on the username/email.

Never ever invent your own security algorithm. You cannot win, especially when you don't happen to be a genius cryptographer.

 

And indeed this is horribly insecure. I'm not sure why you think that chaining two extremely weak algorithms somehow magically creates a strong algorithm. It doesn't. Both MD5 and SHA-256 allow an attacker to try billions(!) of passwords on an average PC. At that rate, a few passwords more or less simply don't matter. The attacker can always buy or rent better hardware.

 

And who knows if this specific kind of chaining creates certain cryptographic weaknesses? Cryptography is an exact science, you can't just randomly throw together algorithms.

 

The salt generator is also very broken. This weird procedure only produces around 58 “random” bits (a common recommendation is 128 bits). Even worse, the bits aren't really random, because the str_shuffle() function was never designed for security purposes. It's based on trivial data like the current server time and the process ID which are easily guessable.

 

Long story short, always use established solutions. The state-of-the-art for password hashing is the bcrypt algorithm. If you have PHP 5.5, you can use it through the new Password Hashing API. If you have at least PHP 5.3.7, you can use the password_compat library which emulates the API. Older PHP versions are defective.

 

 

 

use this for storing user data http://www.openwall.com/phpass/

 

No. This library is hopelessly outdated and seems to have been abandoned by the author. It also comes with a lot of compatibility baggage which can lead to security issues (for example, there's a fallback to an MD5-based algorithm if bcrypt isn't found).

 

See above for an up-to-date solution.

  • Like 2
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.