
shaggycap

When showing user admin page - Password Question


I'm building a user admin section on my CMS, and have a page showing the details of a user that you can edit.

I can't just display the password field as its an MD5 hash, so what would be the best approach here? Obviously I can't decode it so I wondered how you dealt with something like this?

Well, don't.

Allow for resetting, not displaying.

Make some sort of "leave empty to not change" sort of field. Check if anything is entered into it, and if there is, then change it (you should possibly make a typing error check and a "current password" check).

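An added example (not code from the thread) of the "leave empty to not change" field described in the post above, with the two extra checks it suggests: a confirmation field against typing errors, and re-authentication of the admin before someone else's password can be replaced. The form field names, the `$adminStoredHash` parameter and the sample form array are assumptions for illustration; the stored value is a `password_hash()` string, never the password itself.

```php
<?php
// Added example, not from the original thread.
// Assumed form fields: new_password, new_password_confirm, admin_current_password.

/**
 * Decide what to do with the password fields of an admin "edit user" form.
 *
 * Returns null when the admin left the field empty (keep the existing hash),
 * otherwise a fresh hash to store. Throws on a validation failure.
 */
function newPasswordHashFromForm(array $post, string $adminStoredHash): ?string
{
    $new     = (string) ($post['new_password'] ?? '');
    $confirm = (string) ($post['new_password_confirm'] ?? '');
    $adminPw = (string) ($post['admin_current_password'] ?? '');

    // Empty field means "do not change": the old hash is left untouched.
    if ($new === '') {
        return null;
    }

    // Typing-error check: both copies must match exactly.
    if ($new !== $confirm) {
        throw new InvalidArgumentException('New password and confirmation do not match.');
    }

    // bcrypt (PASSWORD_BCRYPT, the current PASSWORD_DEFAULT) ignores bytes past 72.
    if (strlen($new) > 72) {
        throw new InvalidArgumentException('Password longer than 72 bytes.');
    }

    // "Current password" check: re-authenticate the admin performing the reset.
    if (!password_verify($adminPw, $adminStoredHash)) {
        throw new RuntimeException('Admin re-authentication failed.');
    }

    // Store a slow, salted hash; the plaintext is never written anywhere.
    return password_hash($new, PASSWORD_DEFAULT);
}

// Constructed sample input simulating the POSTed form (assumption, not real data).
$adminHash = password_hash('admin-secret', PASSWORD_DEFAULT);
$form = [
    'new_password'           => 'correct horse battery staple',
    'new_password_confirm'   => 'correct horse battery staple',
    'admin_current_password' => 'admin-secret',
];

$hash = newPasswordHashFromForm($form, $adminHash);
if ($hash === null) {
    echo "Password unchanged\n";
} else {
    // e.g. UPDATE users SET password_hash = :hash WHERE id = :id
    echo "Store new hash: $hash\n";
}
```

A `password_hash()` string is 60 characters for bcrypt and longer for Argon2, so the column that used to hold a 32-character MD5 hex digest should be widened (VARCHAR(255) is the usual choice) before switching.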
[quote author=steelmanronald06 link=topic=117581.msg480844#msg480844 date=1165538527]
Or just not MD5 your password, which is highly ill-advised.
[/quote]

S/he already did ;)

Admins have no reason, what so ever, to need to view a users password.

A password is for that user alone, and [b]no one[/b] else.

Yeah. I mean we can view our members passwords here at PHPFreaks, but we don't because it is never needed.......


April Fools!  Hmm.....not April! Damn!  Oh well.  The point is, don't do it. Because some people use one password for EVERYTHING

[quote author=steelmanronald06 link=topic=117581.msg480844#msg480844 date=1165538527]
Or just not MD5 your password, which is highly ill-advised.
[/quote]
I suspect this might be some sort of twisted sarcasm, but if it isn't, would you care to explain why it's a good idea to store passwords in plain text?

[quote author=Albright link=topic=117581.msg485135#msg485135 date=1166141029]
[quote author=steelmanronald06 link=topic=117581.msg480844#msg480844 date=1165538527]
Or just not MD5 your password, which is highly ill-advised.
[/quote]
I suspect this might be some sort of twisted sarcasm, but if it isn't, would you care to explain why it's a good idea to store passwords in plain text?
[/quote]He said that it was ill-advised, meaning he's saying it's a bad thing to do.

I understand that. What I'm asking is why he thinks MD5ing passwords is a bad thing to do. Sure, SHA1 is better, but I don't think that's what he means, from context...

MD5 is the most common, thus it is the most attacked. There are more rainbow tables for MD5 than any other hash.

PHP has a massive selection of hashing algorithms to choose from, FYI.

[quote author=Daniel0 link=topic=117581.msg485297#msg485297 date=1166166677]
Take a look at [url=http://php.net/mcrypt]mcrypt[/url]
[/quote]

Mcrypt has decryptable algorithms, not hashes. For passwords use hashes.

http://nl2.php.net/manual/en/ref.hash.php

There is also http://php.net/crypt, but the above is preferred.

Semi-on-topic: if one decided to drop MD5 from their site and port to a new type of encryption, am I right in thinking that you'd need to prompt the user for a new password that would be encrypted in the new method? Or am I missing an easy way?

not necessarily..
[code]<?php
// Try the new sha1 hash first, then fall back to the old md5 hash.
// On an md5 match the password is correct under the old scheme, so it is
// re-hashed with sha1 to upgrade the stored value.
// $password, $salt and $passwordFromDB are supplied by the login handler.

if (sha1($password . $salt) !== $passwordFromDB)
{
    if (md5($password . $salt) !== $passwordFromDB)
    {
        die('password incorrect');
    }
    else
    {
        // Old hash matched: replace it (write this value back to the DB).
        $passwordFromDB = sha1($password . $salt);
    }
}

echo 'Welcome';

?>[/code]

edit: removed false-false.

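The same transparent-upgrade idea as the post above, as an added example that is not part of the thread, but moving from legacy salted MD5 to PHP's `password_hash()` (bcrypt by default) rather than to SHA-1, and keeping already-upgraded hashes current with `password_needs_rehash()`. The `$user` record layout, the site-wide `$salt` and the sample row are assumptions for illustration; persisting the returned record is left to the caller.

```php
<?php
// Added example, not from the original thread.
// Assumed user record: ['id' => int, 'salt' => string, 'password' => string],
// where 'password' is either a legacy md5($password . $salt) hex digest or a
// modern password_hash() string.

/**
 * Verify $password against $user and return the (possibly upgraded) record,
 * or null when the password is wrong. The caller saves the record if it changed.
 */
function loginAndUpgrade(array $user, string $password): ?array
{
    $stored = (string) $user['password'];

    // password_hash() output starts with "$" ($2y$, $argon2id$, ...).
    if ($stored !== '' && $stored[0] === '$') {
        if (!password_verify($password, $stored)) {
            return null;
        }
        // Re-hash if the default algorithm or cost has moved on since it was stored.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $user['password'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return $user;
    }

    // Legacy branch: 32-hex-character md5 of password plus the site salt.
    $legacy = md5($password . $user['salt']);
    if (!hash_equals($stored, $legacy)) {   // constant-time comparison
        return null;
    }

    // Correct under the old scheme: replace it now, while the plaintext is in hand.
    $user['password'] = password_hash($password, PASSWORD_DEFAULT);
    return $user;
}

// Constructed sample: a row that still carries the old md5 hash (not real data).
$salt = 'site-wide-salt';
$user = ['id' => 7, 'salt' => $salt, 'password' => md5('hunter2' . $salt)];

$upgraded = loginAndUpgrade($user, 'hunter2');
if ($upgraded === null) {
    echo "password incorrect\n";
} else {
    // Persist $upgraded['password'] back to the users table here.
    echo "Welcome; stored hash now starts with ", substr($upgraded['password'], 0, 4), "\n";
}

// A wrong password is rejected on the legacy branch and leaves the row unchanged.
if (loginAndUpgrade($user, 'wrong') === null) {
    echo "wrong password rejected\n";
}
```

Because the old digest is only ever compared, never reversed, every user is migrated on their next successful login and nobody has to be asked for a new password. Rows that never log in again keep the weak hash, so a follow-up that forces a reset for stale accounts after a cut-off date is worth scheduling.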
I think you want to remove those ! from before sha1 or md5, but yeah, that should work; just transparently re-hash the password if the old hash algorithm shows that it is correct.

One thing to keep in mind is that md5() creates a string of 32 characters, and sha1() creates 40 characters. If you've set up the password field in your database to only hold 32 characters, you should modify it first to fit all 40 characters that a sha1() call will give you.
