benanamen, posted October 22, 2016:

Does it matter which way?

SELECT username, password FROM users WHERE username=:username
(Now compare password if valid username)

OR

SELECT username, password FROM users WHERE username=:username AND password = :password

Jacques1 (Solution), posted October 22, 2016:

How is the second query even possible? Are you storing your passwords as plaintext?

benanamen (Author), posted October 22, 2016 (edited October 22, 2016 by benanamen):

DERP! You're right, second way won't even work. Thanks. (And no, no plaintext passwords. I know better)

requinix, posted October 22, 2016:

By the way, in case you were considering it: Don't indicate whether the username does not exist vs. it does and the password is wrong. It reveals information an attacker could use. Use the same error message for both - ideally a single check in code like

if (no matching row || password hash does not match) {

Jacques1, posted October 22, 2016:

The slow hashing still allows a user to distinguish between the two cases: If the username is wrong, the application responds immediately, otherwise there will be a noticeable delay due to the password check (e.g. one second).

This can be slightly improved by hashing a dummy password when the username is wrong, but there will still be subtle differences (timing, unique errors of particular execution paths etc.). Personally, I just use public usernames instead of trying to hide the accounts.
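
The login check discussed in this thread, as an added example that is not part of any post: look up by username only, verify against a dummy hash when no row matches, and return one result for both failure cases. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory table, the account "alice", the passwords and the function name checkLogin are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: table layout, account and passwords below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)')
    ->execute([
        ':username' => 'alice',
        ':password' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);

// Hash of a throwaway value, created with the same algorithm and cost as real
// hashes, so a lookup miss still pays for one password_verify() call.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function checkLogin(PDO $pdo, string $username, string $password, string $dummyHash): bool
{
    // Look up by username only; the stored value is a hash, so it cannot be
    // compared to the submitted password in the WHERE clause.
    $stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always verify against some hash, real or dummy.
    $hashMatches = password_verify($password, $row === false ? $dummyHash : $row['password']);

    // Single check: no matching row || password hash does not match.
    return $row !== false && $hashMatches;
}

$attempts = [
    ['alice', 'correct horse'],   // valid login
    ['alice', 'wrong'],           // known user, bad password
    ['mallory', 'correct horse'], // unknown user
];
foreach ($attempts as [$user, $pass]) {
    $start = microtime(true);
    $ok = checkLogin($pdo, $user, $pass, $dummyHash);
    $ms = (microtime(true) - $start) * 1000;
    // Both failure cases get the same message.
    printf("%-8s %-28s (%.0f ms)\n", $user, $ok ? 'Logged in' : 'Invalid username or password', $ms);
}
```

As the last post points out, this narrows the timing gap between the two failure cases but does not remove every observable difference between the execution paths.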