Aureole Posted August 14, 2007 What's the best thing to do with regards to making something secure? At the moment, say for example on my registration page, once a user inputs a Password for instance I use md5() then I use base64_encode() before sending the data to the Database. Then of course, say on the Login page for example, I take whatever the user inputs and md5() it, then query the Database for the Password and use base64_decode() then compare the hashes. I know that base 64 isn't that secure and I know that these days there are huge Databases of md5 hashes so I'm just not sure this is going to be secure... Any insight, ideas? Thanks!
PhaZZed Posted August 14, 2007 In my opinion, using the md5 checksum encryption is pretty secure - I have not had any problems with hacking attempts and that. I guess it all depends on what you are wanting to do, and how important the information is..
MadTechie Posted August 14, 2007 MD5 is secure but due to rainbow tables it's better to use MD5 with a salt, i.e.

$pass = "hello";
$salt = "blarblar";
MD5(MD5($pass).$salt);

Now the salt can be stored with the password (extra field needed) or you can have a static site salt code (one that every user will use). Personally I generate a random 8 char code for each user and store that in the database. You could use sha1 instead, it is a little more secure.
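The per-user salt scheme MadTechie describes (and the registration/login flow Aureole asked about), written out as an added example that is not code from this thread: a random 8-character salt is generated at registration and stored next to the hash, and login recomputes MD5(MD5($pass).$salt) and compares it. The $users array is a constructed in-memory stand-in for the database table. As a caveat for readers today, a salted MD5 is still a fast hash that can be guessed at high speed once the salt is read from the database, so the block also shows PHP's built-in password_hash()/password_verify() (PHP 5.5+, bcrypt with its own embedded salt), which is the preferred way to do this now.

```php
<?php
// Added example: per-user salted MD5 as described in the thread, plus the
// modern PHP built-in for comparison. $users is a constructed stand-in for
// the database table (columns: username, salt, hash).

function makeSalt() {
    // 8 hex characters from a CSPRNG (random_bytes is PHP 7+)
    return bin2hex(random_bytes(4));
}

function saltedMd5($password, $salt) {
    // MD5(MD5($pass).$salt), exactly the form posted in the thread
    return md5(md5($password) . $salt);
}

function registerUser(array &$users, $username, $password) {
    $salt = makeSalt();
    $users[$username] = array(
        'salt' => $salt,
        'hash' => saltedMd5($password, $salt),
    );
}

function loginUser(array $users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    $row = $users[$username];
    // hash_equals (PHP 5.6+) compares in constant time so the comparison
    // itself does not leak how many leading characters matched
    return hash_equals($row['hash'], saltedMd5($password, $row['salt']));
}

// Preferred today: bcrypt via password_hash, which generates and stores its
// own salt inside the returned string, so no separate salt column is needed.
function registerUserModern(array &$users, $username, $password) {
    $users[$username] = array('hash' => password_hash($password, PASSWORD_DEFAULT));
}

function loginUserModern(array $users, $username, $password) {
    return isset($users[$username])
        && password_verify($password, $users[$username]['hash']);
}

// Demonstration with constructed users
$users = array();
registerUser($users, 'alice', 'hello');
var_dump(loginUser($users, 'alice', 'hello'));   // correct password
var_dump(loginUser($users, 'alice', 'hello1'));  // wrong password
var_dump(loginUser($users, 'bob', 'hello'));     // unknown user

$modern = array();
registerUserModern($modern, 'alice', 'hello');
var_dump(loginUserModern($modern, 'alice', 'hello'));
?>
```

Note that the salted scheme never needs a base64 step: the hash is stored as the 32-character hex string md5() returns and compared as-is, and because the salt differs per user, two users with the same password get different stored hashes.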
Aureole (Author) Posted August 14, 2007 Well it's just a Password and a Validation code that I generate then send to the user's Email Address so they can validate their account. I md5 then base 64 encode the former; the latter is just md5-ed. I'm wondering how companies such as IPS and Jelsoft approach this when making their Forum software, anyone have any ideas? I know IPB use some kind of "stronghold Cookie", not sure about VB. I'm just thinking they are successful companies with successful software so the way they do it must be safe, anyone know how? Thanks again.
Aureole (Author) Posted August 14, 2007 Yes I've thought about using sha1 but md5 seems to be used in all web-based software I have come across to date. I've also read about salt keys, I believe IPB uses them. I'll go read about them. *Sorry if this ends up being a double post if no-one replied before this/after the other.*
MadTechie Posted August 14, 2007 IPB use MD5 with salt.. so does VB (maybe sha1 with salt). SHA1 is more secure but MD5 is more of a standard (a little faster as well).
Aureole (Author) Posted August 14, 2007 Ok so it must be pretty damn secure, maybe I could go an extra length and use Sessions AND a Cookie? In fact I think I had a clever idea...have a Cookie made when the user first registers that just contains a really long string...letters and numbers, then every time they login check to see if that cookie exists; basically this would mean if you didn't actually register you wouldn't be able to login. Of course if a client deletes the Cookie they are kind of screwed though... =\ I guess if I just md5() the Username AND Password then that should be ok, right?
MadTechie Posted August 14, 2007 And they can't use another browser or computer or run a disk clean up.. may want to rethink that lol. Why MD5 the Username? Remember MD5 is ONE-WAY encryption.. Also as a note, if the salt is known then someone can write a brute force cracker.. And the login page isn't going to be the problem.. it's more common for someone to get a membership then look for holes after the login page.
Aureole (Author) Posted August 14, 2007 You're right, that was a bad idea... So if I just use MD5 and Salt and make sure no-one could possibly find out the salt key? Maybe I could change the salt key on each login then set a cookie? Or...I could just shut up and do it normally. I just want it to be secure 'cause hopefully eventually it's going to be a big project...
MadTechie Posted August 14, 2007 Don't change it unless they change the password, then generate a new one.. Save some areas of security for the login page, i.e. detecting someone trying every possible password (aka brute force), thus after 5 attempts the account is suspended for 30 minutes; if the same IP attempts to login more than 10 times (no matter what the account name) that IP is banned for 30 minutes, etc. There's some nice ones I use.. get your thinking cap on. Oh, the reason I use 30 minutes is if you did 100 days you may get someone who could ban all your members.. Oh yeah, have a display and a login name, never show the login name (kinda like a 2nd password), also you need a forgot password, forgot username page.
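MadTechie's lockout rules written out as an added example, not code from the thread: five failed attempts on one account suspend that account for 30 minutes, and more than ten failed attempts from one IP within that window, whatever the account name, block the IP for 30 minutes. The $state arrays are a constructed in-memory stand-in for a failed-logins table, $checkPassword is whatever verifies the stored hash, and $now is passed in explicitly so the 30-minute expiry can be exercised without waiting. The IP address used in the demonstration is a constructed documentation address.

```php
<?php
// Added example: login throttling per account and per IP, modelled on the
// thread's "5 attempts / 30 minutes per account, more than 10 per IP" rules.
// $state is a constructed in-memory stand-in for a database table.

define('LOCK_SECONDS', 30 * 60);
define('ACCOUNT_LIMIT', 5);   // 5th failure suspends the account
define('IP_LIMIT', 10);       // 11th failure from one IP blocks the IP

function newThrottleState() {
    return array('account' => array(), 'ip' => array());
}

// Drop recorded failures that are older than the lockout window
function pruneFailures(array $timestamps, $now) {
    return array_values(array_filter($timestamps, function ($t) use ($now) {
        return ($now - $t) < LOCK_SECONDS;
    }));
}

// True if this attempt must be refused before the password is even checked
function isLockedOut(array &$state, $username, $ip, $now) {
    $acct = isset($state['account'][$username]) ? $state['account'][$username] : array();
    $byIp = isset($state['ip'][$ip]) ? $state['ip'][$ip] : array();
    $acct = pruneFailures($acct, $now);
    $byIp = pruneFailures($byIp, $now);
    $state['account'][$username] = $acct;
    $state['ip'][$ip] = $byIp;
    return count($acct) >= ACCOUNT_LIMIT || count($byIp) > IP_LIMIT;
}

function recordFailure(array &$state, $username, $ip, $now) {
    $state['account'][$username][] = $now;
    $state['ip'][$ip][] = $now;
}

function recordSuccess(array &$state, $username) {
    // a successful login clears the account counter (the IP counter is kept)
    unset($state['account'][$username]);
}

function attemptLogin(array &$state, $username, $password, $ip, $now, callable $checkPassword) {
    if (isLockedOut($state, $username, $ip, $now)) {
        return 'locked';   // suspended: do not reveal whether the password was right
    }
    if ($checkPassword($username, $password)) {
        recordSuccess($state, $username);
        return 'ok';
    }
    recordFailure($state, $username, $ip, $now);
    return 'bad';
}

// Demonstration with a constructed password check and a fixed clock
$check = function ($u, $p) { return $u === 'alice' && $p === 'correct'; };
$state = newThrottleState();
$t = 1000000;
for ($i = 0; $i < 5; $i++) {
    // five wrong guesses in a row from the same address
    echo attemptLogin($state, 'alice', 'wrong', '203.0.113.9', $t + $i, $check), "\n";
}
// the correct password is refused while the account is suspended
echo attemptLogin($state, 'alice', 'correct', '203.0.113.9', $t + 5, $check), "\n";
// after the 30-minute window the old failures have expired
echo attemptLogin($state, 'alice', 'correct', '203.0.113.9', $t + 5 + LOCK_SECONDS, $check), "\n";
?>
```

Two design points: a refused attempt during a lockout is not counted as a new failure, so the window always ends 30 minutes after the last real failure rather than being extended by the attacker's own retries, and the account suspension expires on its own, which is exactly the point MadTechie makes about keeping the window short so that one person cannot permanently lock out other members.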
Aureole (Author) Posted August 14, 2007 Yes I'm still pondering on how I'm going to code the lost password/username pages but I will do it, and good idea with the brute force counter-measures, I'll try to implement something similar and I'll probably do the Login/Display name too.
MadTechie Posted August 14, 2007 Lost password emails a reset account password link; lost name emails the login name, but I'll let you think about them a little bit :-X
jitesh Posted August 14, 2007 I think you know the basics of OOP.

<?php
// A simple XOR-based cipher class. keyED() XORs each byte of the input against
// the hex digits of md5($key), cycling through the digest. encrypt() draws a
// random per-message key, interleaves each key character with the XORed
// plaintext byte, then runs the result through keyED() and base64-encodes it.
// decrypt() reverses those steps.
class Crypter {
    public $key;

    // PHP 5+ constructor (the original used the PHP 4 style Crypter($clave))
    function __construct($clave) {
        $this->key = $clave;
    }

    function setKey($clave) {
        $this->key = $clave;
    }

    // XOR every byte of $txt with the next hex digit of md5($this->key)
    function keyED($txt) {
        $encrypt_key = md5($this->key);
        $ctr = 0;
        $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++) {
            if ($ctr == strlen($encrypt_key)) $ctr = 0;
            $tmp .= substr($txt, $i, 1) ^ substr($encrypt_key, $ctr, 1);
            $ctr++;
        }
        return $tmp;
    }

    function encrypt($txt) {
        // seed cast to int so it runs on current PHP; PHP 7.1+ seeds automatically
        srand((int) (microtime(true) * 1000000));
        $encrypt_key = md5(rand(0, 32000));   // per-message key
        $ctr = 0;
        $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++) {
            if ($ctr == strlen($encrypt_key)) $ctr = 0;
            // store the key character followed by (plaintext byte XOR key character)
            $tmp .= substr($encrypt_key, $ctr, 1) . (substr($txt, $i, 1) ^ substr($encrypt_key, $ctr, 1));
            $ctr++;
        }
        return base64_encode($this->keyED($tmp));
    }

    function decrypt($txt) {
        $txt = $this->keyED(base64_decode($txt));   // keyED is its own inverse
        $tmp = "";
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = substr($txt, $i, 1);   // the stored key character
            $i++;
            $tmp .= (substr($txt, $i, 1) ^ $md5);   // XOR it back out of the next byte
        }
        return $tmp;
    }
}
?>
Aureole (Author) Posted August 14, 2007 Nice code snippet there, classes...there's something I haven't delved into yet. I really don't know what it does but I'll look into it.
ToonMariner Posted August 14, 2007 Those are not particularly secure encryptions - mcrypt functions would be more suitable.
Aureole (Author) Posted August 14, 2007 I think for now I'll just stick to md5 and salt, I don't want to implement code if I don't understand it.
jitesh Posted August 14, 2007

<?php
include('encryption.php');   // the Crypter class from the earlier post
$Crypter = new Crypter("TEST");
$str = "Password";
echo $Crypter->encrypt($str);
echo "<br>";
echo $Crypter->decrypt($Crypter->encrypt($str));
?>
MadTechie Posted August 14, 2007 Cheers jitesh, that's no help at all! :-\
Aureole (Author) Posted August 14, 2007 Well thanks for posting code snippets and stuff but I don't understand them and until I do I'm not going to implement them. Basically, although this is a big project that I'm working on, I'm making sure I only use code that I understand, so of course at first it's going to be simple, but not only is this a project it's also how I plan to learn PHP. Oh and jitesh you should use <br /> not <br> lol...sorry I had to.