Aureole Posted August 14, 2007 Share Posted August 14, 2007 What's the best thing to do with regards to making something secure. At the moment say for example on my registration page once a user inputs a Pasword for instance I use md5() then I use base_64_encode() before sending the data to the Database. Then of course say on the Login page for example I take the whatever the user inputs and md5() it then query the Database for the Password and use base_64_decode() then compare the hashes. I know that base 64 isn't that secure and I know that these days there are huge Databases of md5 hashes so I'm just not sure this is going to be secure... Any insight, ideas? Thanks! Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/ Share on other sites More sharing options...
PhaZZed Posted August 14, 2007 Share Posted August 14, 2007 In my opinion, using the md5 checksum encryption is pretty secure - I have not had any problems with hacking attempts and that. I guess it all depends on what you are wanting to do, and how important the information is.. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323362 Share on other sites More sharing options...
MadTechie Posted August 14, 2007 Share Posted August 14, 2007 MD5 is secure but due to raindow tables its better to user MD5 with salt ie $pass = "hello"; $salt = "blarblar"; MD5(MD5($pass).$salt); now the salt can be stored with the password (extra field needed) or you can have a static site salt code (one that every user will use) personally i generate a random 8 char code for each user and store that in the database you could use sha1 instead it is a little more secure Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323371 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 Well it's just a Password and a Validation code that I generate then send to the user's Email Address so they can validate their account. I md5 then base 64 encode the former the latter is just md5-ed. I'm wondering how companies such as IPS and Jelsoft approach this when making their Forum software, anyone have any ideas? I know IPB use some kind of "stronghold Cookie" not sure about VB. I'm just thinking they are successful companies with successful software so the way they do it must be safe, anyone know how? Thanks again. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323373 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 Yes I've thought about using sha1 but md5 seems to be used in all web-based software I have came across to date. I've also read about salt keys, I believe IPB uses them. I'll go read about them. *Sorry if this ends up being a double post if no-one replied before this/after the other.* Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323375 Share on other sites More sharing options...
MadTechie Posted August 14, 2007 Share Posted August 14, 2007 IPB use MD5 with salt.. so do VB (maybe sha1 with salt) SHA1 is securer but MD5 is more of a standard (a little faster as well) Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323378 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 Ok so it must be pretty damn secure, maybe I could go an extra length and use Sessions AND a Cookie? In fact I think I had a clever idea...have a Cookie made when the user first registers that just contains a really long string...letters and numbers then everytime they login check to see if that cookie exists basically this would mean if you didn't actually register you wouldn't be able to login. Of course if a client deletes the Cookie they are kind of screwed though... =\ I guess if I just md5() the Username AND Password then that should be ok, right? Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323384 Share on other sites More sharing options...
MadTechie Posted August 14, 2007 Share Posted August 14, 2007 and they can't use another browser or computer or run a disk clean up.. may want to rethink that lol why MD5 the Username ? remember MD5 is ONEWAY encryption.. also as a note if the salt it know then someone can write a brute force cracker.. and the login page isn't going to be the problem.. its more common for someone to get a membership then look for holes after the login page. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323419 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 You're right that was a bad idea... So if I just use MD5 and Salt and make sure no-one could possibly find out the salt key? Maybe I could change the salt key on each login then set a cookie? Or...I could just shut up and do it normally. I just want it to be secure 'cause hopefully eventually it's going to be a big project... Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323423 Share on other sites More sharing options...
MadTechie Posted August 14, 2007 Share Posted August 14, 2007 don't change it unless they change the password then generate a new one.. save some areas of security for the login page, ie detecting someone trying every possible password (aka brute force) thus after 5 attemps the account is surspended for 30 minutes, if the same ip attemps to login more that 10 time (no matter what the account name) that IP is banned for 30 minutes etc theirs some nice ones i use.. get your thinking cap on oh the reason i use 30 minutes is if you done 100days you may get someone could ban all your members.. oh yeah have a display and a login name never show the login name (kinda like a 2nd password), also you need a forgot password, forgot username page Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323432 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 Yes I'm still pondering on how I'm going to code the lost password/username pages but I will do it and good idea with the brute force counter-measures I'll try implement some similar and I'll probably do the Login/Display name too. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323438 Share on other sites More sharing options...
MadTechie Posted August 14, 2007 Share Posted August 14, 2007 lost password emails a reset account password link lost name emails the login name but i'll let you think about them a little bit :-X Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323441 Share on other sites More sharing options...
jitesh Posted August 14, 2007 Share Posted August 14, 2007 I think you know basics of oops <?php class Crypter{ var $key; function Crypter($clave){ $this->key = $clave; } function setKey($clave){ $this->key = $clave; } function keyED($txt) { $encrypt_key = md5($this->key); $ctr=0; $tmp = ""; for ($i=0;$i<strlen($txt);$i++) { if ($ctr==strlen($encrypt_key)) $ctr=0; $tmp.= substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1); $ctr++; } return $tmp; } function encrypt($txt){ srand((double)microtime()*1000000); $encrypt_key = md5(rand(0,32000)); $ctr=0; $tmp = ""; for ($i=0;$i<strlen($txt);$i++){ if ($ctr==strlen($encrypt_key)) $ctr=0; $tmp.= substr($encrypt_key,$ctr,1) . (substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1)); $ctr++; } return base64_encode($this->keyED($tmp)); } function decrypt($txt) { $txt = $this->keyED(base64_decode($txt)); $tmp = ""; for ($i=0;$i<strlen($txt);$i++){ $md5 = substr($txt,$i,1); $i++; $tmp.= (substr($txt,$i,1) ^ $md5); } return $tmp; } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323442 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 Nice code snippet there, classes...there's something I haven't delved into yet. I really don't know what it does but I'll look into it. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323443 Share on other sites More sharing options...
ToonMariner Posted August 14, 2007 Share Posted August 14, 2007 those are not partyicularly secure encryptions - mcrypt functions would be more suitable. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323448 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 I think for now I'll just stick to md5 and salt I don't want to implement code if I don't understand it. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323452 Share on other sites More sharing options...
jitesh Posted August 14, 2007 Share Posted August 14, 2007 <?php include('encryption.php'); $Crypter = new Crypter("TEST"); $str = "Password"; echo $Crypter->encrypt($str); echo "<br>"; echo $Crypter->decrypt($Crypter->encrypt($str)); ?> Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323454 Share on other sites More sharing options...
MadTechie Posted August 14, 2007 Share Posted August 14, 2007 cheers jitesh, thats no help at all! :-\ Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323461 Share on other sites More sharing options...
Aureole Posted August 14, 2007 Author Share Posted August 14, 2007 Well thanks for posting code snippets and stuff but I don't understand them and until I do I'm not going to implement them. Basically although this is a big project that I'm working on I'm making sure I only use code that I understand so of course at first it's going to be simple but not only is this a project it's also how I plan to learn PHP. Oh and jitesh you should use <br /> not <br> lol...sorry I had to. Quote Link to comment https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323467 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.