Jump to content

Recommended Posts

What's the best thing to do with regards to making something secure.

 

At the moment say for example on my registration page once a user inputs a Pasword for instance I use md5() then I use base_64_encode() before sending the data to the Database. Then of course say on the Login page for example I take the whatever the user inputs and md5() it then query the Database for the Password and use base_64_decode() then compare the hashes.

 

I know that base 64 isn't that secure and I know that these days there are huge Databases of md5 hashes so I'm just not sure this is going to be secure...

 

Any insight, ideas? Thanks!

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/
Share on other sites

MD5 is secure but due to raindow tables its better to user MD5 with salt

 

ie

$pass = "hello";
$salt = "blarblar";
MD5(MD5($pass).$salt);

 

now the salt can be stored with the password (extra field needed) or you can have a static site salt code (one that every user will use)

 

personally i generate a random 8 char code for each user and store that in the database

 

you could use sha1 instead it is a little more secure

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323371
Share on other sites

Well it's just a Password and a Validation code that I generate then send to the user's Email Address so they can validate their account. I md5 then base 64 encode the former the latter is just md5-ed.

 

I'm wondering how companies such as IPS and Jelsoft approach this when making their Forum software, anyone have any ideas? I know IPB use some kind of "stronghold Cookie" not sure about VB.

 

I'm just thinking they are successful companies with successful software so the way they do it must be safe, anyone know how? Thanks again.

 

 

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323373
Share on other sites

Yes I've thought about using sha1 but md5 seems to be used in all web-based software I have came across to date. I've also read about salt keys, I believe IPB uses them. I'll go read about them. *Sorry if this ends up being a double post if no-one replied before this/after the other.*

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323375
Share on other sites

Ok so it must be pretty damn secure, maybe I could go an extra length and use Sessions AND a Cookie? In fact I think I had a clever idea...have a Cookie made when the user first registers that just contains a really long string...letters and numbers then everytime they login check to see if that cookie exists basically this would mean if you didn't actually register you wouldn't be able to login. Of course if a client deletes the Cookie they are kind of screwed though... =\

 

I guess if I just md5() the Username AND Password then that should be ok, right?

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323384
Share on other sites

and they can't use another browser or computer or run a disk clean up.. may want to rethink that lol

 

why MD5 the Username ?

 

remember MD5 is ONEWAY encryption.. also as a note if the salt it know then someone can write a brute force cracker..

 

and the login page isn't going to be the problem.. its more common for someone to get a membership then look for holes after the login page.

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323419
Share on other sites

You're right that was a bad idea...  ;D

 

So if I just use MD5 and Salt and make sure no-one could possibly find out the salt key? Maybe I could change the salt key on each login then set a cookie? Or...I could just shut up and do it normally.  ;D

 

I just want it to be secure 'cause hopefully eventually it's going to be a big project...

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323423
Share on other sites

don't change it unless they change the password then generate a new one..

 

save some areas of security for the login page, ie

detecting someone trying every possible password (aka brute force) thus after 5 attemps the account is surspended for 30 minutes, if the same ip attemps to login more that 10 time (no matter what the account name) that IP is banned for 30 minutes etc

 

theirs some nice ones i use.. get your thinking cap on

 

oh the reason i use 30 minutes is if you done 100days you may get someone could ban all your members..

 

oh yeah have a display and a login name never show the login name (kinda like a 2nd password), also you need a forgot password, forgot username page ;)

 

 

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323432
Share on other sites

I think you know basics of oops

 

<?php
class Crypter{

  var $key;


  function Crypter($clave){
     $this->key = $clave;
  }

    function setKey($clave){
     $this->key = $clave;
  }
  
  function keyED($txt) { 
     $encrypt_key = md5($this->key); 
     $ctr=0; 
     $tmp = ""; 
     for ($i=0;$i<strlen($txt);$i++) { 
        if ($ctr==strlen($encrypt_key)) $ctr=0; 
        $tmp.= substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1); 
        $ctr++; 
     } 
     return $tmp; 
  } 
  
  function encrypt($txt){ 
     srand((double)microtime()*1000000); 
     $encrypt_key = md5(rand(0,32000)); 
     $ctr=0; 
     $tmp = ""; 
     for ($i=0;$i<strlen($txt);$i++){ 
        if ($ctr==strlen($encrypt_key)) $ctr=0; 
        $tmp.= substr($encrypt_key,$ctr,1) . 
            (substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1)); 
        $ctr++; 
     } 
     return base64_encode($this->keyED($tmp)); 
  } 

  function decrypt($txt) { 
     $txt = $this->keyED(base64_decode($txt)); 
     $tmp = ""; 
     for ($i=0;$i<strlen($txt);$i++){ 
        $md5 = substr($txt,$i,1); 
        $i++; 
        $tmp.= (substr($txt,$i,1) ^ $md5); 
     } 
     return $tmp; 
  } 

}
?>

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323442
Share on other sites

Well thanks for posting code snippets and stuff but I don't understand them and until I do I'm not going to implement them.

 

Basically although this is a big project that I'm working on I'm making sure I only use code that I understand so of course at first it's going to be simple but not only is this a project it's also how I plan to learn PHP.  :)

 

Oh and jitesh you should use

<br />

not

<br>

lol...sorry I had to.

Link to comment
https://forums.phpfreaks.com/topic/64821-encryption/#findComment-323467
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.