helraizer Posted March 6, 2008

Hi folks,

www.helraizer.co.uk/mychatbox/test/login.php5

Spent today on the login system of my site. I'm sure it is pretty secure. At the moment there is no benefit of logging in, but there will be in the not-so-distant future. Could you let me know if there are any vulnerabilities, please. If there are no vulnerabilities, could you also let me know of that fact?

Sam
unsider Posted March 6, 2008

I only tested out the register form, and everything worked fine, so on the surface it's good. And you should change your extension from .php5 -> .php
helraizer (Author) Posted March 6, 2008

> I only tested out the register form, and everything worked fine, so on the surface it's good. And you should change your extension from .php5 -> .php

My webhost supports both php4 and php5, so anything with the extension .php is php4 by default, and for my hit counter I'm using file_put_contents, which doesn't exist in php4.

Sam
helraizer (Author) Posted March 6, 2008

No one? Only one person has tried it and registered... Please could people test it?

Sam
deadonarrival Posted March 7, 2008

"Your username cannot be less than 4 characters." My username was exactly 4 characters, looks like you need an < instead of a <= somewhere.

The security 5-digit number looks like it should be the captcha field... confused me for a second. Also, I'll forget the 5-digit number - better to just stick with a password. I know you're being security conscious, but it's unlikely to make much difference other than annoy users.

wtf is up with that captcha? I have to scroll down to the footnote, read it, think about it, then do it... A captcha should be something a person can do within a few seconds, but is difficult/impossible for a computer to solve. Your method is too obscure and could (with effort) be cracked anyway. If the computer can read the digits separately, it can also decode the (presumably finite) possibilities of your stating "enter this character then that one twice". Making the user enter digits in a random order won't stop it being cracked if someone cared that much.
helraizer (Author) Posted March 7, 2008

> "Your username cannot be less than 4 characters." My username was exactly 4 characters, looks like you need an < instead of a <= somewhere.
>
> The security 5-digit number looks like it should be the captcha field... confused me for a second. Also, I'll forget the 5-digit number - better to just stick with a password. I know you're being security conscious, but it's unlikely to make much difference other than annoy users.
>
> wtf is up with that captcha? I have to scroll down to the footnote, read it, think about it, then do it... A captcha should be something a person can do within a few seconds, but is difficult/impossible for a computer to solve. Your method is too obscure and could (with effort) be cracked anyway. If the computer can read the digits separately, it can also decode the (presumably finite) possibilities of your stating "enter this character then that one twice". Making the user enter digits in a random order won't stop it being cracked if someone cared that much.

Fair enough about the captcha. It may be annoying. So I'll change it to just the 6 characters straight. It was done with a random number, so if the bot could read the characters it would still have only a 1 in 6 chance of getting it right.

For the number you can just use 12345 if you wish, that will suffice.

Changed the username problem.

Sam
deadonarrival Posted March 7, 2008

I did, was just pointing out that it's more likely to annoy users than to add security to your site.

If you're that bothered about security, make the minimum password length much longer (harder to dictionary hack) and make it have to include at least one number. Then salt it before encryption into your database.

Fair enough, a 5-digit number means that (at worst) 100,000 more attempts are needed for a dictionary hack to work, but people are notoriously bad for entering certain numbers as PINs - so it's actually easier to crack than requiring a longer password. Although in theory it should take 50,000 tries on average (with each dictionary word) to dictionary hack the password, it's probably more likely to be 50 tries, with a 100 max - for a high percentage of passwords, due to everyone using 00000-99999, or 12345 etc.

Plus more characters is always better than more numbers. An extra digit is 10 more possibilities, an extra letter is 26 more.
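The policy and storage advice in the post above (longer minimum length, require a digit, salt before storing), written out as an added example. This is not code from the site under review or from anyone in the thread; the minimum length of 12, the PBKDF2 iteration count and the `scheme$iterations$salt$digest` storage format are assumptions chosen here. One caveat on wording: passwords are stored as a salted, slow hash (here PBKDF2-HMAC-SHA256), not encrypted, so there is no key whose theft would reveal them.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy values are assumptions for this example, not numbers from the thread.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # slow on purpose: every dictionary guess costs this much work
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letter")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a password for storage.

    A fresh random salt per user means two users with the same password get
    different stored values, so a precomputed table of hashes cannot be reused
    across accounts. The result is 'scheme$iterations$salt_hex$digest_hex'.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """What a registration handler does: enforce the policy, then store only the salted hash."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    stored = register("correct horse battery 42")
    print(stored)
    print(verify_password("correct horse battery 42", stored))   # True
    print(verify_password("correct horse battery 43", stored))   # False
```

Registering the same password twice yields two different stored strings because each call draws its own salt; the iteration count is stored alongside the hash so it can be raised later without invalidating existing accounts.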
helraizer (Author) Posted March 7, 2008

Yeah. I understand what you're saying fully. I'm going to be using this digit in the forgotten details script, alongside username, password (if they haven't forgotten it) and email address. Or should I just scrap it and go with user/pass/email?

Sam
deadonarrival Posted March 7, 2008

If they forget their email, I'd be pretty sure they've forgotten the 5-digit number as well. Just ask for their email and maybe one item of personal data, and send account details to that email. You get the same theory, but hopefully through something they can't forget easily, rather than something they can. E.g. everyone (just about) knows their own date of birth, but I can't remember my 4-digit bank PIN, which is more important than a random site's 5-digit security code.
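An added example of the email-based forgotten-details flow the post above suggests. It is not code from the site or from anyone in the thread, and it makes two choices of its own: what gets mailed is a one-time, time-limited reset token (only its hash is kept server-side) rather than the account details themselves, and the page's reply is identical whether or not the address is registered, so the form cannot be used to enumerate accounts. The user table, the 15-minute window and the `send_mail` callback are constructed stand-ins.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset link is valid for 15 minutes

# Constructed stand-in for the site's user table: email -> username.
USERS = {"sam@example.com": "helraizer", "dead@example.com": "deadonarrival"}

# token_hash -> (email, expires_at). Only the hash is stored, so a leaked copy of
# this table does not hand out live reset links.
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}

# Same wording whether or not the address exists.
PUBLIC_REPLY = "If that address is registered, a reset link has been sent to it."


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Start a reset for `email`. Returns the token to mail, or None if no such account."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    RESET_TOKENS[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume a token from the mailed link. Returns the account's email, or None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)   # pop: each token works once
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


def handle_reset_form(email: str, send_mail: Callable[[str, str], None],
                      now: Optional[float] = None) -> str:
    """What the 'forgot details' page does with a submitted address."""
    token = request_reset(email, now)
    if token is not None:
        send_mail(email, token)
    return PUBLIC_REPLY


if __name__ == "__main__":
    outbox = []
    print(handle_reset_form("sam@example.com", lambda e, t: outbox.append((e, t))))
    print(handle_reset_form("nobody@example.com", lambda e, t: outbox.append((e, t))))
    mailed_to, token = outbox[0]
    print(redeem_reset(token))   # sam@example.com
    print(redeem_reset(token))   # None: already used
```

Whoever holds the mailbox holds the account, which is the same trust the post relies on; adding a second factor such as a date of birth at the point where the link is redeemed, as the post suggests, fits in `redeem_reset` before the email is returned.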