[thelist] Re: best way to check for valid user/password in PHP

Liam Delahunty ldelahunty at britstream.com
Thu Jan 9 17:44:12 CST 2003


Kelly Hallman wrote:

>>> md5 is a one-way hash because there is no feasible way to determine
>>> the original input that created the hash, ...

>> md5 is susceptible to dictionary attacks. I have a database of many
>> common passwords and the md5 ...

>To look up hashes to find the password, you'd still need to know what the
>hash for the account is...

Oh absolutely, I was just really responding to the "no feasible way to
determine..." bit, because once in you could get much more. Please consider
that most "hacking" is internal; in other words it's done by employees. So if
one could, for instance, get a dump of a database, one could then parse through
all the data until one had cracked some of the username/password pairs. I was once
employed by a fairly large company to do a little security test of their web
system and did just that.

>In my opinion, it's still a pretty good measure of security.
I use it myself in several ways.

>Better, feasible suggestions?
It depends what you need to do. If in PHP, as per the previous example, you
can use the additional libraries for crypt / mcrypt / crc32 (never used that
myself):
http://www.php.net/manual/en/function.crypt.php
http://www.php.net/manual/en/ref.mcrypt.php
Also you could consider a double md5,
$pw2 = md5($pw);
$pw3 = md5($pw2);
which may be enough "extra security" for most uses and doesn't really have
that much of a system overhead AFAIK.

I have had occasion to use gnupg with PHP, http://www.gnupg.org/, and then
store that data in the db. Obviously it all depends on what the system
does and what level of security is appropriate.

Kind regards, Liam Delahunty
Mega Products Limited, 10-11 Moor Street, Soho, London WAD NO
http://www.onlinesales.co.uk/ Open Source PHP/MySQL E-commerce
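The offline dictionary attack the post describes, run against a constructed dump of a user table, as an added example. This is editor's code, not code from the post or its author: the accounts, passwords and wordlist are constructed for the demo, and the per-user salted scheme (using sha256 purely to illustrate salting) is an assumption added for contrast that the post does not propose. It shows that one precomputed table of dictionary hashes cracks plain md5 and the post's double md5 at exactly the same cost, since the attacker simply hashes each candidate twice, whereas a stored per-user salt forces a separate pass over the wordlist for every account.

```python
"""Added example: offline dictionary attack on a dumped password table.

Models the scenario in the post: an insider dumps the user table, then
runs a list of common passwords against it. Three storage schemes are
attacked: plain md5, "double" md5(md5(pw)), and a per-user salted hash.
Users, passwords, hashes and the wordlist are all constructed for the
demo; the salted scheme is the editor's illustration, not the post's.
"""
import hashlib
import secrets

# Constructed wordlist, standing in for a large common-password list.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon", "monkey"]

# Constructed accounts; "Zx9!kq#pL2" stands in for a password absent from the list.
ACCOUNTS = [("alice", "password"), ("bob", "qwerty"), ("carol", "Zx9!kq#pL2")]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def double_md5_hex(s: str) -> str:
    # The post's "double md5": md5 of the md5 hex digest.
    return md5_hex(md5_hex(s))


def salted_hex(s: str, salt: str) -> str:
    # Per-user random salt mixed into the input. sha256 is used only to
    # illustrate salting; it is not a recommendation over a purpose-built
    # password hash with a tunable work factor.
    return hashlib.sha256((salt + ":" + s).encode()).hexdigest()


def dump_table(scheme: str):
    """Build the 'dumped' rows an insider might obtain for one storage scheme."""
    rows = []
    for user, pw in ACCOUNTS:
        if scheme == "md5":
            rows.append({"user": user, "hash": md5_hex(pw), "salt": None})
        elif scheme == "double_md5":
            rows.append({"user": user, "hash": double_md5_hex(pw), "salt": None})
        elif scheme == "salted":
            salt = secrets.token_hex(8)  # stored beside the hash, as in a real table
            rows.append({"user": user, "hash": salted_hex(pw, salt), "salt": salt})
        else:
            raise ValueError(scheme)
    return rows


def crack_unsalted(rows, wordlist, hash_fn):
    """Dictionary attack on an unsalted scheme.

    One lookup table of dictionary hashes serves every account, so only
    len(wordlist) candidates are hashed no matter how many rows were
    dumped. Returns (cracked {user: password}, candidates hashed).
    """
    table = {hash_fn(w): w for w in wordlist}
    cracked = {r["user"]: table[r["hash"]] for r in rows if r["hash"] in table}
    return cracked, len(wordlist)


def crack_salted(rows, wordlist):
    """Dictionary attack on the salted scheme.

    The salt is not secret (it sits next to the hash), but a shared lookup
    table is useless: each account needs its own pass over the wordlist,
    so the work scales with rows * len(wordlist).
    """
    cracked, candidates = {}, 0
    for r in rows:
        for w in wordlist:
            candidates += 1
            if salted_hex(w, r["salt"]) == r["hash"]:
                cracked[r["user"]] = w
                break
    return cracked, candidates


def run_all():
    """Attack each scheme; returns {scheme: (cracked, candidates hashed)}."""
    return {
        "md5": crack_unsalted(dump_table("md5"), WORDLIST, md5_hex),
        "double_md5": crack_unsalted(dump_table("double_md5"), WORDLIST, double_md5_hex),
        "salted": crack_salted(dump_table("salted"), WORDLIST),
    }


if __name__ == "__main__":
    for scheme, (cracked, cost) in run_all().items():
        print(f"{scheme:11s} cracked={cracked} candidates_hashed={cost}")
```

With the constructed data, alice and bob fall under all three schemes because their passwords are in the wordlist, and carol survives under all three; the difference is in cost, six candidates for either unsalted scheme versus eleven for the salted one (one pass per account, stopping at the first match), a gap that grows linearly with the number of dumped rows.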