[thelist] Re: best way to check for valid user/password in PHP

Aleem Bawany aleem.bawany at utoronto.ca
Fri Jan 10 09:28:01 CST 2003


> If you create an MD5 hash of a password and store it, then
> you might as well have just stored the password in
> plain-text, because it's not the PASSWORD that you're
> using any more, it's the MD5 hash. Which means although

That's the point! No one can get the password, not even
the site owner himself. If I have a generic password
(which lots of people do), then you can see my plain-text
password and use it on say my hotmail account. The point is,
once the user enters a password, you hash it and compare it
to the encrypted password, if it matched the user entered
the right password.

One-way encryption is a good thing! Believe me you wouldn't
want it any other way (PGP is somewhat different in that it
uses primes).

> Always, always use your database's built-in functionality
> for creating passwords or encrypted fields, unless you
> know you can do better. (Can you, really?)

The MySQL documentation recommends using MD5 or some other
one-way encryption scheme to store passwords (watch for
wrap):

http://www.mysql.com/documentation/mysql/bychapter/manual_MySQL_Database
_Administration.html#Privilege_system

Besides, even if the DB has a built-in encryption
scheme it's definetly a one-way encryption scheme.

> functions really are one-way encrypted. This means that
> once you put the plain-text in, you can never know what
> it is unless you can brute-force it. The encrypted value
[...]
> Another extremely important point is that very few
> databases use MD5 because it's increasingly becoming
> prone to attack. There are huge databases of pre-computed
> MD5 dictionaries that cover enormous combinations of

Absolutely not. Very rarely will two words ever hash to the
same key. A dictionary or brute force attack is when you
run common words, encrypt them and check to see if they
hash to the same key (if you were using a plain-text you'd
be already compromised and if you were using something like
a two-way password, then if one password got comprimsed,
all passwords would be compromised). Besides it's not possible
to run all possible letter/word combinations in a brute
force attack in reasonable time.

That is why you should enforce minimum 8 character passwords,
there's more permutations of 8 chars then say 4. That's also
the reason why you should use upper/lower case passwords. If
I knew all your passwords were lower case and 3 chars I could
test abc, acb, bca, bac, cba, cab and I'd be done. With mixed
case I'd need to test for ABc,AbC, aBc,.. BCa,BcA... you
get the idea.

Whatever you do, always use MD5 or crypt or some other such
scheme to store passwords in a database, that way I know
that even if someone hacks your database, my password will
be protected because I chose a "good password".

<tip type="choosing a good password" author="aleem">
Use the MHALL trick to choose a good password. MHALL
stands for Mary Had A Little Lamb, and associating each
letter of the password with a word in a sentence makes
it easier to remember and less prone to being a dictionary
word (which is easier to crack). So something like
WeTimup would never be guessed but the author of the password
knows it means: Web evolt, This is my usual pass (indicating
it's a password for a (W)ebsite, whose domain is (e)volt.org
and is follow by the usual/generic password.

Goes without saying, always use numbers and if possible
characters (%#$!) for the most secure password.
</tip>

<tip type="THE Password Management Tool" author="Aleem">
If you are like me and keep forgetting your passwords
and all the sites you are registered at, then try Password
Safe ( http://www.counterpane.com/passsafe.html ) which
stores all your passwords in one database, protected by
a master password. Rest assured it's very secure and
backed by one of the world's leading security experts.

Remember to backup your password database at multiple
locations or by mailing it to yourself elsewhere. You
can even ask your friends to store it on their computers,
If you chose a "good password", it's completely safe.
</tip>


[ http://members.evolt.org/aleem/ ]




More information about the thelist mailing list