Back to General and Gameplay Programming

Password Submission

Omaha · 2005-06-04T20:18:05

Although I won't be storing credit card numbers or home addresses or anything, eventually I'm going to get around to implementing a registration system on my website where users can sign up with a handle and then use this to add to a comments section for each post or a forum or whatnot. In the past what I've done is stored the information in a table, simply enough. Omitting other columns, the three basic ones were Username, Email, and Password. For security I did not store the password itself of course, but rather the MD5 checksum thereof. In this way anyone who DID get to the database wouldn't get password information of use. (Unless MD5 has been cracked, which I haven't heard of.) However, I question the right way to validate passwords. What I have done in the past is had an HTML form with a Username and Password text input, which then passes that information via POST to a script that submits a query along the lines of SELECT COUNT FROM Users WHERE Username='(what he typed)' AND Password=MD5('(what else he typed)')) But I question if the transition from one page to the next, where the username and password are being sent via POST from one script to the next is safe. It's a simple pipe between processes, but I wonder if that's exploitable. Additionally, if I did want to eliminate that issue and thus just send the MD5 sum through POST instead of the password itself, how I could transform the form input before send it through output. I have done something remotely similar in the past where the form that is used to add content to the site has a submit button that actually invokes a &#106avascript function that checks to see if a "safety" checkbox has been checked (to prevent my frequent arm spasms from posting half a headline) and then submits or informs the user that the safety is turned off (or on, depending on how you look at it, I guess) and returns harmlessly. I don't think &#106avascript has an inbuilt MD5 transformation. Being a big fan of procedurally generated content, all of my pages are done in PHP, and knowing that it's a preprocessor I don't think there would be a way to route the output through the PHP MD5 function during submission... would another scripting language fill this gap, or am I just addressing a non-issue? Like I said, there is nothing extremely sensitive (or rather will be, I haven't gotten that far yet, still setting up site infrastructure) in the user database but I'd like people to know that their passwords are secure, and the POST submission is the only place I see where it is being sent in its raw format and was curious if this is A: a hole and B: if it can be plugged.

General and Gameplay Programming Programming

Started by Omaha June 04, 2005 01:01 PM

12 comments, last by Inmate2993 18 years, 10 months ago

Replicon

306

June 04, 2005 02:29 PM

Another thing you should consider, if you want it to be secure, is avoidance of SQL injection. For example, suppose your login code does:

SELECT COUNT FROM Users WHERE Username='(typed)' AND Password=MD5('typed'))

and it logs you in using that, you have a major security issue. If I type in

Username: "some_real_user' --" (without the quotes)

then look at the happens to the SQL:

SELECT COUNT FROM Users WHERE Username='some_real_user' --' AND Password=MD5('typed'))

Anything after the '--' is commented out... so your thing becomes

SELECT COUNT FROM Users WHERE Username='some_real_user'

Uh oh...

What you should do, as a rule, is use Bind variables (or "prepared statements", in the Java world). The way it works is, you put placeholders into your SQL code as so:

SELECT COUNT FROM Users WHERE Username=:userName AND Password=:md5Passwd

(assuming your do your encryption on the client side...whatever)

then, in your code, you populate some data structure (strings or whatever you need in your sql) with what the user types. Then, you don't need to worry about checking for these things. As an added bonus, you only need to compile your SQL statements once, and then just re-use them with different bind variables.

Omaha

100

Author

June 04, 2005 06:25 PM

Quote:You do realise than any checksum is bound to have collisions? Otherwise it's actually a compression alogorithm in disguise.

Allow me to retro-interject "will work without collisions for my purposes." My point about programmers in the same room is proven. :P

Omaha

100

Author

June 04, 2005 06:27 PM

Quote:Original post by Replicon
Another thing you should consider, if you want it to be secure, is avoidance of SQL injection. For example, suppose your login code does:

Interesting, thank you. I'm only a basic SQL guy and this information is new and useful to me!

Inmate2993

222

June 04, 2005 08:18 PM

MD5 has been cracked, yes, but not in that they can use an MD5 checksum to get a list of viable passwords, but rather the time it takes to bruteforce a password that generates the same stored hash has been reduced enough that it can be done within a feasible length of time.

Anyways, what your system should do is store the IP address of who logged in (or their whois reverse lookup), and mark them as logged into the database, with a scheduled inactivity logout. That way, they can't be spoofed while they're in the system and between pages.

Also, for some serious security, extent the length of the passwords from 8 to 1024, and tell them that a passphrase is a better idea. The sheer length makes it much harder to crack.

william bubel

Password Submission

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Password Submission

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Reticulating splines