Login methods?
RWB
Icrontian
I want to look into a secured login interface, but I'm curious what I should do to get it done... how to store usernames and passwords, for example. I'll try to figure it out from there, but do I use SQL to store them, or maybe a separate file like XML or something? Then use PHP to retrieve them?
Comments
Have an SQL database that contains the username, the password hash, and a randomly generated password salt.
The hash is the following:
The user's password is retrieved from the form, and the salt is grabbed from the database using the username as the primary (unique) key.
This way, the users' passwords are stored in an unbreakable form. However, this creates the problem of not being able to retrieve the passwords in case the user forgets. You'd have to create a form to generate a new password and salt, then send the user the new password and update the hash and salt in the DB.
Once the data is stored, you can use any SQL-compatible language to access it. I prefer PHP, so the above salt example is PHP code. Run it over an SSL connection, and you're good to go!
If you have any questions, ask away!
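A worked version of the storage and verification flow described in that reply, added here as an example; it is not the poster's own PHP (the hash line itself did not survive on the page). It is written in Python with an in-memory SQLite table standing in for the SQL database, and it uses PBKDF2-HMAC-SHA256 as an assumed hash construction. The table layout (username as the unique key, plus hash and salt), the per-user random salt, the salt lookup by username, and the "forgot password" flow that regenerates both password and salt are as the reply describes.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Constructed in-memory database standing in for the SQL store the reply describes.
# Schema follows the reply: username is the unique key, alongside the hash and the salt.
def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  username TEXT PRIMARY KEY,"
        "  pw_hash  BLOB NOT NULL,"
        "  salt     BLOB NOT NULL)"
    )
    return conn

# Assumption: the reply's own hash formula is not on the page, so this example uses
# PBKDF2-HMAC-SHA256 over (password, per-user salt). The iteration count is illustrative.
ITERATIONS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    conn.execute(
        "INSERT INTO users (username, pw_hash, salt) VALUES (?, ?, ?)",
        (username, hash_password(password, salt), salt),
    )

def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fetch salt and stored hash by username, recompute the hash, compare in constant time.
    row = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Unknown user: still burn one hash so response time does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return False
    stored_hash, salt = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))

def reset_password(conn: sqlite3.Connection, username: str) -> Optional[str]:
    # The reply's "forgot password" flow: the old password cannot be recovered from the
    # hash, so generate a new password and a new salt, store the new hash, and return the
    # new password so it can be sent to the user (delivery is out of scope here).
    if conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is None:
        return None
    new_password = secrets.token_urlsafe(12)
    new_salt = secrets.token_bytes(16)
    conn.execute(
        "UPDATE users SET pw_hash = ?, salt = ? WHERE username = ?",
        (hash_password(new_password, new_salt), new_salt, username),
    )
    return new_password

def demo() -> dict:
    conn = open_db()
    create_user(conn, "alice", "correct horse")
    create_user(conn, "bob", "correct horse")  # same password as alice, different salt
    a_hash, a_salt = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE username = 'alice'").fetchone()
    b_hash, b_salt = conn.execute(
        "SELECT pw_hash, salt FROM users WHERE username = 'bob'").fetchone()
    results = {
        "same_password_differs_in_db": a_hash != b_hash and a_salt != b_salt,
        "good_login": verify_login(conn, "alice", "correct horse"),
        "bad_login": verify_login(conn, "alice", "wrong"),
        "unknown_user": verify_login(conn, "mallory", "anything"),
    }
    new_pw = reset_password(conn, "alice")
    results["old_password_after_reset"] = verify_login(conn, "alice", "correct horse")
    results["new_password_after_reset"] = verify_login(conn, "alice", new_pw)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two identical passwords in `demo()` is the one the reply makes about the salt: "correct horse" produces two different rows, so a stolen table cannot be attacked with one precomputed lookup for all users. For a real deployment, prefer a purpose-built password hash (bcrypt, scrypt or Argon2) over plain PBKDF2, and deliver the reset password over a channel other than the login form.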
Take vBulletin, for another example.
You type in a new password. vBulletin takes what you typed, and appends the unique and random salt that each user has stored in the database with their user info. Then, it takes the md5 hash of the resulting string. Then, it takes the md5 hash of THAT. This is what gets stored in the database and your cookie. Anytime you type in your password, it does this process over again and compares the results.
Appending the salt means that someone couldn't reproduce your hash (putting the same word through the md5 algorithm will always give the same hash, of course, otherwise it wouldn't work) even if they knew your password. Honestly... I don't know what use that would be anyway, but there you have it.
Hopefully, you'll not have to worry about someone getting your database. However, the extra layer of protection is a good idea.
I had a former employer that SOLD an application to another company that had the weakest auth I've ever seen ever... ever...
username admin
password ' or 1=1
would get anyone in as the admin.
For the love of all things holy, please use SOMETHING to clean up user input as well, or you could be asking for trouble on so many levels.
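The login bypass this reply describes, reproduced as an added example (Python with SQLite; not code from the reply's application, whose query shape is unknown). The constructed table stores a clear-text password only to mirror the weak app. Against a query built as shown here, the reply's exact `' or 1=1` would leave a dangling quote and fail to parse, so the quote-balanced variant `' OR '1'='1` is used; it has the same effect. The parameterised query is the standard fix, with an allow-list check on the username as a second layer.

```python
import re
import sqlite3

# Constructed stand-in for the sold application's user table. Clear-text password is
# deliberate here to mirror the weak app; the constructed secret is arbitrary.
def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn

# Quote-balanced variant of the reply's payload, assumed here because the original
# application's query shape is not on the page.
PAYLOAD = "' OR '1'='1"

def build_vulnerable_sql(username: str, password: str) -> str:
    # String concatenation: the user's input becomes part of the SQL grammar.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # With PAYLOAD the statement becomes
    #   ... WHERE username = 'admin' AND password = '' OR '1'='1'
    # and since AND binds tighter than OR, the whole WHERE clause is true for every row.
    return conn.execute(build_vulnerable_sql(username, password)).fetchone() is not None

def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text, so a quote in the
    # input can never close the string literal.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def is_valid_username(username: str) -> bool:
    # Allow-list check (assumed policy: 1-32 word characters). Defence in depth only;
    # it does not replace the parameterised query.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def demo() -> dict:
    conn = open_db()
    return {
        "vuln_real_creds": vulnerable_login(conn, "admin", "hunter2"),
        "vuln_injected": vulnerable_login(conn, "admin", PAYLOAD),
        "safe_real_creds": safe_login(conn, "admin", "hunter2"),
        "safe_injected": safe_login(conn, "admin", PAYLOAD),
        "username_check_rejects_payload": is_valid_username(PAYLOAD),
    }

if __name__ == "__main__":
    print(build_vulnerable_sql("admin", PAYLOAD))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and compare `vuln_injected` with `safe_injected`: the concatenated query lets the payload through as admin, the parameterised one treats the same bytes as a literal password and rejects it.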