Web Development

Passwords – bwoogie

bwoogie

Member

Posts: 380
From: kansas usa
Registered: 03-12-2005
Hey all, I need help coming up with a solution for my site. I need to know how to secure/encrypt my member passwords. Is MD5 secure enough? A lot of people use it, but I've heard it's just as good as sending plain text around... But I've seen it used with algorithms that used the time and/or date to check stuff, and whatnot. Anyways, I just need some opinions and suggestions on making my site as secure as possible.

------------------
~~~boogie woogie woogie~~~

crazyishone

Member

Posts: 1685
From:
Registered: 08-25-2004
MD5 is good, but it can be fairly easily cracked via Brute Force. Try writing your own encryption algorithm and see how it goes. >:F

------------------

"The CIA must operate within the law.." - Former President Jimmy Carter, trying to solve an old problem. ;)

bwoogie

Member

Posts: 380
From: kansas usa
Registered: 03-12-2005
Heh, see how it goes? Like see if it gets hacked into within the first week?

That's the thing, I'm not a hacker, so I don't know what they know so I can better secure myself.

Anyways, brute force is basically when they use a dictionary and go through a list of words, right?

------------------
~~~boogie woogie woogie~~~

CPUFreak91

Member

Posts: 2337
From:
Registered: 02-01-2005
quote:
Originally posted by bwoogie:
Anyways, I just need some opinions and suggestions on making my site as secure as possible.

MD5 is ok... but if it's possible I would encrypt it with SHA, AES or Blowfish.

------------------
All Your Base Are Belong To Us!!! chown -r us ./base
"After three days without programming, life becomes meaningless.'' -- Tao of Programming Book 2

My Programming and Hacker/Geek related Blog

samw3

Member

Posts: 542
From: Toccoa, GA, USA
Registered: 08-15-2006
Yes, brute force is where the hackers just guess at passwords. One way to slow that down is to use lockouts or captchas.

MD5 and SHA1 are one-way hashes. They destroy the password but the result is the same. So if you use them you will not be able to "retrieve" the password. You can only compare two hashed passwords and see if they are equal. MD5 is more hackable because it's possible to find a collision quicker. The algorithm is (slightly) flawed.

AES and Blowfish are encryption routines. Which means of course that the data needs to be decrypted before you can compare anything. That can be a scalability issue. (too much CPU)

There is no perfect security solution. Even if you use the best algorithms, your users could use a password like "jesus", and you could get hacked. (At least that particular account)

Another thing to think about is, "How hackable am I?" in the sense of "Am I a target?" Most hackers will not even bother with a website where they cannot get credit card numbers, or some financial or other advantage (like bandwidth or filespace).

If you have time read this article on why Security is Hard:
http://c2.com/cgi/wiki?SecurityIsHard

But in a nutshell SHA1 over MD5 for hashes and AES over Blowfish for encryption and use large keys with numbers generated randomly. i.e. use http://www.random.org/

------------------
Sam Washburn

[This message has been edited by samw3 (edited March 09, 2007).]

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
Are you talking over the net? Or for storage? For storage I would recommend RSA or the XOR encryption (I wrote an article on ccn on that);
over the net use either Blowfish or SHA.

------------------
John 14:6

Jesus answered, "I am the way and the truth and the life. No one comes to the Father except through me.

bwoogie

Member

Posts: 380
From: kansas usa
Registered: 03-12-2005
Wait a second. What good is salt for? When you enter your password I (the script) have to add the salt on to the password to compare with the encrypted password in the database (which is "md5(password) & md5(salt) = encrypted password")... if they use brute force the salt will just be added on to their guessed password.

Wait... no, it won't. Because they *shouldn't* be able to access my database to get the salt. Right? Erhm, depends... if they write their own makeshift login page, no..... but what if they were to use mine? If they ran the page normally they would have access to the salt. Help?

P.S. Sorry if this post sounded scattered... I'm trying to figure this out in my brain as I type it out. You'll find I do that a lot.

------------------
~~~boogie woogie woogie~~~
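Putting samw3's one-way-hash explanation and bwoogie's salt question into code, as an added example that is not part of the thread (PHP, since that is what bwoogie is writing in). The function names `make_record` and `check_record`, the two sample users and their passwords are constructed here; the salt is prepended to the password before hashing rather than hashed separately as in bwoogie's "md5(password) & md5(salt)" sketch. `random_bytes`, `hash_equals` and `password_hash`/`password_verify` are standard PHP functions (PHP 7 or later for `random_bytes`).

```php
<?php
// Added example (not from the thread): per-user random salts with a
// one-way hash. The salt is NOT a secret: it is stored next to the hash.
// Its job is to make identical passwords hash differently and to defeat
// precomputed hash tables, so someone who obtains the database has to
// attack every account separately instead of all of them at once.

declare(strict_types=1);

// Registration: draw a fresh random salt, store salt + hash (both hex).
function make_record(string $password): array {
    $salt = bin2hex(random_bytes(16));          // 128-bit salt, public
    $hash = hash('sha256', $salt . $password);  // one-way: nothing to "retrieve"
    return ['salt' => $salt, 'hash' => $hash];
}

// Login: recompute with the stored salt and compare in constant time,
// so the comparison itself leaks nothing about how many bytes matched.
function check_record(array $record, string $candidate): bool {
    $hash = hash('sha256', $record['salt'] . $candidate);
    return hash_equals($record['hash'], $hash);
}

// --- constructed demo data: two users who picked the same weak password ---
$alice = make_record('jesus');   // the password samw3 uses as his example
$bob   = make_record('jesus');

// Unsalted: identical passwords give identical digests, so one table
// lookup cracks both accounts, and a database dump shows who shares a password.
echo "unsalted alice: ", hash('sha256', 'jesus'), "\n";
echo "unsalted bob:   ", hash('sha256', 'jesus'), "\n";

// Salted: the digests differ even though the passwords are the same.
echo "salted alice:   ", $alice['hash'], " (salt ", $alice['salt'], ")\n";
echo "salted bob:     ", $bob['hash'],   " (salt ", $bob['salt'],   ")\n";

var_dump(check_record($alice, 'jesus'));
var_dump(check_record($alice, 'Jesus'));

// What PHP ships for exactly this job (5.5 and later): password_hash()
// picks a random salt, embeds it in the returned string, and uses a
// deliberately slow algorithm (bcrypt with PASSWORD_DEFAULT) so each
// brute-force guess costs far more than one SHA-256. Store the whole
// string; verify with password_verify().
$stored = password_hash('jesus', PASSWORD_DEFAULT);
var_dump(password_verify('jesus', $stored));
var_dump(password_verify('guess', $stored));
```

The salt being visible to whoever can run the login page, bwoogie's worry, does not matter: it is designed to be public. What it removes is the shared precomputed table and the "same password, same hash" leak. The rate at which guesses can be tried is set by how expensive one hash is, which is why a slow password hash and the lockouts or captchas samw3 mentions are the parts that actually slow brute force down.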

MastaLlama

Member

Posts: 671
From: Houston, TX USA
Registered: 08-10-2005
What are you writing this in?

bwoogie

Member

Posts: 380
From: kansas usa
Registered: 03-12-2005
I'm writing this in php.

------------------
~~~boogie woogie woogie~~~
Jesus didn't come to save the saints.

tehriddler

Junior Member

Posts: 8
From: Portland, Oregon
Registered: 05-07-2007
Hello everyone, I'm somewhat new. I am actually trying to figure out/have figured out the same thing you're talking about. One thing that I've seen is the PHP hash(); function. I actually haven't used it... yet, but I'm sure you can find a lot of information about it in the manual and online.

What I'm doing is for the login system, the user types in their username and pass. They are then BOTH: sha1(md5(USER and PASS go here)) (will make it hash() soon because you can use sha256). Then the script checks the database for user = $user and pass = $pass of course. (They will have been submitted in the same way as they were just encrypted.)
This is supposed to stop hackers,
1) From brute-forcing their way in, and
2) IF they get into your database, they'll have no way to decrypt EITHER the pass or user.

Hope this helps brother. Let me know if you come up with anything.

God Bless!
-Trevor
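tehriddler's flow checks the password inside the query (`user = $user and pass = $pass`). Once each row carries its own salt, that comparison cannot be done in SQL, because the stored hash is different for every user; the usual structure is to fetch the row by username and verify the password in PHP. Added example, not tehriddler's code: it assumes the pdo_sqlite extension for an in-memory table, and `open_store`, `register_user`, `login` and the demo user are names and values made up here.

```php
<?php
declare(strict_types=1);

// Added example: look the user up by name, verify the password in PHP.
// Assumes the pdo_sqlite extension; the users table is built in memory.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The username stays in the clear so it can be the lookup key;
    // only the password is stored as a salted, slow, one-way hash.
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void {
    // Bound parameters: the username is data, never part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend one verify on a throwaway hash so the
        // reply takes about as long as it does for a real user.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    // The comparison happens here, not in the WHERE clause.
    return password_verify($password, $row['pass_hash']);
}

// --- constructed demo ---
$db = open_store();
register_user($db, 'trevor', 'correct horse battery staple');

var_dump(login($db, 'trevor', 'correct horse battery staple'));
var_dump(login($db, 'trevor', 'wrong'));
var_dump(login($db, 'nobody', 'anything'));
```

Nesting sha1() inside md5() does not change the picture: both are fast, unsalted functions, so a database row is still one fast guess per candidate and two users with the same password still get the same stored value. `password_hash()` adds the per-user salt and the work factor in one call, and the lookup-then-verify shape above is what lets it be used.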