Monday 3rd March 2008

by Sajith M.R

Hack the Password

Can you recheck the first PHP program you wrote with database backend support? Is there a password-storing field in it?

If so, you probably saved the password in plain text, without any encryption or hashing, right? If not, you are a genius programmer by birth. What would happen if your database is leaked, or somebody hacks your database, after you have hosted your website and a lot of users have registered or submitted their accounts with passwords? You are trapped. The hacker can access the user accounts by acquiring the passwords (saved without any encryption). The users can sue you for publishing their passwords in the open. So beware of this way of saving passwords when doing a big project that is hosted for a huge public.

Then what are the mechanisms for saving passwords in a database?

One is that you can save the password after digesting or hashing it, and while rechecking the account at login you compare the hash of the entered password with the hash stored in the database. For that, in PHP you can use this function:

<?php $hash_password = sha1($password); ?>

Is this method enough for full security? No, never. For example, suppose you already know somebody's password, say Sanjay's password is "access", and you have obtained the database, so you also have the hash-encoded string of the password "access". Suppose "XYZ123#@!" is the hashed password taken from the database. Then you can reverse-compare whether any other user has the hash text "XYZ123#@!", and thus you get the password of that particular user. Hacked again!!!

How to avoid this? The solution is salting. Add some salt (a random string) to the current password, hash the whole thing and save it in the database. Remember to save the salt value too, in another field of the table, for rechecking the account at login. Then for the same password, say "access", you will get different hash digests. Thus the reverse comparison from a known password can be avoided.

<?php
$salt = rand(1000,99999);                  // random salt; store it in its own column next to the hash
$hash_password = sha1($password . $salt ); // digest of password + salt is what gets saved ?>

Is this all enough for full security? You need not worry about the same salt being generated for the same password while creating a random salt value. The probability of that is .00000… followed by 1000000 zeros …1. That means never.

But we are not taking any risk. Add some more information to the password before hashing it. Generate a global constant string known only to the programmer, say &555$34E$, and call it the Global pattern. Append this string as well to the password+salt string before hashing. This will create a more secure digest for your password. Remember, never forget or lose this Global pattern, otherwise you can never check the login password later. (It is not like the salt: the value of the salt is there in the database table.)

<?php $hash_password = sha1($password . $salt . auth::GlobalPattern()); ?>

Enough … No one can hack your password now, even if he gets your database. Okay.

(Saving the encrypted password also helps to avoid SQL injection.)

Okay, enjoy programming.

Yours, Sajith

· · · ◊ ◊ ◊ · · ·

11 Responses to “Hack the Password !!!”

  1. ford says:

    Hi. EMAIL ME!!! I’m hacker. Can get you a myspace, facebook,yahoo,msn/hotmail, gmail, aol…etc password. I do charge money though,but will show proof i have it. Are you interested? please email me at fordtrucks90@live.com (I was formly known as fordf202006 on yahoo but my account was deleted)

  2. Frank says:

    Good article! Thanks a lot.

  3. Omkar Khair says:

    Absence of salt would store the plain hashed password in the table. As mentioned in the post, if the table is extracted somehow then the intruder can find a match for his hash.

    The chances of this happening are considerably low, but adding salt would make a significant improvement in security.

  4. summary says:

    What if the salt value is not added to the DB table?

  5. Chetan says:

    Currently databases are the objects most targeted by hackers; it is really important to keep them safe.

  6. Ford says:

    hi. I am a hacker. I can get you an aol,yahoo,myspace,facebook,gmail…etc password. I do charge a fee to get a password though. Once i do get password i’ll show you proof i have it. Are you interested? E-mail me at Fordf202006@yahoo.com

  7. peeto says:

    select u.user from table as u where u.password=sha1(concat('access', u.salt, 'hackedglobalpattern'));

  8. Babu Syed says:

    I like the window showing the visitor's location on the map. How can I get it for my page?
    BS at psbabusyed@gmail.com

  9. Binny V A says:

    Great! Thanks for clearing that up

  10. Sajith M.R says:

    Hi Binny,
    $md5_password was a mistake that happened while copy-pasting. I have edited that in the article now. And about the check at login, see below.

    The salt is created randomly, but you have to save this salt in another field in your database table (as I mentioned in this article). So at login check, what you have to do is:
    1) Get the saved salt from the database table. (Select salt from table where username = 'Sanjay');

    2) Recreate the hash from the user-entered password, say $password.

    3) Calculate the hash digest with the former formula.
    <?php $hash_password = sha1($password . $salt . auth::GlobalPattern()); ?>

    4) Get the saved hash, say $saved_hash, from the table (Select password from table where user='Sanjay');

    5) Compare both: $hash_password and $saved_hash.

    6) If both are equal, log in; else invalid password.

    Thanks
    Syth
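The salting scheme from the post (password + salt + Global pattern) and the six-step login check in the reply above, worked through as one complete example. This is added code, not from the original post or its author: an in-memory array stands in for the users table, GLOBAL_PATTERN is a placeholder for auth::GlobalPattern(), and the salt comes from random_bytes() rather than rand(); the sha1 formula itself is the post's. The last lines show PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate the salt and use a deliberately slow algorithm, so no hand-rolled scheme is needed.

```php
<?php
// Added example: salted hashing with a server-side global pattern, plus the
// six-step login check from the reply above. Not code from the original post.

// Assumption: stands in for auth::GlobalPattern(); it lives in code or config,
// never in the database table, so a leaked table alone is not enough.
const GLOBAL_PATTERN = 'PLACEHOLDER-GLOBAL-PATTERN';

function make_salt(): string
{
    // 16 bytes from the CSPRNG, hex encoded (32 chars). rand(1000, 99999)
    // allows fewer than 100,000 distinct salts, which is far too few.
    return bin2hex(random_bytes(16));
}

function digest(string $password, string $salt): string
{
    // The post's formula: sha1(password . salt . global pattern)
    return sha1($password . $salt . GLOBAL_PATTERN);
}

// Registration: store the salt and the digest, never the password itself.
function register(array &$users, string $username, string $password): void
{
    $salt = make_salt();
    $users[$username] = ['salt' => $salt, 'password' => digest($password, $salt)];
}

// Login check, following steps 1) to 6) of the reply.
function login(array $users, string $username, string $password): bool
{
    // 1) Get the saved salt (and saved hash) for this username.
    if (!isset($users[$username])) {
        // Unknown user: compute a digest anyway so response time does not
        // reveal whether the username exists.
        digest($password, 'unknown-user');
        return false;
    }
    $row = $users[$username];
    // 2) and 3) Recreate the digest from the entered password and the stored salt.
    $hash_password = digest($password, $row['salt']);
    // 4) to 6) Compare with the saved hash; hash_equals() runs in constant time.
    return hash_equals($row['password'], $hash_password);
}

// Constructed in-memory "users table": username => ['salt' => ..., 'password' => ...]
$users = [];
register($users, 'Sanjay', 'access');
register($users, 'Frank', 'access');

// Same password, different salts: the two digests differ, so one known digest
// cannot be matched against the other rows of the table.
echo "digests differ for same password: ",
    var_export($users['Sanjay']['password'] !== $users['Frank']['password'], true), "\n";
echo "Sanjay/access: ", var_export(login($users, 'Sanjay', 'access'), true), "\n";
echo "Sanjay/wrong:  ", var_export(login($users, 'Sanjay', 'wrong'), true), "\n";
echo "nobody/access: ", var_export(login($users, 'nobody', 'access'), true), "\n";

// Built-in alternative (PHP >= 5.5): password_hash() picks the salt and a slow
// algorithm and stores both inside the returned string; password_verify() checks it.
$stored = password_hash('access', PASSWORD_DEFAULT);
echo "password_verify: ", var_export(password_verify('access', $stored), true), "\n";
```

In a real application the `$users` array is replaced by a SELECT of the salt and password columns by username, with the username passed as a bound parameter; the comparison still happens in PHP with hash_equals(), not in the SQL WHERE clause.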

  11. Binny V A says:

    Could you include the login code as well – I am not sure how to check the password with a random salt. You will need the same salt when you are authenticating.

    And why are you naming the variable $md5_password? You are using sha1 – so it should be called $sha1_password.
