2. Storing A User’s Password
The standard way of granting access to a site is a user's
password associated with a username or email address.
BAD PRACTICE !!!!
www.prodigyview.com
3. Storing Passwords in Plain Text
On the previous slide, the password was in plain text.
THIS IS VERY BAD PRACTICE!
1. If the database is hacked or stolen, users' accounts will be
at risk.
2. The user's information could be at risk from members
of the internal organization.
4. MD5 Hashing
One answer to the problem is MD5 hashing.
Before the password is actually inserted in the database,
hash it with md5().
5. Problem with MD5 Hash
MD5 hashing is great, except for one small problem.
There are dictionary lists of md5 hashes. Just Google a
hashed value and see for yourself.
6. Dictionary List and Attacks
A dictionary list is a library of hashed values and their
corresponding unhashed strings.
In other words, it's a way of looking up the original text
behind an md5-hashed password.
A dictionary list can be built using other hashing
algorithms such as sha1().
How do we get around this?
7. SALT!
Salting means adding a string of text to the password before it
is hashed. This can prevent a basic dictionary list from being
formed.
8. Google the SALTed Hash
A Google search for the salted hash will give these
results. This is what we want.
9. A Small Problem with SALT
We are about to make things a little more complex. SALT
is great because it is HARD to make a dictionary list, but
NOT IMPOSSIBLE.
The way around this problem is to find some way of making a
unique SALT for each user. Our next slide is one of
many ways of making a unique SALT for extra security.
10. Use Two IDs
A user logs in with their email and password. For our salt
to work, let's add a third login field. Make each user
have their own unique PIN number that is required to
log in. The PIN number will be the SALT.
11. PHP Crypt
PHP has a function designed for securing a user's password. It
uses the standard Unix DES algorithm by default but can be configured to
use others. The function also supports a SALT.
http://php.net/manual/en/function.crypt.php
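The scheme these slides build up to, as an added example that is not code from the slides or from ProdigyView, written in Python rather than PHP crypt(): a constructed dictionary list reverses a bare md5 but not a per-user salted hash, and verification re-hashes with the stored salt. It goes one step beyond the slides by drawing the salt from the CSPRNG at registration instead of from a user-typed PIN and by iterating the hash; the sample users, the dictionary list and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: two users who picked the same weak password.
USERS = {"alice@example.com": "password123", "bob@example.com": "password123"}

def md5_unsalted(password: str) -> str:
    """Slide 4: bare md5 of the password, exactly what a dictionary list reverses."""
    return hashlib.md5(password.encode()).hexdigest()
# Constructed "dictionary list" (slide 6): md5 value -> original string.
DICTIONARY_LIST = {md5_unsalted(p): p for p in ["123456", "password", "password123", "letmein"]}
def dictionary_lookup(hashed: str):
    """Plain text behind a hash if the list already holds it, else None."""
    return DICTIONARY_LIST.get(hashed)

def new_salt() -> str:
    """Per-user salt (slides 9-10), drawn from the CSPRNG at registration time."""
    return secrets.token_hex(16)

def salted_hash(password: str, salt: str) -> str:
    """Salt + password through an iterated hash; the iterations slow bulk guessing."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return digest.hex()

def store_user(db: dict, email: str, password: str) -> None:
    """Keep the salt beside the hash; the salt is not secret, the password is never stored."""
    salt = new_salt()
    db[email] = {"salt": salt, "hash": salted_hash(password, salt)}

def verify_login(db: dict, email: str, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    record = db.get(email)
    if record is None:
        return False
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])

def demo() -> dict:
    db = {}
    for email, pw in USERS.items():
        store_user(db, email, pw)
    alice, bob = db["alice@example.com"], db["bob@example.com"]
    return {
        "md5_reversed": dictionary_lookup(md5_unsalted("password123")),
        "salted_reversed": dictionary_lookup(alice["hash"]),
        "same_password_same_salted_hash": alice["hash"] == bob["hash"],
        "alice_ok": verify_login(db, "alice@example.com", "password123"),
        "alice_wrong": verify_login(db, "alice@example.com", "Password123"),
        "unknown_user": verify_login(db, "carol@example.com", "password123"),
    }
```

Because each user gets a different salt, two users with the same password end up with different stored hashes, so a list built without the salt is useless against them.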
12. More Tutorials
For more tutorials, please visit:
http://www.prodigyview.com/tutorials