Storing A User’s PasswordStandard issue for having access to a site is a user’spassword with an association to a username or emailaddress. BAD PRACTICE !!!! www.prodigyview.com
Storing Passwords in Plain TextOn the previous slide, the password was in plain text.THIS IS VERY BAD PRACTICE!1. If the database is hacked/stolen, users account will be at risk.2. The user’s information could be at risk from members of the internal organization
MD5 HashingOne answer to solving the problem is MD5 hashing.Before the password is actually inserted in the database,hash it with md5.
Problem with MD5 HashMD5 hashing is great, except for one small problem.There is a dictionary list of md5 hashes. Just Google thehashed code and see for yourself. www.prodigyview.com
Dictionary List and AttacksA dictionary list is a library of hashed values and theircorresponding unhashed strings.In other words, it’s a way of decoding md5 hashedpasswords.A dictionary list can be built using other hashingalgorithms such as sha1(). How do we get around this? www.prodigyview.com
SALT!Salt is adding a string of text as part of the encryptionprocess. This can prevent basic dictionary list from beingformed.
Google the SALTed HashA Google search for the salted hash will give theseresults. This is what we want. www.prodigyview.com
A Small Problem with SALTWe are about to make things a little more complex. SALTis great because is HARD to make a dictionary list butNOT IMPOSSIBLE.The way around this problem to find some way making aunique SALT for each user. Our next slide is one ofmany ways of making a unique SALT for extra security. www.prodigyview.com
Use Two IDsA user login’s with their email and password. For our saltto work, lets add in a third login field. Make each userhave their own unique pin number that is required tologin. The pin number will be the SALT.
PHP CryptPHP has a function design for securing a user’s password. Itwill use standard Unix DES algorithm but can be configured touse others. The function also supports SALT. http://php.net/manual/en/function.crypt.php
More TutorialsFor more tutorials, please visit:http://www.prodigyview.com/tutorials www.prodigyview.com