<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.4" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Handling passwords safely in PHP</title>
	<link>http://phpit.net/article/handling-passwords-safely-php/</link>
	<description>PHPit has dozens of PHP articles, codesnippets and FAQ's.</description>
	<pubDate>Fri, 01 Aug 2008 23:56:21 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.4</generator>

	<item>
		<title>by: Joe</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-7734</link>
		<pubDate>Mon, 17 Jul 2006 11:11:33 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-7734</guid>
					<description>Wow I really a complete beginner on all of this, can someone tell me what passwords we are talking about here?

Are they the passwords that users of a forum use to login to a forum or are they admin passwords?

I sorry if I've missed something here, as I've said I'm a complete beginner.

Thanks

Joe</description>
		<content:encoded><![CDATA[<p>Wow I really a complete beginner on all of this, can someone tell me what passwords we are talking about here?</p>
<p>Are they the passwords that users of a forum use to login to a forum or are they admin passwords?</p>
<p>I sorry if I&#8217;ve missed something here, as I&#8217;ve said I&#8217;m a complete beginner.</p>
<p>Thanks</p>
<p>Joe
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Vong</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-7293</link>
		<pubDate>Tue, 11 Jul 2006 11:40:21 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-7293</guid>
					<description>I don't think MD5 or SHA-1 can be this easily decrypted. You can read this blog about breaking SHA-1 http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html .

What md5encryption.com does, IMHO, is building a dictionary online. When you hash a message, it would store it along its hash, either SHA-1 or MD5, then, when you "decrypt" it, it would simply retrieve the text.

Just try hashing something on your machine, and then "decrypting" it...

So be smart, and don't fuel the dictionary...</description>
		<content:encoded><![CDATA[<p>I don&#8217;t think MD5 or SHA-1 can be this easily decrypted. You can read this blog about breaking SHA-1 <a href='http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html' rel='nofollow'>http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html</a> .</p>
<p>What md5encryption.com does, IMHO, is building a dictionary online. When you hash a message, it would store it along its hash, either SHA-1 or MD5, then, when you &#8220;decrypt&#8221; it, it would simply retrieve the text.</p>
<p>Just try hashing something on your machine, and then &#8220;decrypting&#8221; it&#8230;</p>
<p>So be smart, and don&#8217;t fuel the dictionary&#8230;
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Errol</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-6052</link>
		<pubDate>Thu, 29 Jun 2006 20:23:48 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-6052</guid>
					<description>Why not just add to the hash by corrupting it? For example, if you remove characters or add them to the hashed string, then you can't decrypt them (unless you know what was lost or added).</description>
		<content:encoded><![CDATA[<p>Why not just add to the hash by corrupting it? For example, if you remove characters or add them to the hashed string, then you can&#8217;t decrypt them (unless you know what was lost or added).
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Nilesh</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-5699</link>
		<pubDate>Mon, 26 Jun 2006 18:19:12 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-5699</guid>
					<description>SH1 or MD5 can be decrypted , so be smart and dont use the raw info as the cookie info or whatever,

see here is the way you can decrypt the SH1 or MD5 crypted text,
http://www.md5encryption.com/?mod=decrypt

you been warned :)</description>
		<content:encoded><![CDATA[<p>SH1 or MD5 can be decrypted , so be smart and dont use the raw info as the cookie info or whatever,</p>
<p>see here is the way you can decrypt the SH1 or MD5 crypted text,<br />
<a href='http://www.md5encryption.com/?mod=decrypt' rel='nofollow'>http://www.md5encryption.com/?mod=decrypt</a></p>
<p>you been warned :)
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: nesianstyles</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-1391</link>
		<pubDate>Tue, 25 Apr 2006 23:50:30 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-1391</guid>
					<description>Just a note, doing something like md5(md5($data)) does not make it any more secure.
In fact, it actually makes it less secure because there is more chance of a collision.</description>
		<content:encoded><![CDATA[<p>Just a note, doing something like md5(md5($data)) does not make it any more secure.<br />
In fact, it actually makes it less secure because there is more chance of a collision.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Arnold Daniels</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-1127</link>
		<pubDate>Wed, 12 Apr 2006 20:54:10 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-1127</guid>
					<description>As long as a user doesn't turn off (standby, sleepmode, etc) his computer, the computer will keep his IP lease. So browsing through the app shouldn't give any problems. If the user goes for a cup of coffee and returns to his computer, he might need to re-enter his username and password when he return.
This is very rare though, since an ip-lease usualy last for 24 hours, meaning you have to turn your computer off for 24 hours to loose your ip and get a new one.

Saving the user agent, language, etc. does not add security, because there parameters are send by the client to the browser in the http-request. A hacker may simply copy the parameters (or even the whole http-header) of the client.
Please have a look at: http://web-sniffer.net/.
To the contrary, the ip is grapped from the socket connection, being the actual ip which is connected. Faking another ip is impossible... or atleast very hard.

If you realy want you could simply leave out the ip from the session_pwd without reducing a lot of security, since the cookie identifies the computer.

Arnold Daniels
http://www.helderhosting.nl</description>
		<content:encoded><![CDATA[<p>As long as a user doesn&#8217;t turn off (standby, sleepmode, etc) his computer, the computer will keep his IP lease. So browsing through the app shouldn&#8217;t give any problems. If the user goes for a cup of coffee and returns to his computer, he might need to re-enter his username and password when he return.<br />
This is very rare though, since an ip-lease usualy last for 24 hours, meaning you have to turn your computer off for 24 hours to loose your ip and get a new one.</p>
<p>Saving the user agent, language, etc. does not add security, because there parameters are send by the client to the browser in the http-request. A hacker may simply copy the parameters (or even the whole http-header) of the client.<br />
Please have a look at: <a href='http://web-sniffer.net/.' rel='nofollow'>http://web-sniffer.net/.</a><br />
To the contrary, the ip is grapped from the socket connection, being the actual ip which is connected. Faking another ip is impossible&#8230; or atleast very hard.</p>
<p>If you realy want you could simply leave out the ip from the session_pwd without reducing a lot of security, since the cookie identifies the computer.</p>
<p>Arnold Daniels<br />
<a href='http://www.helderhosting.nl' rel='nofollow'>http://www.helderhosting.nl</a>
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Dennis Pallett</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-1125</link>
		<pubDate>Wed, 12 Apr 2006 19:00:36 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-1125</guid>
					<description>Hey Arnold,

You're pretty much right about most things, but I disagree about tying Sessions to IP address, because it doesn't work in practice. Many big ISP's (like AOL) actually share IP address among its thousands of users, and even worse, it's possible for a user to get a different IP address between pageviews. If their session is tied to their IP address, they'd keep losing their session data.

That's why I opted to use other data, like the user agent and language set in the browser, because that's much less likely to change.

Also, hashing on the client side can work, if you don't use a salt on the server side. When hashing the password on the client side, you should include the timestamp in the hash (i.e. md5(password+timestamp), and send the timestamp along. On the server side you check the hash, but you also check to make sure the timestamp is recent enough (.e.g older than 30 seconds, and its invalid). This means any one who intercepts the request can't do much with the hash. Nor can they change the timestamp, as the hash won't match then.</description>
		<content:encoded><![CDATA[<p>Hey Arnold,</p>
<p>You&#8217;re pretty much right about most things, but I disagree about tying Sessions to IP address, because it doesn&#8217;t work in practice. Many big ISP&#8217;s (like AOL) actually share IP address among its thousands of users, and even worse, it&#8217;s possible for a user to get a different IP address between pageviews. If their session is tied to their IP address, they&#8217;d keep losing their session data.</p>
<p>That&#8217;s why I opted to use other data, like the user agent and language set in the browser, because that&#8217;s much less likely to change.</p>
<p>Also, hashing on the client side can work, if you don&#8217;t use a salt on the server side. When hashing the password on the client side, you should include the timestamp in the hash (i.e. md5(password+timestamp), and send the timestamp along. On the server side you check the hash, but you also check to make sure the timestamp is recent enough (.e.g older than 30 seconds, and its invalid). This means any one who intercepts the request can&#8217;t do much with the hash. Nor can they change the timestamp, as the hash won&#8217;t match then.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Arnold Daniels</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-1103</link>
		<pubDate>Wed, 12 Apr 2006 01:01:35 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-1103</guid>
					<description>&lt;code&gt;
     $ip = getenv('REMOTE_ADDR');
     $key = md5(microtime());
     setcookie('session_key', $key);
     $_SESSION['user_id'] = $user['id'];
     $_SESSION['ip'] = $ip;
     $_SESSION['session_pwd'] = md5($user['salt'] . $user['id'] . session_id() . $ip . $key);
&lt;/code&gt;</description>
		<content:encoded><![CDATA[<p><code><br />
     $ip = getenv('REMOTE_ADDR');<br />
     $key = md5(microtime());<br />
     setcookie('session_key', $key);<br />
     $_SESSION['user_id'] = $user['id'];<br />
     $_SESSION['ip'] = $ip;<br />
     $_SESSION['session_pwd'] = md5($user['salt'] . $user['id'] . session_id() . $ip . $key);<br />
</code>
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Arnold Daniels</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-1102</link>
		<pubDate>Wed, 12 Apr 2006 00:59:54 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-1102</guid>
					<description>It's me again :)

Having another look at my Authenticator class, i've noticed that I've done you a bit short telling that simply saving a random key in a cookie and save the hash of that key in the session would protect you from file-editing attacks. Since the hacker can simply set his own cookie and change the hash to match, this has isn't making you app more secure.

Instead you want to prevent the hacker from changing the authorizing data in the sessionfile. By creating a hash combining user salt, user id, session id, ip and key, it is not possible for the hacker to change any of this data without knowing the user salt.



K, hope it helps.
Arnold</description>
		<content:encoded><![CDATA[<p>It&#8217;s me again :)</p>
<p>Having another look at my Authenticator class, i&#8217;ve noticed that I&#8217;ve done you a bit short telling that simply saving a random key in a cookie and save the hash of that key in the session would protect you from file-editing attacks. Since the hacker can simply set his own cookie and change the hash to match, this has isn&#8217;t making you app more secure.</p>
<p>Instead you want to prevent the hacker from changing the authorizing data in the sessionfile. By creating a hash combining user salt, user id, session id, ip and key, it is not possible for the hacker to change any of this data without knowing the user salt.</p>
<p>K, hope it helps.<br />
Arnold
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Arnold Daniels</title>
		<link>http://phpit.net/article/handling-passwords-safely-php/#comment-1081</link>
		<pubDate>Tue, 11 Apr 2006 00:14:09 +0000</pubDate>
		<guid>http://phpit.net/article/handling-passwords-safely-php/#comment-1081</guid>
					<description>I didn't think &#60;form&#62; tags would stick. I'll retry to post the form using html entities. Lets see what happens ;)

&lt;code&gt;
   &#60;form action=&#34;http://www.yoursite.com/login.php&#34; method=&#34;POST&#34;&#62;
      &#60;b&#62;Username: &#60;/b&#62; &#60;input type=&#34;text&#34; name=&#34;username&#34; /&#62;
      &#60;b&#62;Password: &#60;/b&#62; &#60;input type=&#34;text&#34; name=&#34;secure_password&#34; id=&#34;password&#34; /&#62;

      &#60;input type=&#34;submit&#34; name=&#34;submit&#34; value=&#34;Login&#34; /&#62;
   &#60;/form&#62;
&lt;/code&gt;</description>
		<content:encoded><![CDATA[<p>I didn&#8217;t think &lt;form&gt; tags would stick. I&#8217;ll retry to post the form using html entities. Lets see what happens ;)</p>
<p><code><br />
   &lt;form action=&quot;http://www.yoursite.com/login.php&quot; method=&quot;POST&quot;&gt;<br />
      &lt;b&gt;Username: &lt;/b&gt; &lt;input type=&quot;text&quot; name=&quot;username&quot; /&gt;<br />
      &lt;b&gt;Password: &lt;/b&gt; &lt;input type=&quot;text&quot; name=&quot;secure_password&quot; id=&quot;password&quot; /&gt;</p>
<p>      &lt;input type=&quot;submit&quot; name=&quot;submit&quot; value=&quot;Login&quot; /&gt;<br />
   &lt;/form&gt;<br />
</code>
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
