[imp] Newbie question - got it installed. now what ?

Scott Courtney courtney at 4th.com
Mon Jun 16 20:48:15 PDT 2003


On Monday 16 June 2003 23:21, Eric Rostetter wrote:
> > insert into horde_users values ('test', PASSWORD('test'));
>
> You need to use md5() instead of password().

Okay, someone said suggestions were okay on the list, so here's mine for
today:

Having a password column that contains only the crypted password (md5 or
whatever) is not as good a security practice as having a more variable
password.

I've written a PHP-based content management framework for a news portal
site that I run. Here's what I do for password storage:

(This is pseudocode, not actual PHP...)

    $rand_val = string_value(random_integer_between(100000,999999));
    $crypto = md5($rand_val . "\n" . $username . "\n" . $password);
    $password_column = $rand_val . ":" . $crypto;

So a username of "scott" and password of "secret" and pseudo-random value
of "551783" stores "551783:d55a20645f151e0ca157df92d448547a" in the
password column of the database. The newline characters in the cleartext
that gets hashed by md5() are there because this is a character that can
be unambiguously filtered out of username and password inputs.

To check the password, take the credentials presented by the user, read
the pseudo-random value from the database, and use that value to crypt
the credentials using the same algorithm. If they match, good login.

This approach won't work for using MySQL's own direct authentication, but
if your code does its own authentication check in PHP, this is more
secure than just hashing the password itself.

With this approach, the password column in the database is not the same
for two users who happen to choose the same password. The idea is that
the values of the password column in the database aren't directly
attackable by a single dictionary attack. You have to dictionary attack
on each pseudo-random value that appears, and for each different username,
not just once for each resulting md5() hash.

If you're interested in seeing my code, I'll be glad to send a snippet
off-list. I've released my stuff GPL, so you're free to use it if you find
it helpful in any way.

This certainly isn't rock-solid, but it's an improvement in security and
it comes at minimal cost in terms of code complexity.

Scott

-- 
-----------------------+------------------------------------------------------
Scott Courtney         | "I don't mind Microsoft making money. I mind them
courtney at 4th.com       | having a bad operating system."    -- Linus Torvalds
http://4th.com/        | ("The Rebel Code," NY Times, 21 February 1999)
                       | PGP Public Key at http://4th.com/keys/courtney.pubkey
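
The store-and-check procedure described in the message above, written out as runnable PHP. This is an added example, not part of the original post and not the poster's own code. The function names are hypothetical, and `random_int()` and `hash_equals()` are substitutions for the pseudocode's random-number call and a plain string comparison.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.

// The scheme uses "\n" as the field separator, so a field containing a
// line break would make the hashed text ambiguous.
function has_line_break(string ...$fields): bool
{
    foreach ($fields as $field) {
        if (strpbrk($field, "\r\n") !== false) {
            return true;
        }
    }
    return false;
}

function make_password_column(string $username, string $password): string
{
    if (has_line_break($username, $password)) {
        throw new InvalidArgumentException('line break in credential field');
    }
    // random_int() draws from the system CSPRNG (assumes PHP 7 or later).
    $rand_val = (string) random_int(100000, 999999);
    $crypto = md5($rand_val . "\n" . $username . "\n" . $password);
    return $rand_val . ':' . $crypto;
}

function check_password_column(string $column, string $username, string $password): bool
{
    if (has_line_break($username, $password)) {
        return false;
    }
    // Stored format: six digits, a colon, 32 lowercase hex characters.
    if (preg_match('/\A(\d{6}):([0-9a-f]{32})\z/', $column, $m) !== 1) {
        return false;
    }
    $expected = md5($m[1] . "\n" . $username . "\n" . $password);
    return hash_equals($m[2], $expected); // constant-time comparison
}

// Constructed sample data: two accounts that chose the same password.
$scott = make_password_column('scott', 'secret');
$alice = make_password_column('alice', 'secret');

var_dump(check_password_column($scott, 'scott', 'secret')); // matching credentials
var_dump(check_password_column($scott, 'scott', 'Secret')); // wrong password
var_dump(check_password_column($scott, 'alice', 'secret')); // right password, wrong user
var_dump(substr($scott, 7) === substr($alice, 7));          // compare the two stored hashes
```

PHP's built-in `password_hash()` and `password_verify()` apply the same per-entry random value idea with a deliberately slow hash, and keep the salt inside the stored string in the same way.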


