[imp] Newbie question - got it installed. now what ?

James Murchison james at un.net.au
Mon Jun 16 21:03:34 PDT 2003 

Scott your suggestion sounds great, but don't you think its a little
deep for a "NewBie"?

James Murchison
Unlimited Networks

-----Original Message-----
From: imp-bounces at lists.horde.org [mailto:imp-bounces at lists.horde.org]
On Behalf Of Scott Courtney
Sent: Tuesday, 17 June 2003 1:48 PM
To: Eric Rostetter; imp at lists.horde.org
Subject: Re: [imp] Newbie question - got it installed. now what ?


On Monday 16 June 2003 23:21, Eric Rostetter wrote:
> > insert into horde_users values ('test', PASSWORD('test'));
>
> You need to use md5() instead of password().

Okay, someone said suggestions were okay on the list, so here's mine for
today:

Having a password column that contains only the crypted password (md5 or
whatever) is not as good a security practice as having a more variable
password.

I've written a PHP-based content management framework for a news portal
site that I run. Here's what I do for password storage:

(This is pseudocode, not actual PHP...)

    $rand_val = string_value(random_integer_between(100000,999999));
    $crypto = md5($rand_val . "\n" . $username . "\n" . $password);
    $password_column = $rand_val . ":" . $crypto;

So a username of "scott" and password of "secret" and pseudo-random
value of "551783" stores "551783:d55a20645f151e0ca157df92d448547a" in
the password column of the database. The newline characters in the
cleartext that gets hashed by md5() are there because this is a
character that can be unambiguously filtered out of username and
password inputs.

To check the password, take the credentials presented by the user, read
the pseudo-random value from the database, and use that value to crypt
the credentials using the same algorithm. If they match, good login.

This approach won't work for using MySQL's own direct authentication,
but if your code does its own authentication check in PHP, this is more
secure than just hashing the password itself.

With this approach, the password column in the database is not the same
for two users who happen to choose the same password. The idea is that
the values of the password column in the database aren't directly
attackable by a single dictionary attack. You have to dictionary attack
on each pseudo-random value that appears, and for each different
username, not just once for each resulting md5() hash.

If you're interested in seeing my code, I'll be glad to send a snippet
off- list. I've released my stuff GPL, so you're free to use it if you
find it helpful in any way.

This certainly isn't rock-solid, but it's an improvement in security and
it comes at minimal cost in terms of code complexity.

Scott

-- 
-----------------------+------------------------------------------------
-----------------------+------
Scott Courtney         | "I don't mind Microsoft making money. I mind
them
courtney at 4th.com       | having a bad operating system."    -- Linus
Torvalds
http://4th.com/        | ("The Rebel Code," NY Times, 21 February 1999)
                       | PGP Public Key at
http://4th.com/keys/courtney.pubkey


-- 
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscribe at lists.horde.org

More information about the imp mailing list