[imp] Newbie question - got it installed. now what ?

Marek marek at foundmoney.com
Mon Jun 16 21:38:46 PDT 2003


Well I got that to work, so I installed IMP and this is what happens when I
log in using imp/login.php


Notice: Undefined index: alternate_login in
/usr/local/apache/htdocs/horde/imp/login.php on line 94

Warning: Cannot modify header information - headers already sent by (output
started at /usr/local/apache/htdocs/horde/imp/login.php:94) in
/usr/local/apache/htdocs/horde/lib/Secret.php on line 144

Warning: main(/usr/local/apache/htdocs/horde/imp/configlib/constants.php):
failed to open stream: No such file or directory in
/usr/local/apache/htdocs/horde/imp/config/prefs.php on line 6

Fatal error: main(): Failed opening required
'/usr/local/apache/htdocs/horde/imp/configlib/constants.php'
(include_path='/usr/local/lib/php/') in
/usr/local/apache/htdocs/horde/imp/config/prefs.php on line 6

Any ideas?
Thanks!

----- Original Message -----
From: "Scott Courtney" <courtney at 4th.com>
To: "Eric Rostetter" <eric.rostetter at physics.utexas.edu>;
<imp at lists.horde.org>
Sent: Monday, June 16, 2003 11:48 PM
Subject: Re: [imp] Newbie question - got it installed. now what ?


On Monday 16 June 2003 23:21, Eric Rostetter wrote:
> > insert into horde_users values ('test', PASSWORD('test'));
>
> You need to use md5() instead of password().

Okay, someone said suggestions were okay on the list, so here's mine for
today:

Having a password column that contains only the crypted password (md5 or
whatever) is not as good a security practice as having a more variable
password.

I've written a PHP-based content management framework for a news portal
site that I run. Here's what I do for password storage:

(This is pseudocode, not actual PHP...)

    // per-user pseudo-random value (the salt); it is stored in the clear
    $rand_val = string_value(random_integer_between(100000,999999));
    // hash salt, username and password, separated by newlines
    $crypto = md5($rand_val . "\n" . $username . "\n" . $password);
    // what actually goes into the password column: "salt:hash"
    $password_column = $rand_val . ":" . $crypto;

So a username of "scott" and password of "secret" and pseudo-random value
of "551783" stores "551783:d55a20645f151e0ca157df92d448547a" in the
password column of the database. The newline characters in the cleartext
that gets hashed by md5() are there because this is a character that can
be unambiguously filtered out of username and password inputs.

To check the password, take the credentials presented by the user, read
the pseudo-random value from the database, and use that value to crypt
the credentials using the same algorithm. If they match, good login.

This approach won't work for using MySQL's own direct authentication, but
if your code does its own authentication check in PHP, this is more
secure than just hashing the password itself.

With this approach, the password column in the database is not the same
for two users who happen to choose the same password. The idea is that
the values of the password column in the database aren't directly
attackable by a single dictionary attack. You have to dictionary attack
on each pseudo-random value that appears, and for each different username,
not just once for each resulting md5() hash.

If you're interested in seeing my code, I'll be glad to send a snippet off-
list. I've released my stuff GPL, so you're free to use it if you find it
helpful in any way.

This certainly isn't rock-solid, but it's an improvement in security and
it comes at minimal cost in terms of code complexity.

Scott

--
-----------------------+------------------------------------------------------
Scott Courtney         | "I don't mind Microsoft making money. I mind them
courtney at 4th.com    | having a bad operating system."    -- Linus Torvalds
http://4th.com/        | ("The Rebel Code," NY Times, 21 February 1999)
                       | PGP Public Key at http://4th.com/keys/courtney.pubkey
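Scott's salted-storage scheme and the matching check, as an added Python example (not his PHP code, which he offers off-list); the function names and the newline-stripping helper are my own, and the comments note where the scheme stops short of a modern slow password hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _strip_separator(value: str) -> str:
    """Newline is the field separator inside the hashed string, so it is
    filtered out of username and password first (the reason the post
    picks "\\n" as the separator)."""
    return value.replace("\r", "").replace("\n", "")


def make_password_column(username: str, password: str,
                         rand_val: Optional[str] = None) -> str:
    """Build the "rand_val:md5" value that goes in the password column.

    rand_val is the per-user pseudo-random value (six digits in the post);
    a fresh one is drawn when none is supplied, e.g. at account creation.
    """
    if rand_val is None:
        rand_val = str(secrets.randbelow(900000) + 100000)  # 100000..999999
    cleartext = "\n".join([rand_val, _strip_separator(username),
                           _strip_separator(password)])
    # Caveat: md5 is fast, so the salt only defeats one shared dictionary
    # pass across all rows; it does not slow down guessing against a single
    # account the way bcrypt/scrypt/Argon2 (PHP's password_hash) would.
    digest = hashlib.md5(cleartext.encode("utf-8")).hexdigest()
    return rand_val + ":" + digest


def check_password(stored_column: str, username: str, password: str) -> bool:
    """Read rand_val back from the stored column, re-derive the hash from the
    presented credentials and compare; True means a good login."""
    rand_val, sep, expected = stored_column.partition(":")
    if not sep or not rand_val.isdigit() or len(expected) != 32:
        return False  # malformed row, never a match
    candidate = make_password_column(username, password, rand_val)
    return hmac.compare_digest(candidate, stored_column)


def same_password_differs(user_a: str, user_b: str, password: str) -> bool:
    """Two accounts choosing the same password get different column values,
    even if the two salts happened to collide, because the username is
    hashed too (constructed demonstration, not the post's example)."""
    col_a = make_password_column(user_a, password, "551783")
    col_b = make_password_column(user_b, password, "551783")
    return col_a != col_b
```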


--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscribe at lists.horde.org
