Learn how to create secure logins by properly hashing passwords and using SALT.
Storing A User’s Password
The standard requirement for access to a site is a user’s password, associated with a username or email address.
BAD PRACTICE !!!!
www.prodigyview.com
Storing Passwords in Plain Text
On the previous slide, the password was stored in plain text. THIS IS VERY BAD PRACTICE!
1. If the database is hacked/stolen, the users' accounts will be at risk.
2. The users' information could be at risk from members of the internal organization.
MD5 Hashing
One answer to the problem is MD5 hashing. Before the password is actually inserted in the database, hash it with md5().
Problem with MD5 Hash
MD5 hashing is great, except for one small problem: dictionary lists of md5 hashes exist. Just Google the hashed value and see for yourself.
Dictionary List and Attacks
A dictionary list is a library of hashed values and their corresponding unhashed strings.
In other words, it’s a way of decoding md5 hashed passwords.
A dictionary list can be built for other hashing algorithms, such as sha1(), as well.
How do we get around this?
SALT!
Salting means adding a string of text to the password as part of the hashing process. This can prevent a basic dictionary list from being formed.
Google the SALTed Hash
A Google search for the salted hash gives these results. This is what we want.
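The following PHP script is an added example, not code from the ProdigyView slides. It shows the point of the "Dictionary List" and "SALT!" slides together: a precomputed list of md5 hashes finds an unsalted password hash immediately, while the same list has no entry for the salted hash. The password list and the salt value are constructed sample data, and the function names are this example's own.

```php
<?php
// Added example (not from the ProdigyView slides): why a precomputed
// dictionary list breaks unsalted md5() but not a salted hash.
// The password list and the salt below are constructed sample values.

declare(strict_types=1);

/** Build a dictionary list: md5 hash => original string. */
function buildDictionaryList(array $commonPasswords): array
{
    $list = [];
    foreach ($commonPasswords as $plain) {
        $list[md5($plain)] = $plain;
    }
    return $list;
}

/** Look a stored hash up in the dictionary list; null when there is no entry. */
function lookupHash(array $dictionaryList, string $storedHash): ?string
{
    return $dictionaryList[$storedHash] ?? null;
}

/** Salted variant: the salt is mixed in before hashing, as the slides describe. */
function saltedMd5(string $password, string $salt): string
{
    return md5($salt . $password);
}

// Constructed sample: a tiny "common passwords" list standing in for the
// public md5 dictionary lists the slides refer to.
$dictionaryList = buildDictionaryList(['password', '123456', 'qwerty', 'letmein']);

// A user whose plain-text password happens to be in the list.
$userPassword = 'letmein';
$siteSalt     = 'pv-example-salt'; // constructed value, not a real site's salt

$unsalted = md5($userPassword);
$salted   = saltedMd5($userPassword, $siteSalt);

echo "unsalted md5 lookup: ", lookupHash($dictionaryList, $unsalted) ?? '(no match)', PHP_EOL;
echo "salted md5 lookup:   ", lookupHash($dictionaryList, $salted) ?? '(no match)', PHP_EOL;
```

The unsalted lookup returns the user's password because the list was built from the very same md5() values; the salted lookup returns no match because the list was built without the salt. This is exactly the difference between the two Google searches on the slides, and it holds for sha1() or any other fast hash as well.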
A Small Problem with SALT
We are about to make things a little more complex. SALT is great because it is HARD to make a dictionary list, but NOT IMPOSSIBLE.
The way around this problem is to find some way of making a unique SALT for each user. Our next slide shows one of many ways of making a unique SALT for extra security.
Use Two IDs
A user logs in with their email and password. For our salt to work, let's add a third login field. Make each user have their own unique pin number that is required to log in. The pin number will be the SALT.
PHP Crypt
PHP has a function designed for securing a user’s password. By default it uses the standard Unix DES algorithm, but it can be configured to use others. The function also supports SALT.
http://php.net/manual/en/function.crypt.php
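The following PHP script is an added example, not code from the ProdigyView slides. It implements the per-user SALT idea from the "Use Two IDs" slide with crypt() from the "PHP Crypt" slide, with one swapped-in technique: instead of a PIN the user has to type, the salt is drawn from random_bytes() and stored inside the hash string, so no third login field is needed. crypt() is called in its bcrypt ("$2y$") mode rather than the default DES mode. The user table, email addresses and passwords are constructed sample data, and the function names are this example's own.

```php
<?php
// Added example (not from the ProdigyView slides): a unique salt for every
// user, generated with random_bytes() and stored next to the hash, instead
// of the slides' user-chosen PIN. crypt() is used with its bcrypt ("$2y$")
// mode rather than the default DES mode.

declare(strict_types=1);

/** Make a 22-character salt from the ./A-Za-z0-9 alphabet bcrypt expects. */
function makeBcryptSalt(): string
{
    // 16 random bytes -> 24 base64 chars; bcrypt wants '.' instead of '+'
    // and exactly 22 characters, so the "==" padding is cut off.
    return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

/** Hash a new password. The returned string embeds the salt and the cost. */
function hashPassword(string $password, int $cost = 10): string
{
    $setting = sprintf('$2y$%02d$%s', $cost, makeBcryptSalt());
    $hash = crypt($password, $setting);
    // crypt() signals a rejected setting string with a very short result.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

/** Verify a login: re-run crypt() with the stored hash as the setting string. */
function verifyPassword(string $password, string $storedHash): bool
{
    // hash_equals() compares in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed users table: each row keeps its own salted hash.
$users = [
    'alice@example.com' => hashPassword('correct horse battery staple'),
    'bob@example.com'   => hashPassword('correct horse battery staple'),
];

// Same password, different salt per user, so the stored hashes differ.
echo 'hashes differ:  ', var_export($users['alice@example.com'] !== $users['bob@example.com'], true), PHP_EOL;
// Login checks against alice's stored hash.
echo 'right password: ', var_export(verifyPassword('correct horse battery staple', $users['alice@example.com']), true), PHP_EOL;
echo 'wrong password: ', var_export(verifyPassword('wrong password', $users['alice@example.com']), true), PHP_EOL;
```

Because every user gets a different salt, a dictionary list would have to be built separately for each stored hash, which is the "unique SALT for each user" goal of the previous slide. Since PHP 5.5 the built-in password_hash() and password_verify() functions wrap this same crypt() bcrypt mode and generate the salt for you, so in new code they are the simpler choice.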
More Tutorials
For more tutorials, please visit:
http://www.prodigyview.com/tutorials