Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does my PHP security algorithm effectively store user credentials?

This question is about a specific programming problem I am having - I want to make sure that my code (and software algorithm) are sufficient enough to store user credentials in a database.

// Get a 32 character salt like '69Mt6nexL1rsjWnu011S53MpB/WmT4Vl'
$passwordSalt = Security::generateBase64Salt();

$user = new User();
$user->setUsername($_POST['username']);

// $_POST['password'] comes in as a 128 character string
// Client side javascript is used to sha512 the string before sending it over POST
// see http://pajhome.org.uk/crypt/md5/
// This prevents novice eavesdroppers from capturing the raw password in plaintext
$user->setPassword(
    hash('sha512', $passwordSalt.$_POST['password'])
);
$user->setPasswordSalt($passwordSalt);
$user->save();

Here's the database entry for a particular password:

alt text

Password:

69a78a7586a111b8a567b2d4f42f93f01fb59d337f7fa3c35949a66b246095778c1fa01ff4026abace476091e1e9a183bbdec1c31b12ce3f786921895c98cf6f

Salt:

69Mt6nexL1rsjWnu011S53MpB/WmT4Vl

Questions:

  • Are there any inherit flaws with this algorithm?
  • Is it OK to store the salt in the same database and table as the salt+password hash?
  • Will having a large 128 character password cause login performance issues (on a magnitude of several seconds) if I have several hundred thousand users in the table?
  • Can this data be reversed to produce the original password?

For Fun:

I'll PayPal you $5 if you can provide me with the original password using the salt and salt + password hash.

like image 829
Kirk Ouimet Avatar asked Aug 20 '10 02:08

Kirk Ouimet


People also ask

Which type of algorithm should be used when storing user credentials?

Commonly used hashing algorithms include Message Digest (MDx) algorithms, such as MD5, and Secure Hash Algorithms (SHA), such as SHA-1 and the SHA-2 family that includes the widely used SHA-256 algorithm.

Is it safe to store password in PHP?

PHP provides a native password hashing API that safely handles both hashing and verifying passwords in a secure manner. Another option is the crypt() function, which supports several hashing algorithms.

How secure is username and password in PHP?

User has to create a password and use it for login to the website. But it is very important to secure the password of the user. password_hash() function provides the facility to securely store the password of the user to the database.


1 Answers

Everything Kendall said, and ..

.. Skip the hashing that you perform client side in javascript. Instead, just buy a SSL certificate and post the credentials over https. Will protect you from novice eavesdroppers as well as seasoned attackers.

And besides, once you hash on the client side, that effectively becomes your password. If an eavesdropper gets hold off the hashed password, he can pass it to your server and things would just work.

like image 61
Sripathi Krishnan Avatar answered Sep 20 '22 23:09

Sripathi Krishnan