I was searching for simple password hashing in a login form and came across this: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/. Here he hashes the password, creates a salt, and then hashes the password and salt again. I am building a login form myself; this is abc.php:
<form name="register" action="register.php" method="post">
Username: <input type="text" name="username" maxlength="30" />
Password: <input type="password" name="pass1" />
Password Again: <input type="password" name="pass2" />
<input type="submit" value="Register" />
</form>
After submitting, it goes to register.php, which has:
$u=$_REQUEST['username'];
$p=$_REQUEST['pass1'];
//salt create function
//hashing code
//final hash password
and then inserts $u and the 'final password' into the database.
Q: My question is: when submitting the form from abc.php, does the password go as text?
And if yes, then there is a chance of someone reading it, so what's the need for hashing passwords? Because even when I log in, I will submit the page and retrieve the password and username from $_REQUEST on maybe another page, where it will be checked; it travelled as text and thus can be read by someone.
The password is now sent in clear text. There is a workaround without the use of HTTPS: you can hash the password with JavaScript before it is sent over the HTTP socket. There are several tutorials out there. This isn't as good as using HTTPS, but it is still better than nothing.
Your password is sent via HTTP POST or HTTP GET, depending on the method in your form. HTTP POST or HTTP GET is sent via a socket stream, and someone can sniff your data along the way: your network admin, your ISP, etc.
If you want to create a secure login, your server must support HTTPS. If you send via HTTPS, no one can read your data.
The "secure" part of that article clearly relates to the storage of the password. Someone could intercept the password if the network on the client or the server side is not secure (i.e. someone with a packet sniffer on the network).
If this is a concern, you can mitigate that risk by using SSL, which will encrypt the conversation between client and server.
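As an added example (not code from the question or from the linked article), here is what register.php and the login check look like when the two concerns above are kept separate: server-side hashing protects the stored credential, and HTTPS protects it on the wire. It assumes a PDO connection in $pdo and a users table with username and password_hash columns; both are assumptions, not something the question specifies.

```php
<?php
declare(strict_types=1);

// Hashing on the server protects the password if the database leaks.
// It does nothing for the password in transit; that is the job of HTTPS,
// so refuse to accept credentials over plain HTTP at all.
function require_https(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('Credentials are only accepted over HTTPS.');
    }
}

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() picks a random per-user salt and stores it inside the
    // hash string, so no separate salt column or hand-rolled double hashing.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function verify_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still run one verification against a dummy hash so the
        // response time does not reveal which usernames exist, then fail.
        static $dummy = null;
        $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

require_https();
// The form uses method="post", so read $_POST rather than $_REQUEST.
$u  = $_POST['username'] ?? '';
$p1 = $_POST['pass1'] ?? '';
$p2 = $_POST['pass2'] ?? '';
if ($u === '' || $p1 === '' || $p1 !== $p2) {
    http_response_code(400);
    exit('Username is required and both passwords must match.');
}
register_user($pdo, $u, $p1);
```

The login page calls verify_login() with the submitted username and password instead of register_user(); everything else, including the HTTPS check, stays the same.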