Using HTTP POST for login forms

I regularly use a standard form to send login information through the HTTP POST method and then validate it using PHP to check if the details are correct. I use an md5 hash on the passwords (and sometimes usernames) to give some degree of security, so I'm not storing a raw password in my code in case it's viewed by an unauthorised person, or something like that.

I'm pretty sure that I've just made anyone with even a vague understanding of security groan or at least sigh in exasperation.

I've recently been working on a forum which has a MySQL database of users and passwords; the passwords are stored as md5 hashes, but I worry that when sending the login form via HTTP POST the possibility of the information being intercepted is there. I'm aware of the possibilities of MySQL injection attacks and think that I'm safe from any simple attacks.

I'm not a security expert when it comes to this kinda stuff, but I'd like to limit the possibilities of passwords being intercepted when sent over HTTP.

It's not a big site, so I'm not overly worried about attacks and HTTPS is not really a possibility, so I'm looking for advice on standard practices I should be following when using this method of sending login information.

Cheers

andyface asked Nov 16 '09 10:11


1 Answer

You would need to do a client-side hash of the password based on a challenge salt provided by the server. This challenge should be different for each request.

This way, even if the password hash is intercepted, it would not be usable for anything useful, since the next authentication would require a different hash.

Anyway, HTTPS should be the right and safe way.

Patonza answered Oct 12 '22 08:10


