I believe I have access to mcrypt, is that good or bad? I googled 'FreeBSD MD5 implementation' but just came up with a lot of links from MD5 and bruteforce password crackers. Care to provide a link?
malfist
Latest posts made by malfist
-
RE: Storing passwords Passwords
-
Storing passwords Passwords
I recently discovered a serious security problem with the way I'm storing passwords in the database. I do it like this:
sha1(md5(plaintext password) + md5(salt))
And that seemed to work, however I was notified by a user today that he could just hit enter and log in, without a password. The issue was that some hashes PHP believed were something that they weren't, failed silently and I ended up with sha1(0) as the stored password. An empty password was one such hash that failed, so every hash that failed, and an empty password, would allow them in. I changed it to sha1(md5(plaintext password) . md5(salt)) so PHP treats it as a string and concatenates them, but I'm sure there's a better way to do it.
One of my friends, who is very security oriented, said that even using that, any rainbow table would crack it, despite the hash.
What do you recommend for storing passwords and checking them? I don't have access to bcrypt and other expensive hashing algorithms, but it should be secure enough with sha1 and md5. How would you all build such a system?
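A hardened version of what the post above asks for, keeping its sha1-only constraint; this is an added example, not the poster's code. It assumes PHP 7 or later for hash_pbkdf2(), random_bytes() and hash_equals(); where password_hash() (bcrypt) is available, that is the better choice.

```php
<?php
// Added example, not code from the original post. It keeps the poster's
// constraint (only sha1/md5 available) and assumes PHP 7+ for hash_pbkdf2(),
// random_bytes() and hash_equals().

const PBKDF2_ITERATIONS = 100000;   // slows offline brute force; tune to your hardware
const SALT_BYTES        = 16;       // per-user random salt defeats precomputed rainbow tables

// Returns the record to store for a new password: "iterations$salt$hash".
function create_password_record(string $password): string {
    if ($password === '') {
        // An empty password must never be accepted; the original bug let it in.
        throw new InvalidArgumentException('empty password');
    }
    $salt = bin2hex(random_bytes(SALT_BYTES));
    // Salt and password are passed as separate string arguments, so nothing is
    // ever coerced to a number the way '+' did with two md5() hex strings.
    $hash = hash_pbkdf2('sha1', $password, $salt, PBKDF2_ITERATIONS, 40);
    return PBKDF2_ITERATIONS . '$' . $salt . '$' . $hash;
}

// Recomputes the hash with the stored salt and compares in constant time.
function verify_password(string $password, string $record): bool {
    if ($password === '') {
        return false;   // reject empty passwords before doing any work
    }
    $parts = explode('$', $record);
    if (count($parts) !== 3) {
        return false;   // malformed record: fail closed rather than open
    }
    [$iterations, $salt, $stored] = $parts;
    $computed = hash_pbkdf2('sha1', $password, $salt, (int) $iterations, 40);
    // hash_equals() avoids leaking where the two strings first differ.
    return hash_equals($stored, $computed);
}

// Self-check with constructed values.
$record = create_password_record('correct horse');
assert(verify_password('correct horse', $record) === true);
assert(verify_password('', $record) === false);
assert(verify_password('wrong', $record) === false);
echo "ok\n";
```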
-
RE: Need serious help with PHP (constants and require_once)
It's good to know that I can't read, I thought that was an integral part of writing.
-
RE: Need serious help with PHP (constants and require_once)
Really now? Because I work for a messed up business called a university and I have to deal with Windows servers running IIS and an outdated version of PHP and MySQL (3.23 anyone?) instead of stable Linux servers running Apache with fully updated software, it's my fault. As a student worker, I don't have the privilege to ask for the 'right tools'. If I started doing that, I'd be looking for a new job. Not everybody works for Google, you know.
-
RE: Need serious help with PHP (constants and require_once)
I apologize that I am using substandard equipment that I have no control over. I'm glad to know that the fact that I cannot get XP Pro or IIS for development at my work place makes my code a rat's nest. Sorry to offend your delicate sensibilities. Now, if you're just going to troll and not help, please go away.
-
RE: Need serious help with PHP (constants and require_once)
I'll change them all to absolute, see if that fixes anything. No, my Apache isn't running on Linux :( My Ubuntu box is at home.
-
RE: Need serious help with PHP (constants and require_once)
XP Home doesn't include IIS, only PRO, as far as I know. On topic is dealing with the problems I need help with. I agree, testing/development on Apache and deployment on IIS is a bad idea, but that's not the focus of the issue here.
-
RE: Need serious help with PHP (constants and require_once)
I don't have a license for IIS, OEM XP, no CD to install IIS from. Please, can we stay on topic?
-
RE: Need serious help with PHP (constants and require_once)
@belgariontheking said:
Why would you not develop in an environment which even remotely approximates your production environment?
Because I don't have a choice.
-
RE: Need serious help with PHP (constants and require_once)
Say I have this file called Page, and it needs the config file for the constants. It also needs files called Mysql and Logger. Mysql and Logger also need the constants, so they also call require_once for the constants. However, when they call it I get the warnings about them already being defined. However, if I remove their calls to that file they throw warnings about undefined constants, assuming string literal.
This is the exact same code that works perfectly on Apache.