views:

173

answers:

2

I regularly use a standard form to send login information through the HTTP POST method and then validate it using php to check if the details are correct. I use an md5 hash on the passwords (and sometimes usernames) to give some degree of security, so I'm not storing a raw password in my code in case it's viewed by an unauthorised person, or something like that.

I'm pretty sure that I've just made anyone with even a vague understanding of security groan or at least sign in exasperation.

I've recently been working on a forum which has a MySQL database of users and passwords, the passwords are stored as md5 hashes, but I worry that when sending the login form via HTTP POST the possibility of the information being intercepted is there. I'm aware of the possibilities of MySQL injection attacks and think that I'm safe from any simple attacks.

I'm not a security expert when it comes to this kinda stuff, but I'd like to limit the possibilities of passwords being intercepted when sent over HTTP.

It's not a big site, so I'm not overly worried about attacks and HTTPS is not really a possibility, so I'm looking for advice on standard practices I should be following when using this method of sending login information.

Cheers

+5  A: 

You would need to do a client-side hash of the password based on a challenge salt provided by the server. This challenge should be different for each request.

This way, even if the password hash is intercepted, it would not be usable for anything useful, since the next authentication would require a different hash.

Anyway, HTTPS should be the right and safe way.

Patonza
what's the best hasher (if that's even a term) for doing this using php? and what's the best way to hash an input before sending it?I'd assume, though could be wrong, that I'd want use javascript to take the users input and hash it before submitting the form, but if javascript is turned off this wouldn't work.
andy-score
I usually stick to standard algorithms, for both security and compatibily. PHP has a sha1() function which is fine for most uses. You obviously need some clientside code to do that, be it javascript, an applet, a browser plugin, etc. I'd go for JS. You could always provide a less secure, scriptless login form.
Patonza
A: 

A basic suggestion would be: don't trust anyone.

So, test your POSTed data for SQL injection, for Javascript in your text fields, and avoid plain passwords stored in your database.

Rubens Farias
"don't trust anyone." - I never do :DThanks for the tips.
andy-score