views:

83

answers:

2

Hi,

I am very interested to find out how to keep php passwords secure.

Main question is: How do I post the password as a secured string from the login form?

I have been checking how other sites do this e.g. facebook. When I log in to facebook I dont see my password posted at all, it just seems like a long encrypted string.

How do I convert the password field to an encrypted string before posting? Is this done with ajax?

Cheers Ke

+4  A: 

Check the HTTPS protocol

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS should not be confused with Secure HTTP (S-HTTP) specified in RFC 2660.

If you cannot enable HTTPS for your site and don't want to post cleartext passwords (for obvious security reasons), consider using Challenge-Response Authentication.

Just google for various PHP/Javascript implementations and pick one you like.

Gordon
This is what Facebook uses -- Facebook logs you in over SSL, and then redirects you back to plain old HTTP, with a session to keep you logged in.
Josh
+1  A: 

If you can't use a secure connection, you could encrypt the password prior to sending.

JavaScript-pseudocode:

onSubmit:
  PASSWORDFIELD.value = md5(PASSWORDFIELD.value)

You'll then have an MD5-encrypted password on the client-side which is then send to your server (no need to use AJAX). On the server-side you'd compare it with the encrypted password stored in a database to check whether the user is authorized.

Select0r