tags:

views:

25

answers:

1
Q: 

Algorithm for Saving a User's Credentials into a Database over HTTP

Any comments/improvements on this process?

User Table: id, username, password, salt

Storing a New User

  1. Receive the username (plaintext) from $_POST
  2. Receive the password (sha512'd using javascript) http://pajhome.org.uk/crypt/md5/sha512.html from $_POST
  3. Generate a 128 character salt (alphanumeric with symbols) on the server and store it in the salt column
  4. Prepend the password hash with the salt and save it in the password column
+2  A: 

Yes. A few things:

  • It's pointless to hash the data client-side with Javascript. Use https to transmit the data instead.
  • The point of salt is to thwart rainbow table attacks, where the attacker has precomputed the hashes of a big number of strings in order to find a reverse correspondence from hash to original string. It's pointless to prepend the salt to the hashed password, because the attacker can simply strip the salt.

The correct way is this:

  1. Send the password to the server only encrypted via https (no Javascript)
  2. Generate a long, random salt – use a good random generator (not PHP's rand...)
  3. Append the password to the salt
  4. Store a hash of the salt+password, together with the salt.

Then, to authenticate:

  1. Send the password to the server only encrypted via https
  2. Get the salt from the DB
  3. Append the password to the salt
  4. Compute the hash of the salt+password and compare with what you have in the DB
Artefacto  2010-08-18 01:11:06
How long of a salt? (number of chars). How quick should the authentication process be if you have 1,000,000+ users? (under 30 ms?)
Kirk  2010-08-18 01:24:18
@Kirk It's not so much about the length as to the entropy. If you use only letters, you'll need a bigger salt. I don't know if there's an industry standard for this, but a 16 character salt with only good random numbers and letters should be enough. As to your second question, it's impossible to answer. If there's a requirement on the latency, you should satisfy it, if not, it's arbitrary...
Artefacto  2010-08-18 01:42:08

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases