I have a login service to my current website and what I was wondering is - is there any particular method you could call the MOST Secure?

Allow me to explain my system a little better:

I currently have a PHP MySQL database with a users table. The username and password are both stored as VARCHAR (not the best for passwords I know).

On the sign up form side, I regulate the choice of passwords and usernames by only allowing a-Z 0-9 entry and limit the number of characters. On the login form side, I stop attacks by using mysql_real_escape_string and I use POST to an iFrame instead of AJAX.

I feel I am doing what I can to prevent attacks from the Form side, but not from the database side. I know you can change the type of password storage to encrypt upon entry to the database, but what I don't understand is how I would then query this encrypted string.

Given what I've described, what would you advise in terms of added security and why? What are your chosen methods to prevent hacking and attacks? Can you see any glaring security holes in what I've described? Perhaps most importantly of all, what could I do to correct these, given that I've not been in the web-development game long and don't have much experience?

(Bear in mind that I'm not creating a system to house confidential or inflammatory data)

+4  A: 

First of all, don't store plain text passwords in your database. So, when registering a new user insert their password as a hash. MD5 is most commonly used for this. I suggest using a salt with this. So for storing:

$password = md5($yoursalt . $_POST['password']);

Now when the user wants to login, you have their password again in your post. Now make the same hash as before and search for this hash in the database (with their username). This way you don't store their actual passwords.

Leon
+1 for "at least use a hash and a salt", -1 for "use MD5". It's 2010 and MD5 is, for password hashing, dead. Use at least one of the SHA-2 functions, please.
Piskvor
thank you, this has been a great help. My thinking process stopped after the user entering a password and getting an encrypted one from the database so I didn't really think of encrypting the entered password and comparing. Thanks
Daniel Hanly
Also, `$yoursalt` should be per-user, not per-site; this is not mentioned explicitly in your answer.
Piskvor
+3  A: 

Hashing the password to MD5 or SHA1 is an important part of web security. The way to then match the passwords is to first retrieve the hashed password from the DB using the supplied username, hash the user-supplied password and then match the two hashes. Since MD5 and SHA1 are one-way hashes, it does mean that you cannot retrieve the current password if a user has lost it. A new password needs to be recreated. You can get around this by using PHP's mcrypt() functions.

You should also allow special characters in passwords. This just adds to complexity in brute force attacks.

You can also lock an account for a certain period after 3 incorrect tries and even go so far as to lock an IP address after 10 tries. Although the latter falls under the category of 'tar pits'. Just makes things a little bit more difficult for hackers.

Meloth
thank you. I'm attempting to use some encryption now, as I said on the answer above, my thinking didn't extend to encrypting the entered password and comparing :( Thanks for being very clear with your answer, so many people would just throw a lot of jargon my way, and being inexperienced (I'm only 22) it wouldn't be the best way to learn
Daniel Hanly
mcrypting a password is extremely dangerous as it is reversible. No password securing method should be reversible.
MRW
+1  A: 

I always use a user specific salt when generating passwords, so my 'users' table has two fields 'encrypted_salt' and 'password'

the top and bottom of it is that I sha1(encrypted_salt + 'password');

When generating the encrypted_salt I would use sha1(uniqid(true)); which generates almost a 100% unique salt as it uses time to milliseconds with extra entropy (salt) of its own. The likelihood of getting a duplicate is virtually 0.

So:

// uniqid()'s first parameter is the prefix; the extra-entropy flag is the second
$salt = sha1(uniqid('', true));
$password = sha1($_POST['password']);

store in the DB as:

$pw = sha1($salt.$password); or sha1($password.$salt);

It doesn't really matter.

The beauty of SHA1 is that it will always generate a 40 character string. The more you can salt the string the better, especially if you can generate a unique salt for each password.

MRW
I considered basing the salt on an encrypted version of the username + id of the user, would you also consider this viable?
Daniel Hanly
yes, as the id (pc) of the user SHOULD always be unique, as a best practice I always use some kind of timestamp in the hash so you can use microtime(true) or time() or uniqid() as the likelihood that 2 users are added at exactly the same millisecond, especially since PHP doesn't handle multithreading. But username.id would be fine especially hashed.
MRW
With hashing, sha1 vs md5 is personal preference I think. I always use sha1() but md5 is just as good!
MRW
I cannot stress how important it is to NOT use a global salt. Always a user based salt.
MRW
that's a case of, if the hacker gets the salt, it gets the access, I'll be building a nice secure salt unique to every user :)
Daniel Hanly
+1  A: 

As far as your SQL goes, don't use a string-munging function like mysql_real_escape_string that can still allow injection attacks to occur under some circumstances. Use parameterised queries, thus ensuring that the database treats all user-supplied strings as data, under ALL circumstances, and not possibly as SQL code fragments.

The MySQLi and PDO libraries in PHP both support parameterised queries.

Cheekysoft
Thank you, how would I implement these libraries into my code? How would I execute a parameterised query?
Daniel Hanly
There's a giant amount of documentation and tutorials around on this. Here's one http://forum.codecall.net/php-tutorials/12442-php-5-mysqli-prepared-statements.html
Cheekysoft
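
Added example (not code from any answer or comment above): a registration and login flow that combines the two points made in this thread, parameterised queries and a per-user salted password hash. It uses PDO with PHP's built-in password_hash() / password_verify() instead of the md5()/sha1() constructions shown in the answers. Assumptions: an in-memory SQLite database stands in for the asker's MySQL server (only the PDO DSN would differ), and the table, column and function names are hypothetical.

```php
<?php
// Assumption: in-memory SQLite stands in for MySQL; names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random per-user salt and embeds it, together
    // with the algorithm and cost, in the returned string, so no separate
    // salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders (?) keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Look the row up by username only; the hash is fetched, not queried on.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // password_verify() re-hashes the candidate with the salt stored inside
    // $stored and compares the results in a timing-safe way.
    return password_verify($password, $stored);
}

// Constructed sample input: two users who happen to pick the same password.
register($db, 'alice', 'correct horse battery staple');
register($db, 'bob', 'correct horse battery staple');

// Valid credentials, then a wrong password, then a quote-laden username that
// is bound as data and therefore simply matches no row.
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, "alice' OR '1'='1", 'anything'));

// Because each hash carries its own salt, identical passwords are stored
// as different strings.
$hashes = $db->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
```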