views: 32

answers: 2

I have to create a login module (the question is not language specific) but I am not sure how I will validate the user. Where and how will I store the passwords? Will I have to encrypt and decrypt my passwords, and if yes, what are the best suggested ways to do that? Overall I need to know what all things I need to take care of for developing a login module where a user can log in securely to access my site.

A: 

Yes. Sure, you need to encrypt users' passwords. Because most of the users use the same password on almost all sites. At that time they do not want to show the passwords to the admin. And another reason is that most of the time the site DB may be accessed not only by the admin, but by some other technical persons in the organization. So it is better to encrypt the password. SHA1 is the best way to make the encryption.

Where and how will I store the passwords?

I am not sure what you mean by this. Everyone uses the database for it, like phpmyadmin.

vinothkumar
+3  A: 

You don't need to decrypt your passwords in order to validate them; just one-way encryption works fine for this. The idea is that when a user enters a password, you encrypt it the same way (using the same algorithm and "salt") and then compare with the encrypted one stored in your database. If they are equal, with a great probability it means it's the same original password. Thus you prevent anyone - the administrator or any attacker - from knowing the original passwords users use on your web site.

As for the rest, it's very simple: you have a table in your database which contains user logins, encrypted passwords, and possibly some profile information as well (full name, etc.).

I usually use the following function to hash user passwords:

$password_hash = sha1(MY_SALT_1 . $login_name . MY_SALT_2 .
    $password . MY_SALT_3);

where MY_SALT_* are arbitrary predefined strings, which could be e.g. 'the dark', 'side of', 'the moon' (or actually, the less related, the better).

mojuba
@mojuba sorry for being completely ignorant about this, but let's say the user entered a password, the form gets submitted and I receive the password from the request params. Now as per you I should encrypt it and compare it with the password in the DB, right? Or is it more than that?
sushil bharwani
First you take the login name and look it up in the database. Once you have found the row, you need to make sure the user entered the correct password. This is where you take the password you received from the form, hash it and compare it to the one stored in the database. If they are equal, it means the user entered the same password as when he/she registered with your web site. Obviously, when a user first registers with your web site you need to hash his/her password the same way.
mojuba
@mojuba so while the password travels from browser to server when the user is trying to log in, it's not encrypted; is it secure? Please don't mind if it sounds stupid.
sushil bharwani
Form data travels from the browser to the server unencrypted, unless you're using HTTPS. Now, you don't want to hash passwords in the browser (using JavaScript) because in this case you'd give away your hashing secrets, that is, the "salt" strings. So hashing should be done on the server anyway, but for improved security you probably want at least your login page to work via HTTPS: this is what most web sites do. But leave it for a later time; first implement everything on the server's side, as switching to HTTPS is a separate and unrelated issue.
mojuba
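The register / look-up / hash-and-compare flow mojuba describes, as an added example that is not code from the answer or the comments. It swaps the answer's fixed-salt SHA1 for PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison; the in-memory `USERS` dict is a constructed stand-in for the database table, and every name in it is an assumption.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the users table: login_name -> {"salt": bytes, "hash": bytes}.
# A real module would read/write this row in the database.
USERS = {}

# PBKDF2-HMAC-SHA256 iteration count: deliberately slow so that a stolen table
# cannot be brute-forced cheaply (hypothetical setting for this example).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of the password under this user's salt; never decrypted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(login_name: str, password: str) -> None:
    """Registration: draw a fresh random salt per user, store salt + hash only."""
    salt = os.urandom(16)
    USERS[login_name] = {"salt": salt, "hash": hash_password(password, salt)}


def login(login_name: str, password: str) -> bool:
    """Login: look the row up by login name, re-hash the submitted password
    with the stored salt and compare it to the stored hash."""
    row = USERS.get(login_name)
    if row is None:
        # Unknown user: still do the hashing work so the response time does
        # not reveal whether the login name exists.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, row["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, row["hash"])


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
    print(login("nobody", "anything"))                     # False
```

Because each user gets a different salt, two accounts with the same password end up with different stored hashes, so the table reveals nothing about shared passwords.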