Re: Secure Login Form

[cory () spydertechsolutions com]

If it were me, I would use a database such as PostgreSQL or MySQL or
something to store a username and the SHA1 hash value of the password.
Then use something like the following:

http://www.movable-type.co.uk/scripts/sha1.html

to take the password from the webform and hash it using the SHA1 algorithm
before passing it to the database for a check via a PHP file. I chose the
SHA1 algorithm because MD5, while common, is fairly easy to crack if
someone gets ahold of the MD5 hash. SHA1 is more robust (someone correct
me if I am wrong in this).

I have also heard of people taking a SHA1 hash and doing other things to
it prior to storing/checking it in order to increase the level of
security--this way if someone does crack one of the hash values, they will
still not be able to get in based upon some other check. I wish I had more
details than that--that is a subject that I have not researched very
extensively. Perhaps another on the list can provide a good solution for
additional processing of the hash.

Thanks,

Cory Swanson
Director - Spyder Technology

> First of all, I have very limited experience with web development and
> programming. That being said, I have been tasked with creating a secure
> login form. What I need to accomplish is the following:
>
> 1.the user registers their user name and password, and then provides an
> access code to prove they have bought the product and should have access
> to
> the site.
> 2. The user then enters their username/password into the form in order to
> login.
> 3. Upon returning to the site, the username and password should be
> remembered and the user should not have to enter these again.
>
> I have been looking at various ways to create the login from (php,
> javascript, etc.) but I am concerned about the security provided. For
> example, the simple examples of javascript logins expose the password by
> looking at the page source. Since I am a new to web development, I do not
> feel confident enough to create my own form. Each user needs to have their
> own unique username/pass combo as well. Can anyone suggest some examples
> or
> point me to a resource to get me started?
>
> Also, this site has not been built yet and this is the first thing they
> want done. I need some ideas for generating the access code and then
> keeping track of which code has been assigned to which user. I was
> thinking
> of using a random number generator to assign the codes. I am assuming this
> will also mean that I need a secure way of checking the database for the
> code and returning the data? Should https be implemented here?
>
> Thanks in advance for any advice offered. Being new to these technologies,
> I thought I should run everything by those more seasoned.
>
> Blake