Security Basics mailing list archives
Re: Secure Login Form
From: cory () spydertechsolutions com
Date: Wed, 16 Jan 2008 14:52:21 -0700 (MST)
If it were me, I would use a database such as PostgreSQL or MySQL or something to store a username and the SHA1 hash value of the password. Then use something like the following: http://www.movable-type.co.uk/scripts/sha1.html to take the password from the webform and hash it using the SHA1 algorithm before passing it to the database for a check via a PHP file. I chose the SHA1 algorithm because MD5, while common, is fairly easy to crack if someone gets ahold of the MD5 hash. SHA1 is more robust (someone correct me if I am wrong in this).

I have also heard of people taking a SHA1 hash and doing other things to it prior to storing/checking it in order to increase the level of security--this way if someone does crack one of the hash values, they will still not be able to get in based upon some other check. I wish I had more details than that--that is a subject that I have not researched very extensively. Perhaps another on the list can provide a good solution for additional processing of the hash.

Thanks,
Cory Swanson
Director - Spyder Technology
First of all, I have very limited experience with web development and programming. That being said, I have been tasked with creating a secure login form. What I need to accomplish is the following:

1. The user registers their user name and password, and then provides an access code to prove they have bought the product and should have access to the site.
2. The user then enters their username/password into the form in order to login.
3. Upon returning to the site, the username and password should be remembered and the user should not have to enter these again.

I have been looking at various ways to create the login form (php, javascript, etc.) but I am concerned about the security provided. For example, the simple examples of javascript logins expose the password by looking at the page source. Since I am new to web development, I do not feel confident enough to create my own form. Each user needs to have their own unique username/pass combo as well. Can anyone suggest some examples or point me to a resource to get me started?

Also, this site has not been built yet and this is the first thing they want done. I need some ideas for generating the access code and then keeping track of which code has been assigned to which user. I was thinking of using a random number generator to assign the codes. I am assuming this will also mean that I need a secure way of checking the database for the code and returning the data? Should https be implemented here?

Thanks in advance for any advice offered. Being new to these technologies, I thought I should run everything by those more seasoned.

Blake
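The "additional processing of the hash" Cory alludes to, worked as an added example (not code from either poster): each user gets a random salt, and the password is run through PBKDF2 over SHA1 with an assumed iteration count, so two users sharing a password store different values and a single cracked hash does not unlock other accounts. The in-memory `USERS` table, `ITERATIONS` and the sample usernames are constructed for this example; the real version would keep salt and hash in the database columns the post describes.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the (username, salt, hash) rows a real
# PostgreSQL/MySQL table would hold. Never store the password itself.
USERS = {}

ITERATIONS = 100_000  # assumption: work factor chosen for this example
SALT_LEN = 16         # bytes of random salt per user


def hash_password(password: str, salt: bytes) -> bytes:
    """SHA1, but salted and iterated via PBKDF2 instead of a bare SHA1 digest."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Create a fresh random salt for this user and store salt + derived hash."""
    salt = os.urandom(SALT_LEN)
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def shared_password_collides(password: str) -> bool:
    """Why the salt matters: do two users with the same password store the same hash?"""
    register("alice", password)
    register("bob", password)
    return USERS["alice"][1] == USERS["bob"][1]
```

The hashing runs on the server after the form is submitted over HTTPS; a hash computed in the browser and sent in place of the password would itself become the credential, so client-side hashing is not a substitute for TLS.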
Current thread:
- Secure Login Form Jonathan Askew JBASKEW (Jan 16)
- Re: Secure Login Form cory (Jan 16)
- Re: Secure Login Form Josh Haft (Jan 16)
- RE: Secure Login Form benoni.martin (Jan 17)
- Re: Secure Login Form Rodrigo Blanco (Jan 19)
- Re: Secure Login Form Joe Yong (Jan 21)
- <Possible follow-ups>
- Re: Secure Login Form krymson (Jan 17)
- Re: Secure Login Form MaddHatter (Jan 18)
- Re: Secure Login Form Bipin Upadhyay (Jan 19)