Member Avatar for andydeans

hi,

i have applied sha1 encryption to my update password page for users and it is encypting into the database fine.

however i have a script that should at login check the encrypted sha1 password in the database and login however it does not work. i am not great with php and this is a script on an existing site i am working with: the code line for the password is:

columnValues" => explode($WA_Auth_Separator,"".((isset($_POST["username"]))?$_POST["username"]:"")  ."".$WA_Auth_Separator."".WA_SHA1Encryption(((isset($_POST["userpassword"]))?$_POST["userpassword"]:""))  ."")

"
can anyone see anything wrong with this line that would help?

many thanks

  • 5 Contributors
  • 11 Replies
  • 152 Views
  • 3 Weeks Discussion Span
  • Latest Post Latest Post by andydeans
Member Avatar for sithembisophp

I am not really sure what you are trying to do, but I think you are comparing the password provided by the user (

$_POST['userpassword']

) with the sha1'ed one saved in the database.

Well, I have tried that before but with no success because even though the password can be right, those are completely different strings. They will not match unless you decrypt the one stored on the database (which I do not recommend).

What I usually do is that I sha1encrypt

$_POST['userpassword']

and then compare it to the one stored in the database. Make sure you use the same encrypting method, otherwise it will produce different results. If you could encrypt the first one, I do not think you will have a problem ecrypting the one provided by the user.

I'm not sure if I am completely of the line here, but I hope that helps.

Member Avatar for FlashCreations

Props to you for using something other than MD5.
Now on to business. The basic way to validate a password stored in a database is to use a one way encryption such as SHA1. This involves hashing the password the user provides at registration and storing it in a database. To check if login credentials are valid, simply run the given password through the same hash function and compare the hashes. If the hashes are the same, the passwords match.

The code snippet you provided is not valid, nor does it validate. Please provide a better snippet that shows your problem.

Member Avatar for andydeans

thanks i have managed to resolve this, the issue i had was i was encrypting the wrong value at registration.

i have now updated and can register the user and allow them to login securely.

i take it going with your comment sha1 is better than md5? i am trying sha1 after reading about md5 having major security flaws?

thanks

Member Avatar for andydeans

only one thing i would have like to have been able to do is email the un encrypted password?

how do you unencrypt the sha1 encryption to send the user friendly password for my forgot password page?

thanks

Member Avatar for mschroeder

In the short and simple, you don't.

sha1 is a hashing function not encryption. It is designed to only work in one direction. e.g. 'dog' => 'e49512524f47b4138d850c9d9d85972927281da0'

If you require the ability to decrypt an encrypted string then you will need to use an encryption package like openssl or mcrypt.

In your case to send a plain-text password you could store it to a variable prior to hashing it. Then you could send the unhashed string to the user.

Member Avatar for andydeans

hi,

thanks i will give this a go evstevemd, thanks also to the others.

one final thing on this, is sha1 the best form of encrypting/hashing passwords other than paying for an ssl certificate?

many thanks

Member Avatar for andydeans

just following on from my last comment, i have looked around on some other sites regarding this and would appreciate anyone who could break it down to me and i suppose other new php developers the differences of sha1, md5 and salt encryption?

in basic terms.

i have seen some say never to use hashing etc and not sure what is the most secure way to have passwords stored in the database?

many thanks

Member Avatar for mschroeder

There are a lot of very informative threads on this topic on this very forum. But I'll elaborate on my previous statement.

Hashing is not encryption. SHA1 and MD5 are hashing algorithms. You pass them data and they generate a unique hash from that data. There is no magic function that turns the hashed value back into your data. However, MD5 has proven to be an ineffective hashing algorithm for quite some time, due to collisions e.g. two unique strings that generate the same hash. There have also been breakdowns in the SHA1 algorithm to my understanding. Both of those algorithms should be avoided in my opinion in lieu of better algorithms such as sha-256, sha-512, whirlpool etc.

Salting a hash means to append or prepend (or both) some form of trivial data to make the hash more complex. So lets say our salt is 'a1b2c3d4f5' and our user chooses the password of 'test'. When you hash just the password of 'test' => (a94a8fe5ccb19ba61c4c0873d391e987982fbbd3), you've created a hash that probably exists in a rainbow table (a database of strings and their hashes) because the hashed string is so common. If you append or prepend the salt to it. The string that gets hashed is now: 'a1b2c3d4f5testa1b2c3d4f5' => (c297373704eebdd3154872d23a7eb1a27f751e99). So our 4 character string is now a 24 character string of mostly gibberish. Essentially if your database was compromised the theory is by salting your hash with nonsense you've created a more secure hash that an attacker won't be able to reverse with a rainbow table. To take this another step further often the hash is then hashed x more times. Keep in mind hashing passwords does not prevent someone from attacking your site's frontend.

When you talk about encrypting a string, it means you're running it through an algorithm that is designed to be reversible. In php this would be done with mcrypt or openssl. Mcrypt uses a Symetric-key (http://en.wikipedia.org/wiki/Symmetric-key_algorithm) algorithm, the same key for encryption and decryption. Openssl provides us with an asymetric-key algorithm (http://en.wikipedia.org/wiki/Public-key_cryptography) among many other options. OpenSSL does not require one to purchase an SSL certificate as you can generate your own private/public certificates directly with openSSL.

SSL certificates themselves have no bearing on whether you should be hashing or encrypting your passwords. They simply provide a secure encrypted channel of communication between the user's browser and the server.

In my opinion passwords should always be hashed. There is no reason to have a plain-text password stored in your database. That is only asking for an attacker to compromise your site and steal all of your user's passwords.

commented: brilliant +2
Member Avatar for Stefano Mtangoo

hi,

one final thing on this, is sha1 the best form of encrypting/hashing passwords other than paying for an ssl certificate?

Have you heard of salting?
MD5/SHA1 with salting should be okay. In many cases people just use MD5 hashing algorithm

Member Avatar for andydeans

mschroeder,

what can i say that was a great post reply.

thanks so much for taking the time. i appreciate it.

i will look more into open ssl.

so really to have a secure site without costing too much, open ssl, hashing passwords and we should be sorted then?

i will look at other sha version you mentioned about implimenting.

many thanks again

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.