
-----------------------------------
pyrnight
Tue Dec 18, 2007 10:25 pm

How to really make a secure login.
-----------------------------------
This is a secure php login based on using a salt to add security to hashes. Of course sha1 would be an algorithm to use here, but for simplicity I will leave it out.

How this works is like this:

When the user registers for the page, they are given a long, randomly generated "Salt" that is unique to their username. The salt is then added to the password, then all that is hashed. If your password was ABC123, a bruteforcer will get that pretty easily if your md5 hash was discovered. Now, if your hash was ABC1239ga8932ti9hgga9831h8, it would probably take a few million years to bruteforce that hash. Many sites use this technique, but the problem is, if your "salt" (added part of the password which is then hashed) is the same for all your users, then all it takes is for the attacker to find out your salt, and then he instantly has all of your users.

Having a random salt unique to each user would make cracking a large list of usernames and passwords almost totally impossible, and not worth the effort to even try. I could almost give away passwords generated by this, and because they don't know each individual salt, they would never find the plaintext password.

I hope this all makes sense. If you are unclear about something just ask :D


Register.php

$rUser = strip_tags($_REQUEST



Login.php


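The Register.php and Login.php code in the post above is cut off, so here is an added example (written for this page, not pyrnight's code) of the scheme the post describes: each user gets a fresh random salt at registration, the salt is hashed together with the password, and login recomputes the hash with that user's stored salt. It assumes a plain PHP array standing in for the users table and uses SHA-256 rather than the post's md5(); the function names (makeSalt, hashPassword, registerUser, loginUser) and the sample users are constructed for the example.

```php
<?php
// Added example of per-user salted password hashing (not the original post's code).
// A plain array stands in for the database table of users.

declare(strict_types=1);

// Produce a fresh random salt for one user: 16 random bytes as 32 hex chars.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

// Hash salt + password. The post uses md5(); SHA-256 is used here instead
// because MD5 is no longer suitable for password storage.
function hashPassword(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Register.php equivalent: store username, salt and hash, never the password.
function registerUser(array &$users, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return false; // username already taken
    }
    $salt = makeSalt();
    $users[$username] = [
        'salt' => $salt,
        'hash' => hashPassword($salt, $password),
    ];
    return true;
}

// Login.php equivalent: recompute the hash with the stored salt and compare
// in constant time so timing differences do not leak how many bytes matched.
function loginUser(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown user takes about as long as a bad password.
        hashPassword(makeSalt(), $password);
        return false;
    }
    $row = $users[$username];
    return hash_equals($row['hash'], hashPassword($row['salt'], $password));
}

// Demonstration with constructed sample users.
$users = [];
registerUser($users, 'alice', 'ABC123');
registerUser($users, 'bob', 'ABC123'); // same password as alice

// Same password, different salts, so the stored hashes differ:
// an attacker who recovers one user's salt learns nothing about the others.
var_dump($users['alice']['hash'] !== $users['bob']['hash']);
var_dump(loginUser($users, 'alice', 'ABC123'));
var_dump(loginUser($users, 'alice', 'abc123'));
var_dump(loginUser($users, 'carol', 'ABC123'));
```

In a real Register.php the username and password would come from the request (as the post's strip_tags($_REQUEST...) line begins to do) and the row would be written with a prepared statement. Note also that PHP 5.5 and later ship password_hash() and password_verify(), which generate a per-user random salt and use a deliberately slow hash (bcrypt); for new code those two functions replace everything above except the storage.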