[nycphp-talk] Question about encryption
Brian Pang
bpang at bpang.com
Tue Jul 8 16:08:28 EDT 2003
When I have to auto-gen passwords, I typically base them off of some
other required information and encrypt/encode them one way or another
(and use a substring thereof) (depends if I need to be able to decrypt
them or not).
Like this, or some variation:
$passGenStr = $ID . $firstName;
$generatedPassword = substr(base64_encode($passGenStr), 3, 12);
at least this way it's (nominally) harder to figure out which part of
the base64_encoded string you've used.
Of course, somebody could figure out some way to decode them or reverse
engineer the process.
I would certainly never store them in the database without some form of
encryption/encoding (again, it depends if I need to be able to decrypt
them or not) regardless of what method I used to auto-gen the password
in the first place.
I would certainly advise against the method described in your original
email as it is far too easy to figure out.
Still, there is the issue of interception, but that's something else
entirely.
> If you really need to make your auth process virtually hack-proof, you
> should use SSL. I've never used PHP's OpenSSL functions, but you might want
> to check into it if that type of security is warranted.
>
> The username/password scheme that has been chosen is just adding to the
> probability that unauthorized access will occur, but maybe you want to
> create a system where users can modify their own passwords, or use another
> service to authenticate against a more secure user database. For example,
> permissioning a group of users to access an FTP directory, then trying the
> connection using PHP's FTP functions against the FTP service. On NT, this is
> nice because you don't have to maintain another user database, and users can
> change their domain passwords whenever they want (and it would filter down
> to your app automatically).
>
> As for passing user id's around, why not use sessions? They are easier to
> work with and provide a little more security in that the user's credentials
> aren't floating back and forth (although it doesn't address session
> hijacking).
>
> Hope it gives you some ideas.
>
> -----Original Message-----
> From: Joshua Glenn [mailto:wheelie at acedsl.com]
> Sent: Tuesday, July 08, 2003 11:52 AM
> To: NYPHP Talk
> Subject: [nycphp-talk] Question about encryption
>
>
> Hey All,
>
> I'm working on a site and the client has made the username and password for
> members of the site a combination of their ID and lastname. I know, it's
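As an added example (not code from Brian's post or from the original poster), the PHP below puts the derived scheme quoted above next to a random password and one-way hash storage, to show why a value built from ID plus name is recomputable by anyone who knows those two fields. The variable and function names, and the sample member, are assumed for this illustration.

```php
<?php
// Added example, not from the original thread. Requires PHP 7+ for
// random_bytes() and password_hash().

// The scheme from the post: deterministic. Same ID and first name
// always yield the same password, and both inputs are often public.
function derivedPassword(string $ID, string $firstName): string
{
    return substr(base64_encode($ID . $firstName), 3, 12);
}

// Alternative: 12 bytes from the CSPRNG, base64url-encoded (16 chars).
// Nothing about the member predicts this value.
function randomPassword(int $bytes = 12): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Storage: keep only a one-way hash. Verification never needs decryption,
// so a database leak does not hand out the password itself.
function storeHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkLogin(string $supplied, string $storedHash): bool
{
    return password_verify($supplied, $storedHash);
}

// Constructed sample member (hypothetical values).
$ID        = '1042';
$firstName = 'Joshua';

$weak   = derivedPassword($ID, $firstName);
$weak2  = derivedPassword($ID, $firstName);   // identical: no secret input
$strong = randomPassword();
$hash   = storeHash($strong);

printf("derived password:  %s (recomputed again: %s)\n", $weak, $weak2);
printf("random password:   %s\n", $strong);
printf("stored hash:       %s\n", $hash);
printf("login with random: %s\n", checkLogin($strong, $hash) ? 'ok' : 'rejected');
printf("login with derived: %s\n", checkLogin($weak, $hash) ? 'ok' : 'rejected');
```

The derived value prints the same twice because the scheme has no secret input; the random one is issued once and only its hash is retained.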