[FIX] save passwords encrypted

UND3RW0RLD · 12/11/2013, 14:52

Hey because of jds post, I want all P-Server owner to check their signup and login pages. Passwords have to be saved encryped!!

If you save them as plain text put this in (you need to modify this to your cms)

First of all the SQL-Queries

Code:

ALTER TABLE `users` DROP COLUMN `password`;
ALTER TABLE `users` ADD `passhash` varchar(32);
ALTER TABLE `users` ADD `secret` tinyblob;

dosignup-part

PHP Code:


			
$wantpassword = $_POST["password"];
$secret = mksecret();
$wantpasshash = md5($secret . $wantpassword . $secret);

modify the the INSERT INTO users query,
delete password. replace it with passhash and secret to make it loke like that

Code:

INSERT INTO users (username, passhash, secret, ... VALUES (" .
		implode(",", array_map("sqlesc", array($wantusername, $wantpasshash, $secret, ...

dologin-part

PHP Code:


			
 // change $row with your var
$password = $_POST["password"];
if ($row["passhash"] != md5($row["secret"] . $password . $row["secret"]))
    die();

global_included.php

PHP Code:


			
function mksecret($len = 20)
{
    $ret = "";
    for ($i = 0; $i < $len; $i++)
    $ret .= chr(mt_rand(0, 255));
    return $ret;
}

Sήøwy · 12/11/2013, 14:57

I'm already having my own encryption for login data, but thanks for your time.

Luffa · 12/11/2013, 15:08

Nice that you took your time to make something for the newbies to use.
But as i can see and think, is that you are comparing passwords after the sql query call, isn't that harmfull to the system?

Anyways thanks, and as snowy i'm using my own system for encryption, usin mcrypt and random salts.

Best Regards RQ

UND3RW0RLD · 12/11/2013, 15:20

I think this is important for our own security. They handle with userinformations (email, password) and we need to trust the serveradmins to keep it safe.

To compare the logindata it's required to get sth from the database. xD (Yes there are possibilities to outsource the usermanagement-part to a filebased-database, but if someone want sth like that, they need to PN me and give me money.)

Luffa · 12/11/2013, 15:40

Quote:

Originally Posted by ǝnd1ǝss-ɯonǝʎ

To compare the logindata it's required to get sth from the database. xD (Yes there are possibilities to outsource the usermanagement-part to a filebased-database, but if someone want sth like that, they need to PN me and give me money.)

Here is something i made when i was in a company-practice about 2 years ago, but it is using a static salt(a bit old script but it should work).
It's using PDO (i love pdo<3).

Login progress:

PHP Code:


			
$cypher = "CryptSaltKey";
 $query = $db->prepare("SELECT CAST(AES_DECRYPT(password, :cypher) AS CHAR) AS password, id, name, company, address, zip, city, email, dealer_type, discount_id, forceupdate FROM customers WHERE CAST(AES_DECRYPT(password, :cypher) AS CHAR) = :pass && email = :email");
$query->bindParam(":cypher",$cypher);
$query->bindParam(":email",$email);
$query->bindParam(":pass",$hpass);
       
       if($query->execute())
{

}

Registration Encrypt Using MCrypt

PHP Code:


			
<?php

class Encryption {

protected $key = "CryptSaltKey"; 
    protected $td;

 private function _encrypt($plaintext) {
        $plaintext_utf8 = $plaintext;
        $pad_len = 16 - (strlen($plaintext_utf8) % 16);
        $plaintext_utf8 = str_pad($plaintext_utf8, (16 * (floor(strlen($plaintext_utf8) / 16) + 1)), chr($pad_len));
        mt_srand();
        $this->td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
        @mcrypt_generic_init($this->td, $this->key, false);
        $ciphertext = mcrypt_generic($this->td, $plaintext_utf8);
        mcrypt_generic_deinit($this->td);
        return $ciphertext;
        }
}
?>

Best Regards RQ