Mar 3 2008

Hack the Password !!!


Recheck the first PHP program you wrote with database backend support. Is there a password-storing field in it?

If so, you probably saved the password in plain text, without any encryption or hashing, right? If not, you are a genius programmer by birth. What would happen if your database leaked, or somebody hacked it, after you hosted your website and a lot of users registered or submitted their accounts with passwords? You are trapped. The hacker can access the user accounts by acquiring the passwords (saved without any encryption). The users can sue you for exposing their passwords in the open. So beware of this way of saving passwords when doing a big project that is hosted for huge public usage.

Then what are the mechanisms for saving passwords in a database?

One is to save the password after digesting or hashing it, and then, when rechecking the account at login, compare the hash of the entered password with the hash stored in the database. For that, in PHP you can use this function:

<?php $hash_password = sha1($password); ?>

Is this method enough for full security? No, never. For example, if you already know somebody's password, say Sanjay's password is "access", and you get hold of the database, you will get the hash-encoded string of the password "access". Suppose "XYZ123#@!" is the hashed password obtained from the database. Then you can reverse-compare whether any other user has the hash text "XYZ123#@!", and thus you get the password of that particular user too. Hacked again!!!

How to avoid this? The solution is salting. Add some salt (a random string) to the current password, hash the whole thing and save it in the database. Remember to save the salt value too, in another field of the table, for rechecking at account login. Then for the same password, say "access", you will get different hash digests. Thus the reverse comparison from a known password is avoided.

<?php
$salt = rand(1000, 99999);                 // per-user random salt, stored in its own column
$hash_password = sha1($password . $salt);  // digest of password + salt
?>
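As an added example (not code from the original post), the following PHP script puts two users with the same password into an unsalted table and into a salted one, then runs a small audit that lists users whose stored digests are identical. The user names and passwords are constructed sample data, and random_bytes() (PHP 7 or later) is used for the salt instead of the post's rand().

```php
<?php
// Added example, not code from the original post. It shows the weakness
// described above: with plain sha1, every user who chose the same password
// gets the same stored digest, so one known password exposes all of them.
// A per-user salt makes the digests differ. The user rows are constructed
// sample data; random_bytes() (PHP 7+) replaces the post's rand() for the salt.

// Constructed sample users: two of them chose the same password.
$plain = [
    'sanjay' => 'access',
    'binny'  => 'access',
    'sajith' => 'letmein',
];

// Table A: unsalted, exactly as in the first snippet of the post.
$unsaltedTable = [];
foreach ($plain as $user => $password) {
    $unsaltedTable[$user] = ['salt' => '', 'hash' => sha1($password)];
}

// Table B: a fresh random salt per user, saved in its own field next to the hash.
$saltedTable = [];
foreach ($plain as $user => $password) {
    $salt = bin2hex(random_bytes(16));
    $saltedTable[$user] = ['salt' => $salt, 'hash' => sha1($password . $salt)];
}

// Defender-side audit: group users by stored digest. Any group with more than
// one member means the table reveals which users share a password, which is
// the "reverse comparison" the post warns about.
function duplicateHashGroups(array $table): array
{
    $byHash = [];
    foreach ($table as $user => $row) {
        $byHash[$row['hash']][] = $user;
    }
    return array_filter($byHash, function (array $users) {
        return count($users) > 1;
    });
}

echo "Unsalted table, users sharing a digest:\n";
print_r(duplicateHashGroups($unsaltedTable)); // sanjay and binny fall into one group

echo "Salted table, users sharing a digest:\n";
print_r(duplicateHashGroups($saltedTable));   // same password, different digests: no group
```

Run it with `php audit.php`; the audit is the kind of check worth running against an existing users table before deciding whether a migration to salted storage is needed.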

Is this all enough for full security? You need not worry about the same salt being generated for the same password while creating the random salt value. The probability of that is .00000…followed by 1000000 zeros…1. Meaning never.

But we are not taking any risk. Add some more information to the password before hashing it. Generate a global constant string known only to the programmer, say &555$34E$, and call it the Global pattern. Append this string as well to the password+salt string before hashing. This will create a more secure digest for your password. Remember, never forget or lose this Global pattern, otherwise you can never check the login password later. (It is not like the salt, whose value is there in the database table.)

<?php $hash_password = sha1($password . $salt . auth::GlobalPattern()); ?>

Enough… No one can hack your passwords now, even if he gets your database. Okay.
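Below is an added, complete PHP example (not the post's own code) of registration and login with the salt-plus-Global-pattern scheme described above; it also walks the six login steps that Sajith spells out in the comments further down. The auth class and its GlobalPattern() value, the in-memory $table that stands in for the database, and the user names are all made up for the example; random_bytes() supplies the salt instead of rand(), and hash_equals() does the final comparison.

```php
<?php
// Added example, not the post's code. Registration stores a per-user salt and
// the digest sha1(password . salt . GlobalPattern); login recomputes the
// digest from the entered password and compares it with the stored one.
// $table is an in-memory stand-in for the users table (constructed data).

class auth
{
    // Placeholder value for the example. In a real deployment this string
    // lives only in application configuration, never in the database.
    public static function GlobalPattern(): string
    {
        return 'REPLACE-WITH-YOUR-OWN-SECRET-PATTERN';
    }
}

// The post's formula: digest of password + salt + Global pattern.
function digest(string $password, string $salt): string
{
    return sha1($password . $salt . auth::GlobalPattern());
}

// Registration: random salt, digest, and both fields saved in the table row.
// random_bytes() (PHP 7+) is used here instead of the post's rand().
function register(array &$table, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));
    $table[$username] = ['salt' => $salt, 'password' => digest($password, $salt)];
}

// Login check, following the steps listed in the comments:
// 1) fetch the saved salt, 2-3) recompute the digest from the entered
// password, 4) fetch the saved digest, 5-6) compare and decide.
function login(array $table, string $username, string $password): bool
{
    if (!isset($table[$username])) {
        // Unknown user: still compute a digest so the response time does not
        // differ between "no such user" and "wrong password".
        digest($password, 'no-such-user');
        return false;
    }
    $row = $table[$username];                  // step 1 and step 4: salt + saved digest
    $hash_password = digest($password, $row['salt']);  // steps 2-3
    // Step 5-6: constant-time comparison of the two digests.
    return hash_equals($row['password'], $hash_password);
}

$table = [];                                   // constructed stand-in for the users table
register($table, 'Sanjay', 'access');
register($table, 'Binny', 'access');

var_dump(login($table, 'Sanjay', 'access'));   // correct password
var_dump(login($table, 'Sanjay', 'acces'));    // wrong password
var_dump(login($table, 'Nobody', 'access'));   // unknown user
// Same password for both users, yet different stored digests because the salts differ:
var_dump($table['Sanjay']['password'] === $table['Binny']['password']);
```

One caveat on the digest function itself: sha1 is a fast hash, so even with a salt and a Global pattern each stored digest can be brute-forced quickly if the pattern is ever exposed. From PHP 5.5 onward the built-in password_hash() and password_verify() (bcrypt by default, with the salt generated and stored for you) are the functions to use for new code.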

(Saving encrypted passwords also helps to avoid SQL injection.)

Okay, enjoy programming.

Yours, Sajith


7 Comments on this post


  1. Binny V A said:

    Could you include the login code as well - I am not sure how to check the password with a random salt. You will need the same salt when you are authenticating.

    And why are you naming the variable $md5_password? You are using sha1 - so it should be called $sha1_password.

    March 3rd, 2008 at 8:45 pm
  2. Sajith M.R said:

    Hi Binny,
    $md5_password was a mistake that happened while copy-pasting. I have edited that in the article now. And about the checking at login, see below.

    The salt is created randomly, but you have to save this salt in another field in your database table (as I mentioned in this article). So at login check, what you have to do is:
    1) Get the saved salt from the database table. (Select salt from table where username = 'Sanjay');

    2) Recreate the hash from the user-entered password, say $password.

    3) Calculate the hash digest from the former formula.
    <?php $hash_password = sha1($password . $salt . auth::GlobalPattern()); ?>

    4) Get the saved hash, say $saved_hash, from the table (Select password from table where user = 'Sanjay');

    5) Compare both: $hash_password and $saved_hash.

    6) If both are equal, login; else invalid password.

    Thanks
    Syth

    March 4th, 2008 at 12:36 am
  3. Binny V A said:

    Great! Thanks for clearing that up

    March 4th, 2008 at 2:55 pm
  4. Babu Syed said:

    I like the window showing the visitor's location on a map. How can I get it for my page?
    BS at psbabusyed@gmail.com

    March 19th, 2008 at 5:55 pm
  5. peeto said:

    select u.user from table as u where u.password = sha1(concat('access', u.salt, 'hackedglobalpattern'));

    May 23rd, 2008 at 6:10 am
  6. Ford said:

    Hi. I am a hacker. I can get you an aol, yahoo, myspace, facebook, gmail… etc. password. I do charge a fee to get a password though. Once I do get the password I'll show you proof I have it. Are you interested? E-mail me at Fordf202006@yahoo.com

    August 19th, 2008 at 4:47 am
  7. Chetan said:

    Currently databases are the most targeted objects by hackers, it is really important to keep them safe.

    November 30th, 2008 at 4:52 pm
