Password hashing

kmd
4
Hi
I made a simple script and an admin panel. The login and password are in the config.php file. I'm using a form to log in. My question is: is the security of this code high, low, or medium? :)

In config.php I have something like this:
[PHP]
$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)
[/PHP]

And in another file (used to log in):
[PHP]
if (($login == $_POST["login"]) && ($password == sha1(md5($_POST["password"])))) {
    $_SESSION['admin'] = 'true';
}
[/PHP]
Is it safe or not? At first I had the unhashed password in config.php and I could easily use include to read it.
Now of course I can use include and echo $password, but I will only see the hashed password.
Mar 23 '08 #1
ronverdonk
4,258 Expert 4TB
When you store the password in the config file, make sure you store it in a hashed format and not as you showed. Because your way, anyone who can reach config.php knows the password.

Another thing is to test the strength of a password. TEST is a very weak password and can be guessed easily.

Then, if you also store the config.php outside the document root, you are moderately safe.

Ronald
Mar 23 '08 #2
Markus
6,050 Expert 4TB
As I always say, using a database makes things so much easier!

Regards, markus.
Mar 23 '08 #3
kmd
4
Yes, you're right.
But I'm the only user, so in my opinion using a database makes everything more difficult. I have to create tables, then a file to register the user, and then I have to keep one user in one table in the database. It's like wasting database space :) And now I'm looking for some safe method to make an admin panel based on the config.php file. If I don't find any, I will add user registration to my script :)
Mar 23 '08 #4
ronverdonk
4,258 Expert 4TB
Database or not, that is trivial (in this case). But you are most vulnerable by these 2 statements:
[php]
$login = 'admin'; // Login to admin panel (change it)
$password = sha1(md5('test')); // Admin password (change it)
[/php]
Here your userid and password are up for grabs (so to speak).

So hash/encode these values and store them in your config file as a hashed string.

Ronald
Mar 23 '08 #5
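An added example of what Ronald is recommending (not code from this thread): config.php keeps only a precomputed hash and the plaintext never appears in it. It swaps the thread's sha1(md5()) for password_hash()/password_verify() (PHP 5.5 and later, so not available to the 2008 posters) and uses hash_equals() for the comparison; the file names login.php/admin.php and the function names are assumptions.

```php
<?php
// Added example, not code from the thread.
// Step 1 (run once, from the command line): turn the chosen admin password
// into a hash and paste ONLY the hash into config.php. The plaintext never
// reaches the config file, which is what Ronald's advice amounts to.
function configLineForPassword(string $plaintext): string
{
    // bcrypt via password_hash(): salted and slow; the salt is kept inside the hash
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    return "\$passwordHash = '" . $hash . "';";
}

// Step 2 (login.php, assumed file name): compare the posted credentials with
// the values loaded from config.php. hash_equals() keeps the username check
// constant-time; password_verify() reads the salt out of the stored hash.
function checkAdminLogin(string $storedLogin, string $storedHash,
                         string $postedLogin, string $postedPassword): bool
{
    $loginOk    = hash_equals($storedLogin, $postedLogin);
    $passwordOk = password_verify($postedPassword, $storedHash);
    return $loginOk && $passwordOk;   // evaluate both, then decide
}

// Step 3: what the login handler does with the result. $login and $passwordHash
// are the two variables config.php defines; login.php calls session_start() first.
function handleLoginPost(string $login, string $passwordHash): void
{
    $postedLogin    = (string)($_POST['login'] ?? '');
    $postedPassword = (string)($_POST['password'] ?? '');
    if (checkAdminLogin($login, $passwordHash, $postedLogin, $postedPassword)) {
        session_regenerate_id(true);     // fresh session id after login
        $_SESSION['admin'] = true;       // a boolean, not the string 'true'
        header('Location: admin.php');   // assumed admin page
        exit;
    }
    echo 'Login failed.';                // same message whichever part was wrong
}

// Command-line demonstration: build the config line, then verify against it.
if (PHP_SAPI === 'cli') {
    $line = configLineForPassword('correct horse battery staple');   // constructed sample
    preg_match("/'(.*)'/", $line, $m);
    $storedHash = $m[1];
    echo $line, PHP_EOL;
    var_dump(checkAdminLogin('admin', $storedHash, 'admin', 'correct horse battery staple'));
    var_dump(checkAdminLogin('admin', $storedHash, 'admin', 'test'));
}
```

Run it with the PHP CLI to see the line that belongs in config.php; the two var_dump calls show a correct and a wrong password checked against the same stored hash.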
kmd
4
OK
Thanks very much. It's really useful. Now I know what I have to do to increase security.
But I have one more question.
Why in many popular scripts (blogs, CMSs) is the information for the database (like host, password, database name, and username) in config.php and not hashed?
Does it mean that they are not safe? Because if the login and password in my case are up for grabs, then the data for the database connection is up for grabs also, isn't it?
Mar 23 '08 #6
ronverdonk
4,258 Expert 4TB
Usually you are either protecting the config folder using .htaccess or it is in a folder that is outside the document root.

Ronald
Mar 24 '08 #7