These are not PHP specific suggestions, but I see two big problems:

> 5.) Password is then encrypted using base64_encode()
> 6.)

You've confused encryption and encoding. Base64 encoding is trivial to decode, and fairly obvious to spot as well. All this achieves is that someone can't accidentally - before they avert their eyes - read the password while doing a "view source". But anyone who wants it can get it if they're given the base64 encoded representation. I wouldn't use this method - or a website that did.

> 8.) If no username is found, a message is sent to the end user stating
> the username does not exist.

Don't tell them whether it was the username or the password that was wrong. Doing so lets a hacker decompose a complex problem into two simpler problems. With your method, I would first keep trying until you confirm that I've guessed a valid username, then I can go about guessing the password. If I don't know which is wrong, the number of possibilities is increased geometrically.

Mike Morris
The Music Place
1617 Willowhurst Avenue
San Jose, CA 95125
(408) 445-ARTS (2787)

--
PHP Database Mailing List (http://www.php.net/)
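The two points above (base64 is reversible encoding, not encryption, and a login should not say which half of the credential was wrong) as an added PHP example, not code from the original poster or from this thread. It uses an in-memory user table and constructed sample credentials; `weak_store`, `strong_store`, `login` and the dummy hash are names chosen for this illustration, while `password_hash`, `password_verify`, `base64_encode` and `base64_decode` are standard PHP functions.

```php
<?php
declare(strict_types=1);

// The scheme from the original question: base64 is reversible and needs no key,
// so anyone who obtains the stored value recovers the password directly.
function weak_store(string $password): string
{
    return base64_encode($password);
}

function weak_recover(string $stored): string
{
    $decoded = base64_decode($stored, true);
    return $decoded === false ? '' : $decoded;
}

// What to store instead: a salted, deliberately slow, one-way hash.
// PASSWORD_DEFAULT is bcrypt on current PHP; the salt is embedded in the result.
function strong_store(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// One message for every failure, so an attacker cannot confirm usernames.
const GENERIC_FAILURE = 'Invalid username or password.';

// Hypothetical dummy hash (this example's own idea): when the username is
// unknown we still run password_verify against it, so the "no such user"
// path takes about as long as a real check and does not leak via timing.
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * @param array<string,string> $users username => password hash
 * @return array{ok: bool, message: string}
 */
function login(array $users, string $username, string $password): array
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : dummy_hash();

    // Always verify, then AND with $known, so both failure paths do the same work.
    $ok = password_verify($password, $hash) && $known;

    return $ok
        ? ['ok' => true,  'message' => 'Welcome, ' . $username]
        : ['ok' => false, 'message' => GENERIC_FAILURE];
}

// --- Constructed sample run (not real accounts) ---
$stored = weak_store('hunter2');
printf("base64 'encrypted': %s -> recovered: %s\n", $stored, weak_recover($stored));

$users = ['alice' => strong_store('correct horse battery staple')];

foreach ([
    ['nobody', 'anything'],                       // unknown username
    ['alice',  'wrong password'],                 // known username, bad password
    ['alice',  'correct horse battery staple'],   // valid login
] as [$u, $p]) {
    $r = login($users, $u, $p);
    printf("%-7s / %-28s -> %s\n", $u, $p, $r['message']);
}
```

The first two login attempts print the identical `Invalid username or password.` message; only the server-side log (not the response) should record which case it was. Storing `password_hash()` output also means a leaked table yields no passwords without a per-row brute-force attack, which is exactly what base64 fails to provide.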