Picking an Auth Library
#31

[eluser]TheFuzzy0ne[/eluser]
I meant for generating a rainbow table. :)
#32

[eluser]phpserver[/eluser]
Interesting discussion. I have this project to build a web application to be used by a cell phone operator and a bank. I have done my passwords in phpass. However, this particular bank insists on checking the passwords each and every day, so I have a way of doing that. Could anybody suggest to me what their problem is anyway? Is phpass not enough?
#33

[eluser]Dam1an[/eluser]
What do you mean by checking the passwords each and every day?
I'm assuming you don't intend on having a remember-me option, so not sure what else it could mean :-S
#34

[eluser]TheFuzzy0ne[/eluser]
I assume they want to check the passwords to make sure someone doesn't have "abc" as a password or something? If that's the case, the check should be done when the user chooses the password.
#35

[eluser]phpserver[/eluser]
[quote author="Dam1an" date="1242510357"]What do you mean by checking the passwords each and every day?
I'm assuming you don't intend on having a remember-me option, so not sure what else it could mean :-S[/quote]

The IT department wants to see the passwords of active accounts for the web-based application daily. I don't have a remember-me button on the app. The thing is already good with SSL, I deem, but they still insist. From what I know, passwords don't change.
#36

[eluser]theshiftexchange[/eluser]
[quote author="phpserver" date="1242511537"][quote author="Dam1an" date="1242510357"]What do you mean by checking the passwords each and every day?
I'm assuming you don't intend on having a remember-me option, so not sure what else it could mean :-S[/quote]

The IT department wants to see the passwords of active accounts for the web-based application daily. I don't have a remember-me button on the app. The thing is already good with SSL, I deem, but they still insist. From what I know, passwords don't change.[/quote]

huh??? let me see if I understand this:

The bank wants you to send a plain text file (email/printout/whatever) which will show the entire list of usernames and passwords each day, so some random guy in accounting can check to see if a password has changed?

I can think of about 200 reasons why that is unbelievably bad - but I'll list the top 3:

1. It will force you to make your passwords backward-compatible - i.e. you can't hash them, since hashing is a one-way process. Anything you can reverse, so can a hacker.
2. Having passwords in any plain text format (printout/email/file) is just silly.
3. Giving a list of passwords to any person, even the CEO of a company, is also silly - it just opens up all sorts of social-engineering issues.


I'd like to add a general comment here: the reason why security on 'basic' sites is such a security risk is not the site itself, but other sites. It is well known that people use the same username/password combination on multiple sites. A well-documented hackers' technique to steal online game passwords for World of Warcraft, EveOnline etc. is to hack a 3rd-party forum site, and use those usernames/passwords of the forum and try them on the game. More often than not, the username/password combination of the forum is the same as the online game - giving the hacker access.

This same principle applies to the bank scenario. Giving someone a list of usernames/passwords is inappropriate and wrong.
#37

[eluser]Dregond Rahl[/eluser]
I agree with theshift, it's ridiculous. If you need to do a check, why not keep a table, or just set up a query to find all records that have had the password field updated today.
#38

[eluser]phpserver[/eluser]
I know now. The bank particularly wants to monitor any undignified changes in passwords, even if the user is a registered and confirmed user. If a user changes the password thrice, he/she is kicked out and his account re-evaluated. It's not a technical thing really, just a simple way of identifying jokers and the real customers, I have now learned.
#39

[eluser]Dregond Rahl[/eluser]
I've been checking how different libraries are protecting against brute-force attacks. I found that although using a DB to track login attempts is good, it seems a bit unnecessary; also, using CI sessions, what if smart bots can play around with the cookie value? Why not use both PHP sessions and CI sessions to monitor login attempts and compare them in case it's an attack? Any disadvantages?

Also, from what I've seen "The Authentication Library" is one of the best, but lacking a lot of features. Security-wise it's good and the coding is well done, a few mistakes here and there but not too much of an inconvenience. If it had more group controls and such it would be one of the best. Also have to make the admin account un-deletable.
#40

[eluser]phpserver[/eluser]
[quote author="Dregond Rahl" date="1242548641"]I agree with theshift, it's ridiculous. If you need to do a check, why not keep a table, or just set up a query to find all records that have had the password field updated today.[/quote]

That is done via a web interface. I have also included a small calendar to track what changes are made on a specific day. So each time a pass is changed, it's reported. The system generates a password for you on sign-up. This password is considered to be strong and foolproof. So contemplating a second and a third change of heart is a disturbing scenario for anyone in the industry; besides, the pass will not be generated on the second and third attempt, you will have to do it yourself. Studies show that most users will use a pass that they will easily remember but not necessarily clever.
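The approach the thread converges on, as an added example that is not code from any of the posters, phpass or CodeIgniter: store only a salted one-way hash (theshiftexchange's point in #36) and give the IT department a daily report of password *change events* (the query Dregond Rahl suggests in #37, with the three-changes threshold phpserver describes in #38), so nobody ever sees a password. It uses an in-memory SQLite database so it runs stand-alone; the table and column names are assumptions for illustration.

```php
<?php
// Added example: hash-only storage plus an audit log of change events.
// Table/column names are assumptions; SQLite in memory keeps it self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$pdo->exec('CREATE TABLE password_changes (user_id INTEGER, changed_at TEXT)');

// Set or change a password: only the bcrypt hash is written, and the event is logged.
function change_password(PDO $pdo, int $userId, string $newPassword): void {
    $hash = password_hash($newPassword, PASSWORD_BCRYPT); // salted, one-way
    $pdo->prepare('UPDATE users SET pw_hash = ? WHERE id = ?')->execute([$hash, $userId]);
    $pdo->prepare('INSERT INTO password_changes (user_id, changed_at) VALUES (?, ?)')
        ->execute([$userId, gmdate('Y-m-d H:i:s')]);
}

// Login check: the plaintext is compared against the hash and never stored or exported.
function check_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// The daily report the bank can actually have: who changed their password today,
// how many times, and whether they crossed the threshold (three, per the thread).
function daily_change_report(PDO $pdo, int $flagAt = 3): array {
    $stmt = $pdo->prepare(
        'SELECT u.username, COUNT(*) AS changes FROM password_changes c
         JOIN users u ON u.id = c.user_id
         WHERE c.changed_at >= ? GROUP BY u.username');
    $stmt->execute([gmdate('Y-m-d') . ' 00:00:00']);
    $report = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $row['flagged'] = $row['changes'] >= $flagAt;
        $report[] = $row;
    }
    return $report;
}

// Constructed sample data: two users, one of whom changes the password three times.
$pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");
change_password($pdo, 1, 'generated-initial-pw');
change_password($pdo, 2, 'generated-initial-pw');
change_password($pdo, 2, 'second-choice');
change_password($pdo, 2, 'third-choice');
var_dump(check_login($pdo, 'bob', 'third-choice'));
var_dump(check_login($pdo, 'bob', 'second-choice'));
print_r(daily_change_report($pdo));
```

The report lists bob with three changes and `flagged` set, alice with one, and neither plaintext nor hash leaves the database.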