Login Controller/Model
#4

[eluser]tonanbarbarian[/eluser]
You should always store passwords hashed,
either md5 or some other function like sha1.

If the password is stored in plain text then any SQL injection attack could be used to retrieve the password if you are not careful.

Also you might want to salt the password before you store it, and check it. Salting also helps with other exploits.
Some hackers will use an SQL injection attack to get the password hash, and then they will use online tools to see if they can determine a valid password that matches the hash, or they will try a brute force system to look for valid plain text that matches the hash.

If you are not aware, there could theoretically be multiple strings that match any given hash.
The MD5 hash of the letter 'a' => 0cc175b9c0f1b6a831c399e269772661 could also be the same hash as the entire works of William Shakespeare. It probably isn't, but it is possible.

To salt the password you have a config option that is the salt string.
You then add the salt to the plain text before you encrypt
i.e.

$hash = md5($this->config->item('password_salt').$password);
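The following is an added example, not code from the post or from CodeIgniter. It writes out the poster's scheme (one site-wide salt from config, prepended to the password before md5) as a store-and-check pair, and places next to it PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generates a random per-user salt and embeds it in the stored string. The config key 'password_salt' is the poster's; the function names, the constructed salt value and the sample passwords are assumptions made for this example.

```php
<?php
// Added example: salted password storage and verification.
// Two approaches side by side; the helper names below are assumptions.

// --- Scheme as described in the post: one global salt + md5 ---
// $salt stands in for $this->config->item('password_salt').
function legacy_hash_password(string $salt, string $password): string
{
    return md5($salt . $password);
}

function legacy_check_password(string $salt, string $password, string $stored): bool
{
    // hash_equals() compares in constant time, so the comparison does not
    // leak through response timing how many leading characters matched.
    return hash_equals($stored, md5($salt . $password));
}

// --- Per-user random salt and a slow hash via the PHP password API ---
function store_password(string $password): string
{
    // password_hash() picks a random salt for every call and returns a
    // self-describing string (algorithm, cost, salt, digest), so nothing
    // but this one string needs to be stored in the users table.
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    // password_verify() reads the salt and parameters back out of $stored.
    return password_verify($password, $stored);
}

// Demonstration with constructed values.
$salt = 'example-config-salt';   // constructed; would come from config in a real app

$legacyStored = legacy_hash_password($salt, 'correct horse');
var_dump(legacy_check_password($salt, 'correct horse', $legacyStored));
var_dump(legacy_check_password($salt, 'wrong', $legacyStored));

// Two users with the same password get different stored strings, because
// each call draws its own random salt.
$storedA = store_password('correct horse');
$storedB = store_password('correct horse');
var_dump($storedA === $storedB);
var_dump(check_password('correct horse', $storedA));
var_dump(check_password('wrong', $storedA));
```

The difference the second pair illustrates is the one the post hints at with "salt": a single salt shared by all accounts means two users with the same password produce the same hash, and one precomputed table per site covers every account, whereas a random per-user salt forces each stored hash to be attacked separately. The same constant-time comparison idea applies whichever hash is used.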




