Login Controller/Model
[eluser]wiredesignz[/eluser]
Session library must be autoloaded.

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

Code:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');

Any thoughts?
[eluser]Michael Wales[/eluser]
You are storing passwords in plain-text. :bug:
[eluser]wiredesignz[/eluser]
Nice catch. Yes I am, what are the potential problems?
[eluser]tonanbarbarian[/eluser]
You should always store passwords hashed, either md5 or some other function like sha1. If the password is stored in plain text then any SQL injection attack could be used to retrieve the password if you are not careful. Also you might want to salt the password before you store it, and check it. Salting also helps with other exploits.

Some hackers will use an SQL injection attack to get the password hash, and then they will use online tools to see if they can determine a valid password that matches the hash, or they will try a brute force system to look for valid plain text that matches the hash. If you are not aware, there could theoretically be multiple strings that match any given hash. The MD5 hash of the letter 'a' => 0cc175b9c0f1b6a831c399e269772661 could also be the same hash as the entire works of William Shakespeare. It probably isn't, but it is possible.

To salt the password you have a config option that is the salt string. You then add the salt to the plain text before you encrypt, i.e.

Code:
$hash = md5($this->config->item('password_salt').$password);
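The three storage schemes this thread moves through, side by side, as an added example that is not code from the thread or from CodeIgniter. It is plain PHP (7.1 or later), runs stand-alone with no framework or database, and uses a constructed five-word "rainbow table" and a made-up site salt so the lookup can be shown in full. The third scheme, password_hash()/password_verify() with a per-user random salt and a slow hash, is a later PHP 5.5+ facility and goes beyond what the thread describes; it is included because it removes the shared-salt weakness the second scheme still has.

```php
<?php
// Added example (not code from the original thread): the same password
// stored three ways, and what an attacker who has stolen the hash can do.
// All data below is constructed for illustration.

// A "rainbow table" stand-in: precomputed hashes of a tiny wordlist.
// Real tables cover billions of candidates; the lookup is the same.
$wordlist = ['password', 'letmein', 'qwerty', '123456', 'hunter2'];
$precomputed = [];
foreach ($wordlist as $candidate) {
    $precomputed[md5($candidate)] = $candidate;
}

// 1. Unsalted MD5, as in the login controller above: one lookup recovers it.
function store_unsalted(string $password): string {
    return md5($password);
}
function crack_by_lookup(string $stored, array $precomputed): ?string {
    return $precomputed[$stored] ?? null;
}

// 2. Site-wide salt from a config item, as suggested in the thread.
//    Defeats a generic precomputed table, but a table built once for this
//    site's salt (or a brute force of each hash) still works, and two
//    users with the same password still get the same hash.
const SITE_SALT = 'example-config-salt';   // hypothetical config value
function store_site_salted(string $password): string {
    return md5(SITE_SALT . $password);
}

// 3. Per-user random salt and a deliberately slow hash (bcrypt).
//    password_hash() generates the salt and embeds it in the returned
//    string, so only that string needs storing; equal passwords give
//    different hashes, and each guess costs the attacker real work.
function store_per_user(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}
function verify_per_user(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Demonstration with a constructed user password.
$password = 'letmein';

$h1 = store_unsalted($password);
printf("unsalted md5:    %s -> table lookup gives '%s'\n",
    $h1, crack_by_lookup($h1, $precomputed));

$h2 = store_site_salted($password);
printf("site-salted md5: %s -> table lookup gives '%s'\n",
    $h2, crack_by_lookup($h2, $precomputed) ?? 'nothing');
// ...but once the attacker knows SITE_SALT the table is rebuilt in seconds:
foreach ($wordlist as $candidate) {
    if (hash_equals($h2, md5(SITE_SALT . $candidate))) {
        printf("  table rebuilt with the site salt recovers '%s'\n", $candidate);
    }
}

$h3a = store_per_user($password);
$h3b = store_per_user($password);
printf("bcrypt: %s\n        %s\n  same password, different hashes: %s\n",
    $h3a, $h3b, $h3a !== $h3b ? 'yes' : 'no');
printf("  login check: correct password %s, wrong password %s\n",
    verify_per_user($password, $h3a) ? 'accepted' : 'rejected',
    verify_per_user('wrong', $h3a) ? 'accepted' : 'rejected');
```

Save it as a file and run it with `php file.php`. The first two hashes are recovered from the wordlist immediately; the bcrypt pair differ from each other even though the input was identical, and only password_verify() can check them, which is the property a stolen `users` table should have.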
[eluser]wiredesignz[/eluser]
Thanks. I've added MD5 hashing to the login controller and database.

Code:
$attempt->password = md5($this->input->post('password', TRUE)); //hash the password
[eluser]eedfwChris[/eluser]
[quote author="tonanbarbarian" date="1196261609"]To salt the password you have a config option that is the salt string. You then add the salt to the plain text before you encrypt i.e. $hash = md5($this->config->item('password_salt').$password);[/quote] I think he missed your salt addition... It is highly recommended that you also add a "SALT" (see Salt) to your password (or even md5 string) otherwise the password could easily be cracked using Rainbow tables (see Rainbow Tables). Storing JUST a md5 (or sha1) only slightly makes cracking more difficult. Adding a "SALT" usually renders a rainbow table useless.
[eluser]eedfwChris[/eluser]
That's lame, the forums strip brackets in URLs and then don't allow ) or (? Search for "Salt Cryptography" on Wikipedia.
[eluser]Michael Wales[/eluser]
I made a post in these forums about using Salts as well - just do a search for 'security salt' - should come up that way.
[eluser]Senso[/eluser]
You're storing the whole 'users' row in the cookie? That's probably not a good idea.
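What the last reply is getting at, as an added example that is not code from the thread: keep only the user id in the session and reload the row per request, so the cookie never carries the password hash or anything else from the `users` table. It is sketched in the CodeIgniter 1.x controller style the thread uses; the `users` table with an `id` column, the `$row` object coming from a query, and the method names are assumptions for illustration.

```php
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
// Added example, not code from the thread. Written against the
// CodeIgniter 1.x session and database APIs; table and column names
// are assumed.

class Login extends Controller {

    // The pattern the reply warns about: the whole row, password hash
    // included, is serialised into the session cookie the browser stores
    // and sends with every request. Anyone who reads the cookie (XSS,
    // shared machine, logs) gets the hash to crack offline.
    function remember_user_bad($row) {
        $this->session->set_userdata('user', $row);
    }

    // Keep only the user id. The cookie then carries nothing worth
    // stealing, and changes to the row (password reset, account disabled)
    // take effect on the next request instead of living on in old cookies.
    function remember_user_good($row) {
        $this->session->set_userdata('user_id', (int) $row->id);
    }

    // Reload the current user from the database on each request.
    function current_user() {
        $id = $this->session->userdata('user_id');
        if (!$id) {
            return FALSE;
        }
        $query = $this->db->get_where('users', array('id' => (int) $id), 1);
        return $query->num_rows() === 1 ? $query->row() : FALSE;
    }
}
```

Whatever is fetched in current_user() should also be kept to the columns the page needs; passing the password hash around in PHP variables is harmless, but echoing or caching the whole row elsewhere reintroduces the same problem.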