php3-list | 199908
Date: 08/05/99
- Next message: Ryan Morgan: "[PHP3] ereg_replace"
- Previous message: Manuel Lemos: "Re: [PHP3] Parallel, Multi Tasking, Forking whatever you want to call it!"
- In reply to: Jacob Stetser: "Re: [PHP3] 2 way encrypt/decrypt function in PHP3?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello Jacob,
On 05-Aug-99 12:26:58, you wrote:
>Yeah, if they get the password, they're in. There's not much more I
>can do for security past that point.
That's what I figured.
>If I were smarter with designing security setups I could probably
>make something harder, but in the end, the user's password/passphrase
>is always the weak link. If they give it out or somehow someone gets
>it, that's access. I can secure my end of the system, and to some
>degree their end (using md5 encryption and CR instead of simple
Yes, the use of both methods would improve security by making it harder for
the inexperienced hacker. The experienced hacker would figure it out sooner
or later, but it would need to actually sniff the connection and
eventually fake some IPs.
>Where can I get the MCRYPT functions? Are they not built into PHP? I
>can't seem to use them on my host, though I might be using them wrong.
I have never used them, but if I got it right you have to have some
libraries installed.
>Is anyone here an expert in authentication security - specifically a
>system which withstands dictionary attacks, is not plaintext
>equivalent and has forward secrecy?
Dictionary attacks only work if the user password is in a form that is in
the dictionary. The greatest weakness of the systems is the users'
laziness to use different passwords in different systems; they usually come
up with passwords that are easy to guess, like birth dates or personal names.
One of the greatest security problems are insiders, i.e. people that work
inside the companies or institutions and have access to the password.
Most people are concerned about the security of the connections, as somebody
may be sniffing the transmission of a credit card, but nobody has proved that
it happens enough anywhere in the world to make you worry.
The greatest problem of using credit cards on the Internet and elsewhere
is employees and less trustworthy people who have access to the databases
or even receive credit cards by e-mail and keep the information to abuse
it offline.
This is why using SSL gives you a false sense of security as you don't know
what happens to your credit card numbers on the other end.
VISA, MasterCard and others came up with the SET protocol solution. The
bottom line is that the merchants never get to know anything about the
clients' sensitive data.
However, this doesn't solve the fact that a lot of people don't want to use
credit cards on the Internet because their greatest problem is their
ignorance on whether it is safe or not.
But back to our password subject, let me tell you one story that I
know about people who use the same passwords everywhere and the importance
of only storing encrypted passwords in databases, preferably with a
random salt.
Once upon a time, when BBSs were hot and FidoNet was our Internet, some
sysop decided to try this new BBS managed by a friend of mine. Some time
after that, the sysop claimed somebody had hacked his own BBS and was willing
to kick the new BBS off the local FidoNet network.
What happened is that some other employee of the company where my friend
worked managing the new BBS checked the records and stole the password
that the other sysop used in the new BBS. It happened that the password
was the same as in his own BBS. The employee just logged in as sysop and
made a big mess.
Conclusion: never store passwords in clear text in your databases. If
possible, always store the passwords encrypted and never let anybody with
administration privileges know or set anybody's password. If the user
loses a password, mail him a new random password without letting the
administrator user know it. If you don't trust who's behind some site,
never use the same password that you use in other important sites.
Regards,
Manuel Lemos
Web Programming Components using PHP Classes.
Look at: http://phpclasses.UpperDesign.com/?user=mlemos
--
E-mail: mlemos <email protected>
URL: http://www.mlemos.e-na.net/
PGP key: http://www.mlemos.e-na.net/ManuelLemos.pgp
----
PHP 3 Mailing List <http://www.php.net/>
To unsubscribe, send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
To contact the list administrators, e-mail: php-list-admin <email protected>
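The storage and reset practice the message ends with (salted password hashes only, verification without a stored clear text, a random replacement password on reset), as an added example that is not part of the original message and not the author's own code. It uses password_hash(), password_verify() and random_int(), which need PHP 7 or later; none of this existed in PHP3, and the md5() and mcrypt functions discussed above are not used. The in-memory $users array stands in for a database table, and the user names and passwords are constructed sample data.

```php
<?php
// Added example, not from the original post. Requires PHP 7.0+.
// The $users array is a constructed stand-in for a users table: name => row.
declare(strict_types=1);

$users = [];

// Store only a salted, iterated hash. password_hash() draws a fresh random
// salt for every call, so two users with the same password get different
// stored values and a dump of the table does not show who shares passwords.
function create_user(array &$users, string $name, string $password): void
{
    $users[$name] = ['hash' => password_hash($password, PASSWORD_BCRYPT)];
}

// Verify a login. password_verify() reads the salt back out of the stored
// string and compares in constant time; the clear text is never kept.
function check_login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        // Run one hash anyway so an unknown user costs the same time as a
        // wrong password and does not leak which names exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $users[$name]['hash']);
}

// Reset: build a random password from a CSPRNG, store only its hash and
// return the clear text so it can be mailed to the user. Whoever runs this
// never has to see or choose the password. The alphabet leaves out the
// characters users confuse in e-mail (0/O, 1/l/I).
function reset_password(array &$users, string $name, int $length = 16): ?string
{
    if (!isset($users[$name])) {
        return null;
    }
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
    $new = '';
    for ($i = 0; $i < $length; $i++) {
        $new .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $users[$name]['hash'] = password_hash($new, PASSWORD_BCRYPT);
    return $new;
}

// Demonstration with constructed data: the sysop from the story, reusing one
// password, and a second user who happens to pick the same one.
create_user($users, 'sysop', 'same-password-everywhere');
create_user($users, 'other', 'same-password-everywhere');

var_dump(check_login($users, 'sysop', 'same-password-everywhere'));
var_dump(check_login($users, 'sysop', 'wrong'));
var_dump(check_login($users, 'nobody', 'same-password-everywhere'));
var_dump($users['sysop']['hash'] !== $users['other']['hash']);

// After a reset the old password no longer works and only the mailed
// replacement does; the table still holds nothing but a hash.
$temp = reset_password($users, 'sysop');
var_dump(check_login($users, 'sysop', 'same-password-everywhere'));
var_dump(check_login($users, 'sysop', $temp));
echo "Stored for sysop: {$users['sysop']['hash']}\n";
```

An insider reading the table, as in the BBS story, gets only bcrypt strings; reusing one across another system requires cracking it first, and the random per-user salt means that work cannot be shared across accounts.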