
I have read a lot of these but I have a few questions that I think aren't adequately answered. If there is a link, please refer me to it and I'll be grateful.

I have a PHP login system and it will be a community site where users will register and login. Now I need your help in these things:

  1. What hashing algorithm is enough for most sites (WP, Joomla, FB, et al.)? Simple MD5 with a salt? Or what?
  2. What are the attacks I have to deal with that, apart from top-secret sites, exist on a community-driven site? (Just list them and maybe a short explanation of what they are.)
  3. What is the best among PDO and MySQLi (I saw PHP recommends the latter but I would like to hear from you guys)

Thanks a lot, Stefano

Stefano Mtangoo
    I think this is many questions in one. I think you'll get a much better response if you ask each question individually. Stack Overflow is not a forum, it is a question-and-answer site, so ideally each post is a single question, not a whole bunch. – Mild Fuzz Apr 19 '11 at 14:02
  • @MildFuzz: In addition I would recommend the questions being more specific, since security is a complex and ample issue that can't easily be explained in a short answer. Please also see [this question](http://programmers.stackexchange.com/questions/46716/what-should-a-developer-know-before-building-a-public-web-site), especially the security part; it will give you a good picture. Remember, the more specific the question, the better the answer. Welcome to Stack Overflow. Please take time to read our [FAQ](http://stackoverflow.com/faq) too. – Trufa Apr 19 '11 at 14:08
  • Thanks friends, as you can see I'm used to Daniweb, a forum, so bear with me. I will try to cope as much as I can. Let me digest your answers for now, and thanks ;) – Stefano Mtangoo Apr 21 '11 at 11:14

3 Answers


1. What hashing algorithm is enough for most sites (WP, Joomla, FB, et al.)? Simple MD5 with a salt? Or what?

You should use MD5 with a salt as a bare minimum. Ideally you should use a different hashing algorithm, as MD5 has been proven to be fairly insecure in comparison to other available algorithms. Have a look at the different available ones here: `hash()`. Personally I would use SHA512, with a per-user salt.

Using a per-user salt means that any attacker who gets ahold of your database would have to crack the passwords on a per-user basis, rather than cracking them all at once.

2. What are the attacks I have to deal with that, apart from top-secret sites, exist on a community-driven site?

The main attacks would be SQL Injection attacks (either to steal a database, or to inject malicious code into your site). This can also be coupled with a Cross-Site Scripting attack, which could allow an attacker to place their own code onto your site (such as a `<script>` tag), to infect users with viruses.

These two attacks can be mitigated by escaping any variables that are going into your database, and also stripping out any HTML (or special characters) in any user-submitted data.

3. What is the best among PDO and MySQLi

This question I will leave someone else to answer - I'm not as clued up on the differences.

Hope this helps

fin1te
    I might add that it is a difficult task to get a login system right, so you should be very careful and **always** sanitize and validate user inputs. XSS vulnerabilities are also **very** common and sometimes hard to catch. This phrase from [this answer](http://programmers.stackexchange.com/q/46716/) to that question stuck with me: `Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.` – Trufa Apr 19 '11 at 14:17
  • Do you use the user email for the salt? – AntonioCS Apr 19 '11 at 15:26
  • You could do, but I think generating a random one per user and storing it in the DB is better - less chance of an attacker being able to generate password hashes to compare the passwords against (since he may know the email, but won't know the random salt). I use this `$salt = ''; for ($i = 0; $i < 10; $i++) { $salt .= chr(rand(33,122)); }`, which generates a 10 character salt (with symbols, letters and numbers). – fin1te Apr 19 '11 at 15:39
  • This is a very helpful answer but I can't upvote, sorry! @Trufa, I want to roll my own because I believe it will solidify my learning. I think by the time my site gets famous, I will have fixed a lot of holes. Thanks for the reply though :) – Stefano Mtangoo Apr 21 '11 at 11:17

2) You need to be particularly careful of SQL Injection attacks and XSS (Cross Site scripting). See https://www.owasp.org/index.php/OWASP_Top_Ten_Project for more attack vectors.

3) I've only used MySQLi but thought it was a decent library

Lawrence Tierney

I don't think MD5 is very good, hence this MD5 decoder: http://www.md5decrypter.com/

Personally, I use SHA1. The SHA1 decoder I found online does not work. Some say that SHA1 is slower but I cannot understand why you would care if you are just using it for logging in.

Mysqli should prevent injection attacks.

Be sure not to give away too much information on failed log in attempts. Example of bad: "We recognize your username but your password is incorrect" Example of good: "The username and password do not match" --> use this for all failed logins, even if the username is NOT in the database.

Flat Cat
  • Thanks Ben. That is a very helpful tip. I'm logging all errors using a single function, so I will turn it off once the site goes on the net. – Stefano Mtangoo Apr 21 '11 at 11:23
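The per-user salted hash and the "escape everything going into the database" advice from fin1te's answer, together with Flat Cat's uniform failed-login message, as one added example (not code from any of the answers). It assumes a hypothetical `users` table with columns `username`, `salt` and `hash` and an already-connected `mysqli $db`; the salt comes from `random_bytes()` rather than the `rand()` loop in the comments, and storage and lookup use MySQLi prepared statements instead of string escaping.

```php
<?php
// Added example, not code from any answer on this page. Implements the
// per-user-salt + SHA-512 scheme the first answer describes, with MySQLi
// prepared statements and a uniform failure message. Assumes a hypothetical
// `users` table (username, salt, hash) and a connected mysqli $db.
// Note: PHP's built-in password_hash()/password_verify() perform per-user
// salting with a deliberately slow hash and are the better choice today.

function makeSalt(): string {
    // random_bytes() is a CSPRNG; the rand()-based loop in the comments is predictable.
    return bin2hex(random_bytes(16)); // 32 hex characters
}

function hashPassword(string $password, string $salt): string {
    return hash('sha512', $salt . $password);
}

function registerUser(mysqli $db, string $username, string $password): bool {
    $salt = makeSalt();
    $hash = hashPassword($password, $salt);
    // Bound parameters never become part of the SQL text, so no escaping is needed.
    $stmt = $db->prepare('INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $salt, $hash);
    return $stmt->execute();
}

function loginUser(mysqli $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT salt, hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    // Unknown user: still hash against a throwaway salt so the response time
    // does not reveal whether the username exists.
    $salt   = $row['salt'] ?? makeSalt();
    $stored = $row['hash'] ?? hashPassword('', $salt);
    $match  = hash_equals($stored, hashPassword($password, $salt)); // constant-time compare
    return $row !== null && $match;
}

// One message for every failure, whether or not the username is in the database.
function loginMessage(bool $ok): string {
    return $ok ? 'Login successful.' : 'The username and password do not match.';
}

// Output-encode user-submitted text when rendering it; this neutralises an
// injected <script> tag without destroying the user's original input.
function renderUserText(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
```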