Yes you would, and you should!
Explanation follows shortly. Over the last few weeks, I’ve been helping out a friend with his new site. He payed some programmers from India a few hundred euros to complete the site, and they did.
However, they made more than a few errors!
The first most n00bish error they made, was not to properly escape input to MySQL, meaning the whole site was vulnerable to SQL injection attack. I tried it, and it worked like a charm = bad!
This error was quick to fix, and zoon after the site was a tad bit more secure. But then I discovered the next big(huge!) mistake.
All passwords are stored in PLAINTEXT in the database!!!!1!!
[ad name=”Google Adsense-1″]
Why is this bad? Well, if someone got a hold of the database, they could use it to access that persons account. They could even be so lucky, that they could access a different site, using the same username and password = not good!
People are generally not good at using different passwords for different sites.
[ad name=”Google Adsense-1″]
So what are the options?
- Store the cryptographic hash (aka message digest) of the password instead of the password.
- Store the cryptographic hash of the message + a salt
If you just want security against you plain kiddy hacker, you could go for option number one.
[sourcecode language=”php”]
<?php
mysql_query( sprintf("insert into usertable(name,password) values (‘%s’,’%s’)", mysql_real_escape_string($username), mysql_real_escape_string( md5($password)));
?>
[/sourcecode]
However, MD5 has been proven to be “weak”. You could/should replace it with SHA256.
If a good(proven) hacker gets hold of your passwords in the database, he would most likely use a Rainbow table to reverse engineer all the passwords.
Using a salt
Lets say that you for each user in your usertable, adds a new field which contains a salt. This salt is different for each user. The length of the salt should be fairly high, say about >128 characters.
Before the password is hashed, the password is appended/prefixed the random generated hash value.
[sourcecode language=”php”]
<?php
// generated random salt – length 128 chars
$salt = substr(md5(uniqid(rand(), true)), 0, 128);
// generate hash with salt
$hash = md5($salt.$password);
?>
[/sourcecode]
If the attacker gets hold of your usertable, he (or she for that matter) will have to calculate a new Rainbow table for each user. The larger the salt you use, the bigger the Rainbow table, the longer it takes to calculate.
A hidden salt value would be ideal, but thats not always possible.
Nice post bud.
Sorry, but hacker gets your users table with salt and all your tricks is will be stultified.
I’m pretty sure he/she can get the user table. The question is how long it will take for the hacker to crack the passwords and for you to change them!