#1
Programmer
Join Date: Jan 2005
Location: Albany, NY
Posts: 43
Rep Power: 0
Internet security: Encryption/decryption
I'm currently working on taking security measures to ensure that my website is safe. I'm using cookies to store my members' username, password, and date-last-visited upon logging into my site. My password will be encrypted using the md5() function. Let's say a user types javascript: alert(document.cookie) into the address bar and now knows the encrypted password. Is there any way to decrypt this password? If so, will the user be able to know which function I used to encrypt it?
On a side note, I was thinking about taking a course called "Certified ethical hacker" after school at a local college. Has anyone taken this course? If so, how would you rate it?
__________________
meh...

#2
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 5
It's generally a bad idea to store any information in a cookie that you want to remain secure. Most sites generate a random ID, and save this to the cookie. This ID links up to a file or database row that contains the secure information. This ensures that no critical information is stored directly in a cookie. PHP has session handling functionality that should make most of the above automatic.
It's also usually a good idea to encrypt a password with a one-way hashing algorithm anyway, even if the user's password is stored in your database. MD5 is a one-way hashing algorithm, in that it's easy to generate an MD5 hash from a set of data, but very difficult to get a set of data from an MD5 hash. MD5 has had some security issues however, so I'd advise using SHA1, which is considered to be somewhat more secure. SHA1's record isn't entirely flawless - there are some promising efforts that could lead to a reduction in SHA1's effectiveness - but for hashing short strings, such as passwords, there shouldn't be an issue. Especially since an attacker would have to gain access to your database first, to take advantage of it (remember to protect against SQL injection attacks!).
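The random-ID approach described in post #2, as an added example that is not part of the original thread: the cookie carries only an opaque token and the lookup happens server-side. The `sessions` table, the function names and the in-memory SQLite database are assumptions for illustration; PHP's built-in session handling does the equivalent for you.

```php
<?php
// Added example: opaque session token in the cookie, account data stays server-side.
// Table and function names are hypothetical; SQLite in memory stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');

function issue_session(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires) VALUES (?, ?, ?)');
    // Store only a hash of the token, so a leaked sessions table cannot be replayed as cookies.
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;                        // this value is all the cookie carries
}

function lookup_session(PDO $db, string $cookieValue): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $cookieValue), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

$token = issue_session($db, 42);          // 42 is a constructed user id
// In a real response the token would be sent with HttpOnly set, which keeps it
// out of document.cookie in the browser:
// setcookie('sid', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

var_dump(lookup_session($db, $token));               // token issued above
var_dump(lookup_session($db, str_repeat('0', 64)));  // guessed value with no matching row
```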

#3
Programmer
Join Date: Jan 2005
Location: Albany, NY
Posts: 43
Rep Power: 0
Thanks for the reply Arevos! I've never even thought about having my cookie store a number that links up to my row containing the password. Also, I've changed my encryption function from md5 to sha1. I'm still reading up on SQL injections (and how to prevent them).
__________________
meh...

#4
Troll
Join Date: Apr 2005
Location: Texas
Posts: 732
Rep Power: 4
Post an MD5 hash. Let's see if I can crack it.
__________________
MD5(sig) = bcef75433db02e9ad9bf81d6f7c5c270

#5
Programmer
Join Date: Jan 2005
Location: Albany, NY
Posts: 43
Rep Power: 0
ccfd95bcb4c7163d10c7bbe298d173ac
How would you go about cracking an MD5 hash (without using a cracking app)?
__________________
meh...

#6
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 5
[php]$query = "SELECT * FROM users WHERE username = '" . $user . "' AND password = '" . $password . "'";[/php]
Under normal circumstances this works fine. Say the username was "bob", and the password "foobar", then the query would be:
SELECT * FROM users WHERE username = 'bob' AND password = 'foobar'
SELECT * FROM users WHERE username = 'bob' AND password = '' OR '1' = '1'
The way to prevent SQL injection attacks is to escape your strings. There are a number of functions to do this. For mysql, the function is "mysql_real_escape_string":
[php]$query = "SELECT * FROM users WHERE username = '" . mysql_real_escape_string($user) . "' AND password = '" . mysql_real_escape_string($password) . "'";[/php]
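The query from post #6 run both ways against an in-memory SQLite table, as an added example that is not from the original post. It uses PDO prepared statements rather than the escaping function the post names; the table contents and function names are constructed for illustration.

```php
<?php
// Added example: the thread's login query, concatenated vs. prepared.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
// Constructed row; the password is stored as plain text only to mirror the post's query.
$db->exec("INSERT INTO users VALUES ('bob', 'foobar')");

function login_concat(PDO $db, string $user, string $password): bool
{
    // Same construction as the first query in the post: input becomes part of the SQL text.
    $query = "SELECT * FROM users WHERE username = '" . $user
           . "' AND password = '" . $password . "'";
    return $db->query($query)->fetch() !== false;
}

function login_prepared(PDO $db, string $user, string $password): bool
{
    // Placeholders keep the SQL text fixed; the values are bound separately
    // and are never parsed as SQL, whatever characters they contain.
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $password]);
    return $stmt->fetch() !== false;
}

$inputs = [
    'correct password'     => 'foobar',
    'wrong password'       => 'guess',
    // Produces exactly the second SELECT shown in the post when concatenated.
    'quote-breaking input' => "' OR '1' = '1",
];

foreach ($inputs as $label => $password) {
    printf(
        "%-22s concat=%-5s prepared=%s\n",
        $label,
        var_export(login_concat($db, 'bob', $password), true),
        var_export(login_prepared($db, 'bob', $password), true)
    );
}
```

The two functions agree on the first two inputs and disagree on the third, where only the concatenated query reports a successful login.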

#7
Programmer
Join Date: Jan 2005
Location: Albany, NY
Posts: 43
Rep Power: 0
Ahh I get it! I never knew how flawed my scripts were.
__________________
meh...

#8
Hobbyist Programmer
Join Date: Sep 2004
Posts: 207
Rep Power: 5
You can't. The only way to do it is a brute force or dictionary attack, and if you salt your passwords this becomes very difficult. By "salt" I mean add a static string to each password before it is encrypted.
__________________
_______________________________ BlazingWolf

#9
Programming Guru
Yeah, just add the same string (eg: '1pa82*') to the end of any password before it's encrypted, and it then becomes impossible by any means to decrypt with brute force. Unless they gain control of the salt, which still doesn't help much.
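An added example, not written by the thread's posters, comparing the single static salt described in posts #8 and #9 with the per-password random salt that PHP's `password_hash()` generates, including a re-hash-on-login path for digests already in a table. The sample password and the function names are constructed.

```php
<?php
// Added example: one site-wide salt vs. a random salt per password.
const STATIC_SALT = '1pa82*';   // the sample salt from post #9

function hash_static(string $password): string
{
    return sha1($password . STATIC_SALT);
}

// Two users who picked the same password (constructed data).
$alice = hash_static('letmein');
$bob   = hash_static('letmein');
// With a shared salt the digests are identical: equal passwords are visible in the
// table, and one guess hashed with the salt is checked against every account at once.
var_dump(hash_equals($alice, $bob));

// password_hash() draws a fresh random salt per call and uses a deliberately slow
// algorithm; the salt and cost are stored inside the returned string.
$aliceStored = password_hash('letmein', PASSWORD_DEFAULT);
$bobStored   = password_hash('letmein', PASSWORD_DEFAULT);
var_dump($aliceStored === $bobStored);               // same password, separate salts
var_dump(password_verify('letmein', $aliceStored));  // correct password
var_dump(password_verify('letmein1', $aliceStored)); // wrong password

// Upgrade path for existing sha1 digests: verify the old way once, then re-hash.
function verify_and_upgrade(string $password, string $stored): array
{
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {   // legacy sha1 + static salt
        $ok = hash_equals($stored, hash_static($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : $stored];
    }
    $ok = password_verify($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [$ok, $stored];
}

[$ok, $newStored] = verify_and_upgrade('letmein', $alice);
var_dump($ok, $newStored !== $alice);   // login result, and whether the record was replaced
```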

#10
Expert Programmer
I've always said, that if it was made by man, it can be cracked by man (or for any women out there, you can replace either or). This statement, I'm quite sure, holds true. You could say it would take a long time, and it may never actually become accomplished, but it can be done. Anyways, in regards to this topic, I just wanted to say cheers to Arevos for the great post.
That is very interesting. I never knew that. Thanks :p