All geek questions in one place

PHP passwords?

I am very interested to know how to protect php passwords.

The main question: how to send a password as a secure line from the login form?

I check how other sites do it, for example. facebook. When I log in to facebook, I don’t see my password at all, it's just a long encrypted string.

How to convert a password field to an encrypted string before sending? Is this done using ajax?

Cheers Ke

+4
source share
3 answers

Check HTTPS

Secure Hypertext Transfer Protocol ( HTTPS ) is a combination of Hypertext Transfer Protocol with SSL / TLS to provide encryption and secure server identification. HTTPS connections are often used for payment transactions on the World Wide Web and for confidential transactions in corporate information systems. HTTPS should not be confused with secure HTTP (S-HTTP) as specified in RFC 2660 .

If you cannot enable HTTPS for your site and do not want to publish cleartext passwords (for obvious security reasons), consider using Challenge-Response Authentication .

Just google for various PHP / Javascript implementations and choose the one you like.

+4
source

If you cannot use a secure connection, you can encrypt the password before sending.

JavaScript pseudo code:

onSubmit: PASSWORDFIELD.value = md5(PASSWORDFIELD.value)

After that, the MD5 password will be encrypted on the client side, which will then be sent to your server (there is no need to use AJAX). On the server side, you should compare it with the encrypted password stored in the database to check if the user is allowed.

+2
source

according to Select0r I did this so as not to change the * -s count after sending:

 onSubmit='encrypt_pass(this)'

and

 function encrypt_pass(form){ form.pass_md5.value = md5(form.pass.value); //needs a hidden pass_md5 field var stars = ""; for(i=0;i<form.pass.value.length;i++) stars = stars+"*"; form.pass.value = stars; }
0
source

Source: https://habr.com/ru/post/1301576/

More articles:


All Articles