Handling Passwords and Password Security
What's the most used way of securing a web page from unauthorized access? Password protection.
Most applications use a database to password protect their pages. Password protection using a database is quite simple. You have a username and a password and store them in a database table. If anyone requests the page, you redirect them to a login page, and when their submitted username and password match a record in the table, you let them in. Otherwise, you give them an error message.
It's actually not such a simple matter. What if someone gains access to your database? I'm not saying it's gonna happen, but it's possible. What do you do then?
That's where hashing comes in. MD5, a one-way hash function, is widely used for this. However, with the growing number of MD5 lookup databases available on the internet, using ONLY MD5 doesn't cut the mustard. Salting is a much better alternative.
Salting means mixing an extra string into the password before it is hashed. The stored hash then no longer matches a plain MD5 of the password, which defeats the easy lookup in some MD5 database.
Here's an example of salting from my own CodeIgniter Auth library:
// Hashes a password using the app's encryption_key config item as a secret salt.
// Inner step: MD5 of the reversed password followed by the key.
// Outer step: SHA-1 of that MD5 hex digest followed by the plain password.
function hash($password)
{
    return sha1(md5(strrev($password) . $this->CI->config->item('encryption_key')) . $password);
}
Now, unless you tell someone how the password hashing works or they gain access to your config file, even someone with access to the database will have a difficult time 'guessing' what passwords your users have. Please note that salting can be done in any way you like. You can choose to create your own salt instead of reusing the value of the encryption_key config item.
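To show what "create your own salt" can look like, here is an added example (not the post's CodeIgniter library code) that gives each user a random salt stored next to the hash, so two users with the same password get different hashes and one lookup table cannot be reused across the whole table. It uses SHA-256 in place of the post's MD5/SHA-1 pair, and the SERVER_KEY constant and the record layout are assumptions standing in for the config encryption_key and your users table.

```php
<?php
// Added example, not the post's library code.
// Assumption: a server-side key kept in config, standing in for
// $this->CI->config->item('encryption_key') in the post.
const SERVER_KEY = 'example-config-key-change-me';

function hashPassword(string $password, string $salt): string
{
    // Per-user salt first, then the password, then the server key:
    // identical passwords for two users produce different hashes.
    return hash('sha256', $salt . $password . SERVER_KEY);
}

function makeUserRecord(string $username, string $password): array
{
    // 128 random bits per user, hex-encoded so it fits a text column.
    $salt = bin2hex(random_bytes(16));
    return [
        'username' => $username,
        'salt'     => $salt,
        'hash'     => hashPassword($password, $salt),
    ];
}

function checkLogin(array $record, string $password): bool
{
    // Recompute with the stored salt and compare in constant time, so
    // response timing does not reveal how many leading bytes matched.
    return hash_equals($record['hash'], hashPassword($password, $record['salt']));
}

// Constructed demo rows: same password, different salts, different hashes.
$alice = makeUserRecord('alice', 'correct horse');
$bob   = makeUserRecord('bob',   'correct horse');

var_dump($alice['hash'] !== $bob['hash']);
var_dump(checkLogin($alice, 'correct horse'));
var_dump(checkLogin($alice, 'wrong horse'));
```

A per-user salt stops shared lookup tables but does not slow down guessing against a single account, which is why a deliberately slow password hash is preferred; PHP 5.5 and later ship password_hash() and password_verify(), which generate the salt and use such an algorithm for you.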
I hope someone has been helped by this post.
Categories: How To, Web Development
2 Comments
Teejay


Charles
I have always used SHA1 but haven’t used password salting. Great Article.
May 14th 2009