Hack the Password

Can you recheck your first php program which you have done with database backend support. Is there any password storing field in that ?.

If so you might saved your password as its plain text format without any encryption or hashing , right ? If not, you are very genius programmer by birth. What would happen if your database is leaked or somebody hacked your database, after you hosted your website and a lots of user registered or submitted their account with password. You are trapped. The hacker can access the user account by acquiring the password (saved without any encryption). The user can sue you for publishing his password open. So beware of this password saving while doing big project which is being hosted for a huge public usage.

Then what are the mechanism for saving password in database ?

One is you can save password after digesting or hashing , and and while rechecking the account or login you can compared the hash of password entered with the password stored in database. For that in php you can use this function:

$hash_password = sha1($password); ?>

Is this method all enough for full security. No , Never. For example, if you already know somebody’s password, say Sanjay’s password is : access, and you got the database and you will get the hash encoded string of the password: access. Suppose “XYZ123#@!” is the hash password got from database. Then you can reverse compare whether there any other user having hash text with “XYZ123#@!”, and thus you can get the password of that particular user. Hacked Again !!!

How to avoid this. Yes solution is Salting. Add some salt(random string) to current password and hash the whole password and save in database. Remember to save the salt value too in another field of the table , for rechecking the account login. Then for same password say”accesss”, you will get different hash digests. Thus the reverse caparison from know password can be avoided.

*
$salt = rand(1000,99999);
$hash_password = sha1($password . $salt ); *?>

Is this all enough for full security. Need not to think about the same salt for same password while creating random salt value. The probability for that is .00000….followed by 1000000 zeros …1 . Means Never.

But we are not taking risk. Add some more information to the password before hashing it. Generate a global constant string that only know to the programmer say : &555$34E$ and call it Global pattern . Append this string also with password+salt string before hashing. This will create more secured digest for your password. Remember , never forgot or miss this Global pattern, otherwise you can never check the login password later. (And it is not like the salt, the value of salt is there in database table) .

$hash_password = sha1($password . $salt . auth::GlobalPattern());*?> *

Enough … No one can hack your password now, even though he get your database. Okay .

(Saving encrypted password also helps to avoid sql injection)

Okay, enjoy programming.

Your’s Sajith