MySQL
- Thread starter dewymodz
- Start date
If you were to look at tutorials or/and scripts then I suggest improving them after.
Just by Googling, I found some tutorials with serious issues. Mainly being the fact that they are hashing using md5 and that alone. Special mention goes to Tutorialzine for their 2009 tutorial.
There is way worse like plaintext or even no decent protection against SQL injections.
While mod_security2 would try to protect you against such attacks, there are other issues present in them that should be resolved before even being close to being in production (you should be sorting out the issues regardless of protection just in case it doesn't protect later on). Few of the issues being: XSS injection and no server-side character length checks.
my little rant on these tutorials. hope you enjoyed it.
Just by Googling, I found some tutorials with serious issues. Mainly being the fact that they are hashing using md5 and that alone. Special mention goes to Tutorialzine for their 2009 tutorial.
There is way worse like plaintext or even no decent protection against SQL injections.
While mod_security2 would try to protect you against such attacks, there are other issues present in them that should be resolved before even being close to being in production (you should be sorting out the issues regardless of protection just in case it doesn't protect later on). Few of the issues being: XSS injection and no server-side character length checks.
my little rant on these tutorials. hope you enjoyed it.
- Messages
- 3,295
- Reaction score
- 227
- Points
- 63
Specifically, anything that's not using PHP's built-in password_hash(), password_verify(), and password_needs_rehash() functions is doing it wrong*, and if you see mysql_connect(), just run away.
But to answer (or try to answer) the main question, there's a lot more to it than just creating a login page/script. If you think it's something that can be covered in a ten-minute YouTube tutorial or a single thread in a user-to-user forum, you've got to reset your expectations. I can't stress this enough: users use the same password (or two or three) everywhere, so your system needs to be as secure as if your were guarding their bank password - because you probably are.
______________
* That's not quite true, but the reasonable alternatives involve either scrypt(), which you can't run on a shared hosting server that won't allow you to install binaries, or a hardware security module, which you can't use on a server you don't have physical access to. You can also use the same methods that the built-in functions use (if you're stuck on a old version of PHP), but you won't be able to do enough hash iterations fast enough to make the hash secure and responsive at the same time (users will not wait around for 20 seconds).
But to answer (or try to answer) the main question, there's a lot more to it than just creating a login page/script. If you think it's something that can be covered in a ten-minute YouTube tutorial or a single thread in a user-to-user forum, you've got to reset your expectations. I can't stress this enough: users use the same password (or two or three) everywhere, so your system needs to be as secure as if your were guarding their bank password - because you probably are.
______________
* That's not quite true, but the reasonable alternatives involve either scrypt(), which you can't run on a shared hosting server that won't allow you to install binaries, or a hardware security module, which you can't use on a server you don't have physical access to. You can also use the same methods that the built-in functions use (if you're stuck on a old version of PHP), but you won't be able to do enough hash iterations fast enough to make the hash secure and responsive at the same time (users will not wait around for 20 seconds).
- Messages
- 3,534
- Reaction score
- 196
- Points
- 63
while I agree with the above post that --> PHP security is not "simple"
see --> [ http://www.fastsecurecontactform.com/download-php-script]
down load size is 780.6 kB (780,613 bytes)
have access to what ?
FWIW - I now use 3 step login for my sites that have a need for security
here is a link for a 'log-in form' that is old yet has a lot of "peer reviews"
see --> [ http://www.fastsecurecontactform.com/download-php-script]
down load size is 780.6 kB (780,613 bytes)
log-in to what ?
have access to what ?
FWIW - I now use 3 step login for my sites that have a need for security
- Messages
- 3,295
- Reaction score
- 227
- Points
- 63
While that's a good start, it really does need to be modified to be "good enough" today. Back when PHP 5.1 was the bees knees, we had to make some rather severe compromises on the hash that made cracking way too easy on a modern small GPU set-up. The code behind the new (well, used to be new) password hashing functions in PHP was introduced in PHP 5.5 (and the necessary components for a compatible script were backported to PHP 5.3.7 by the RedHat/CentOS group for their PHP distributions). That (binary) code makes the difference between being able to crack several passwords a minute and spending several minutes on each password - which might not sound like much, but it's the same as the difference between about one week and about 60 years, or between one day and almost nine years, to crack an entire fair-sized user database table. (And yes, we can do even better than that by straying away from the default settings, but it's not really practical within the confines of Free Hosting, with its limited CPU and memory allocations.) That's a lot more time to react and change things, and to allow your users to make the changes they'll need to make elsewhere.
It was the whole "what do you do now that your users can log in" question that I was getting at when I said:
That's a big topic, and there's no way to cover it in a short tutorial - unless you really want to fool yourself into thinking you're accomplishing something you're really not. Feeling warm and fuzzy is not security, and your site doesn't matter nearly as much as your users do.
It was the whole "what do you do now that your users can log in" question that I was getting at when I said:
That's a big topic, and there's no way to cover it in a short tutorial - unless you really want to fool yourself into thinking you're accomplishing something you're really not. Feeling warm and fuzzy is not security, and your site doesn't matter nearly as much as your users do.
jensen
Active Member
- Messages
- 1,167
- Reaction score
- 22
- Points
- 38
Let's not discourage dewymodz with all the issues of security.
Maybe s/he just wants to learn the basics of creating a login form. Or maybe s/he thought this is another post-to-host and was just posting to get some response afterall that's the first post from Sept 12 and no response.
Appreciate the warning of being slack with security but that does not mean we should all just stop and leave it to the corporations to do the job. We learn to be aware of the risks and mitigate them. Always enjoy reading essellar and caftpx10. Very detailed.
bdistler uses 3 step login? Can you share the 3 steps? Have used the CPanel security for the 1st step, then hardening my WordPress login on the 2nd step but that's about it. Once they see an extra layer, they just move on and stop trying to break in.
There's huge companies built just working on security with team of white hat hackers and still people break through.
There's OTP tokens (one time password), smartcard, biometric tokens, iris scan, finger print scanners etc. Man in the middle attacks can go around some of these and other methods.
Maybe s/he just wants to learn the basics of creating a login form. Or maybe s/he thought this is another post-to-host and was just posting to get some response afterall that's the first post from Sept 12 and no response.
Appreciate the warning of being slack with security but that does not mean we should all just stop and leave it to the corporations to do the job. We learn to be aware of the risks and mitigate them. Always enjoy reading essellar and caftpx10. Very detailed.
bdistler uses 3 step login? Can you share the 3 steps? Have used the CPanel security for the 1st step, then hardening my WordPress login on the 2nd step but that's about it. Once they see an extra layer, they just move on and stop trying to break in.
There's huge companies built just working on security with team of white hat hackers and still people break through.
There's OTP tokens (one time password), smartcard, biometric tokens, iris scan, finger print scanners etc. Man in the middle attacks can go around some of these and other methods.
- Messages
- 3,295
- Reaction score
- 227
- Points
- 63
Sorry, but that's the one area where I cannot, under any circumstances, take it easy. Doing local development, or on a sandboxed school network, sure, there's room for learning the thing one step at a time (just getting a form to do something, then doing the login, then learning ow to authenticate), but on a public-facing server, it's pure danger. And no, one doesn't have to leave things to "corporations"; the features needed to do things correctly are built into the PHP language and alternative secure hashes (such as PBKDF2) are but a Google away.
It really is the case that people are going to use their "real" password, likely the only one they use wherever they can get away with it, on your toy site, and it's by attacking the toy sites that "interested parties" find their way into places where they can do real damage. There's absolutely no room for encouraging poor practice here.
It really is the case that people are going to use their "real" password, likely the only one they use wherever they can get away with it, on your toy site, and it's by attacking the toy sites that "interested parties" find their way into places where they can do real damage. There's absolutely no room for encouraging poor practice here.
jensen
Active Member
- Messages
- 1,167
- Reaction score
- 22
- Points
- 38
Yes essellar I appologize if it seemed I was asking people to take it easy.
Was just looking at how far we need to be implementing these security logins. Like the tokens and
So would it be ok to suggest the minimum requirement for logins is to be built using the built-in features and hashes with vigilance.
Like implementing PHP security features when using PHP eg. http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
and implementing Python best security practices when using Python eg. http://www.pythonsecurity.org/.
Was just looking at how far we need to be implementing these security logins. Like the tokens and
So would it be ok to suggest the minimum requirement for logins is to be built using the built-in features and hashes with vigilance.
Like implementing PHP security features when using PHP eg. http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
and implementing Python best security practices when using Python eg. http://www.pythonsecurity.org/.
Last edited:
- Messages
- 3,534
- Reaction score
- 196
- Points
- 63
while not a 'step' - my [ .htaccess ] file has a hand on who can log-in
step 1 > Google's reCaptcha (i'm not a robot)
step 2 > get user's 'user name' and 'password'
step 3 > send SMS with a code - to the user - who must enter it to log-in
- Messages
- 3,534
- Reaction score
- 196
- Points
- 63
I use PHP
Google [ php sms ]
BTW after months - no bot (Web robot) has passed my Google's reCaptcha --> [ https://www.google.com/recaptcha/intro/index.html ]