
I realise the title is the same as this question over here, but please don't eat me. This is for confirmation of my understanding, and for any other folks who want a one-stop shop.

So after doing some research I've compiled the following notes:

  1. You need some sort of programmable server back-end, e.g.: php. Just the database will not suffice. You should also possess a valid SSL certificate.
  2. Establish an SSL connection with a CSRF token. Source
  3. Send the unhashed password over the SSL to the server.
  4. On the server, hash+salt using bcrypt. Store these hash+salted passwords as you would expect (for SQL: in a table as an entry). Also store the salt separately.
  5. Once logged in, keep using SSL to prevent session hijacking. If SSL is lost, force relogin (although it could already be too late, if you're unlucky?).
  6. When logging in, send the unhashed password over SSL as you would, where it would be appropriately hash+salted and compared with the stored version.

Point 6 is the main issue I have, and on which I couldn't find more information. I've read somewhere that I ought to be salting the password upon every login attempt as well. Is this accurate? How would I do this?

And at any rate, are the rest of my steps correct?

Mox
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – RiggsFolly Nov 22 '16 at 11:19
  • I have used this, which seems to work pretty well: https://github.com/PHPAuth/PHPAuth – Bolli Nov 22 '16 at 11:20
  • "If SSL is lost, force relogin(although it could already be too late, if you're unlucky?)" — Luck has nothing to do with it. It could already be too late if you fail to set the *secure* flag on any cookies you use. – Quentin Nov 22 '16 at 11:20
  • "Establish an SSL connection with a CSRF token" — SSL and CSRF are unrelated. CSRF is more of a concern *after* the user is logged in, but it doesn't hurt to protect login forms with it. – Quentin Nov 22 '16 at 11:21
  • @Quentin I'm sort of new to WebSec and server side coding/php, hence the newb mistakes. Thanks for the clarifications. – Mox Nov 22 '16 at 11:30
  • @RiggsFolly Thanks for that. I would inevitably see that once I get around to implementation. Atm I'm still designing. As mentioned above, I'm sort of a newb. I just don't want to do it the wrong way xD – Mox Nov 22 '16 at 11:31

2 Answers

Point 6 is the main issue I have, and on which I couldn't find more information. I've read somewhere that I ought to be salting the password upon every login attempt as well. Is this accurate? How would I do this?

Never send the password in plain text.

The browser should send the password to the server using SSL to encrypt the communication.

The server should salt and hash the password using the same method as step 4.

You then compare the salted, hashed password you just got with the salted, hashed password from the database.

Quentin
  • I thought the fact that the login should be SSLed was implied, my bad. And obviously if the stored password is hash+salted, the password sent will have to match it. – Mox Nov 22 '16 at 11:23
  • @Mox — "plain text" explicitly states it should not use SSL, which was a contradiction since you also said it should use SSL. – Quentin Nov 22 '16 at 11:31
  • "And obviously if the stored password is hash+salted, the password sent will have to match it." — So what's the problem? – Quentin Nov 22 '16 at 11:32
  • Bah. I'll edit my question to clarify that then. – Mox Nov 22 '16 at 11:32
  • "What's the problem?" Making sure my own understanding is correct, pretty much. I don't want to make shoddy login system, and there are many ways of doing that. :P – Mox Nov 22 '16 at 11:33
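The flow Quentin describes (hash at registration, re-hash with the same salt at login, compare) using PHP's built-in `password_hash()`/`password_verify()` as RiggsFolly suggests. This is an added example, not code from the question or either answer; it assumes PHP 7.0+ and uses an in-memory `$users` array as a stand-in for the database table. Note that the salt is generated inside `password_hash()` and stored as part of the returned string, so no separate salt column and no "re-salting" at login is needed.

```php
<?php
// Added example: registration and login with password_hash()/password_verify().
// $users is a constructed stand-in for a users table (username => hash string).

const HASH_OPTIONS = ['cost' => 12]; // bcrypt work factor; tune to your hardware

/** Step 4: store only the hash string. It embeds algorithm, cost and salt. */
function registerUser(array &$users, string $username, string $password): void
{
    // Result looks like "$2y$12$<22-char salt><31-char hash>"; the salt is
    // random per call, so two users with the same password get different hashes.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/** Step 6: the server gets the plaintext over TLS, re-hashes it with the salt
 *  read back from the stored string, and compares in constant time. */
function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash for unknown users so response time does not
    // reveal whether the username exists (the bcrypt work is done either way).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummy;

    if (!password_verify($password, $stored) || !$known) {
        return false;
    }
    // If the cost or default algorithm has been raised since this hash was
    // made, upgrade it now while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// Constructed demo data:
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple')); // true
var_dump(loginUser($users, 'alice', 'wrong password'));                // false
var_dump(loginUser($users, 'nobody', 'anything'));                     // false
```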

Though I'm not a php guy… but I can suggest something. While generating the password, get the password, get a random 4-digit no. (salt), concatenate them, i.e. password+salt, then pass it to md5 encryption (ssl). Store the result string in the db with the salt.

When logging in, get the password from the text field, get the salt from the db, and concatenate them. Encrypt using ssl. Check equality from the db. That's it.

srv242