One of my friends has an RSA key something; what it does is that every
few minutes it generates a random number, so to log in on his server he
needs this random key and his password to get in; the server generates
the same key as his RSA key and has his password.
So the best thing to do would be to make two programs that use something
to generate a random alphanumeric something on the server side and on
your client side, so when you connect to the server both have this
key + your password; if it's OK it starts a PHP session. And the key
should be regenerated once you have logged in. So even if somebody extracts
the clear text key+password from your connection he can't connect
because this key+password is already past due; the only possible attack
then is to find the algorithm that you use + password, and by changing your
algorithm once in a while you can really limit this; the other attack
could be a man in the middle attack, that could hurt.
Good idea, I have to use this (let's put it down on my project
list...), I could even put the generate stuff on my PDA, I could log in
from anywhere... ;)
Tom Malone wrote:
>
> I guess I should clarify - I'm just making a login for myself for the admin
> section of my website, so I only need to be able to protect my own password.
> I'm not sure if that information if helpful at all, but I haven't been able
> to figure out how to do it.
>
> Tom
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 3:21 PM
> To: Sheridan Saint-Michel
> Cc: php-general
> Subject: Re: [PHP] encryption
>
> Ahh, well then, another solution could be to use SSL, depends on your
> application whether you can get away with using an unsigned certificate
> (free) or whether you will need to pay a company like VeriSign to prove
> your identity.
>
> With an unsigned certificate the browser will warn the user that the
> certificate says it's you, but it's not proven by a CA so it might not be you.
>
> The JavaScript MD5 technique is an interesting way of doing it, but I don't
> think it's any more secure. If a hacker sniffs the md5 hash how is that any
> different than him sniffing a plain text password? You're comparing hashes,
> so as long as he has the hash he's in.
>
> On Thu, Jul 19, 2001 at 01:58:43PM -0500, Sheridan Saint-Michel wrote:
> > The problem he is addressing is that the password is sent plaintext to the
> > server before it ever gets to MySQL.
> >
> > I would suggest using a JavaScript program like this
> > http://pajhome.org.uk/crypt/md5/md5src.html
> >
> > and then using the PHP md5 function on the server side and comparing the
> > two results.
> > That way the only thing that ever gets transmitted is an md5 hash =P
> >
> > Sheridan
> >
> > ----- Original Message -----
> > From: Jeff Bearer <[EMAIL PROTECTED]>
> > To: Tom Malone <[EMAIL PROTECTED]>
> > Cc: PHP Users <[EMAIL PROTECTED]>
> > Sent: Thursday, July 19, 2001 12:17 PM
> > Subject: Re: [PHP] encryption
> >
> >
> > > I'd use the password function in mysql to store encrypted passwords, I'd
> > > be interested to hear if anyone has a reason that doing this is not a
> > > good idea.
> > >
> > >
> > >
> > > On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> > > > Hello!
> > > >
> > > > I have a small problem. On my website there is some information I would
> > > > like to protect. Right now I am using .htaccess to password-protect the
> > > > directory, but I was thinking about using php and a form with
> > > > usernames/passwords in a MySQL database. Thankfully, I read the
> > > > following in the manual right before I was about to use the crypt()
> > > > function to encrypt my password and compare it to the encrypted hash
> > > > in the DB:
> > > >
> > > > "It seems that a lot of people don't understand the point of using
> > > > one-way encryption. More importantly, a lot of web designers forget
> > > > that PHP encryption is done entirely on the web server, not the client.
> > > >
> > > > Point being, if your form has a password input option and the user
> > > > clicks SUBMIT, the password is then sent _as plain text_ over the
> > > > Internet to the web server where it is then encrypted for comparison
> > > > against a password database.
> > > >
> > > > Do _not_ use these types of functions to add security to a form unless
> > > > you're using an SSL or TLS (etc.) encrypted session. The only potential
> > > > way around this issue is for you to write a JavaScript program that does
> > > > the hashing on the client side before being sent over the Internet
> > > > (which would make this function unnecessary)."
> > > >
> > > > I am pretty new to PHP and absolutely clueless as far as
> > > > encryption/algorithms are concerned. Could anyone possibly point me to
> > > > a viable solution for this problem?
> > > >
> > > > Thanks in advance!
> > > >
> > > > Tom Malone
> > > >
>
> --
> Jeff Bearer, RHCE
> Webmaster
> PittsburghLIVE.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
--
Francis Fillion, BAA SI
Broadcasting live from his linux box.
And the maintainer of http://www.windplanet.com