PHP/SQL encrypt password, send as text



Mike
24-08-2011, 08:06 AM
Hi all,

I have this little php app running locally on my PC that requests data from a website every hour or so by sending a username and password then recording the response.

Now I know it's not overly secure (doesn't need to be), but I would like to be able to store the password encrypted somehow, either in the PHP or possibly in the SQL database it's connected to (it's currently stored as open text in one of the PHP files). However, I need the PHP to send that password as text as part of the URL string sent to the remote site (that's just how the remote site is set up).

Basically the URL is something like
https://www.somewebsite.com/?username=myname&password=mypass

Is it possible to store the password encrypted (or even just make it harder to read) yet still send it as text as required through the URL? Or is it possible that the remote site would accept it encrypted? (The remote service is unsupported, so I can't get help at that end.)

Does my question make sense? I'm sick at the moment, so my brain is not functioning normally :)

Cheers,
Mike.

nate
24-08-2011, 12:43 PM
I would use tokens instead.

Change the request to
https://www.somewebsite.com/?accesstoken=abc1234

On the website, only accept that latest token, and once the request is over, generate a new token which the application then needs to use for the next request.

This means every time your application makes a request, it gets a new token. Doing this all over SSL will also mean your traffic won't be intercepted.

Chilling_Silence
24-08-2011, 12:45 PM
When they create the password, MD5 the string, store it in the database
When they try to login, take their submitted password, MD5 it, and compare it with the string in the database. If they are ==, then it's the correct password. If not, reject them with a semi-generic and unhelpful error ;)

Mike
24-08-2011, 01:08 PM
Ummm... I don't think I've explained myself properly :) I can't control anything on the remote website. I have a PHP app with SQL running locally, which uses the URL to connect to the remote website. The remote website uses username and password in the URL, but I would like my PHP or SQL to store my password encrypted somehow, rather than in plain text within the PHP file. I still need to send the password as text in the URL (can't change that).

Cheers,
Mike.

Erayd
24-08-2011, 03:37 PM
I assume you realise that this gains you essentially nothing in the way of security?

If you require reversible encryption for the password, stored locally, and automatically decrypted locally, then the decryption key must also be present. At best, all you're doing is obfuscating the password.

What you're asking for won't stop any competent attacker from figuring out what your password is.

Edit: If you genuinely still want to do this, even though it doesn't really gain you anything, take a look at PHP's crypto extensions (http://nz.php.net/manual/en/refs.crypto.php).

Chill: The password hashing method you've described is almost criminally negligent these days. Unsalted MD5 hashes are trivially crackable, and generally mean a whole lot of trouble for the poor sods who reuse passwords (which is most of them) if your database is ever compromised.

Ideally you'd use something like bcrypt, but if that's not possible then at least use decently large unique salts, and a better hashing algorithm - this will prevent cracking via rainbow tables.
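The contrast Erayd draws above, written out as an added PHP example (not code from anyone in the thread): the unsalted-MD5 scheme Chilling_Silence describes beside a bcrypt scheme using PHP's built-in password_hash()/password_verify() (available since PHP 5.5, later than this thread). The sample passwords are constructed.

```php
<?php
// Added example, not from the thread. Requires PHP 5.6+ (hash_equals, password_hash).

// Weak scheme: unsalted MD5. Every user with the same password gets the same
// hash, so one precomputed (rainbow) table or one cracked hash recovers them all.
function storeWeak(string $password): string {
    return md5($password);
}
function verifyWeak(string $password, string $stored): bool {
    return hash_equals($stored, md5($password)); // constant-time comparison
}

// Stronger scheme: bcrypt with a random per-hash salt and a tunable work factor.
// Salt, cost and algorithm are embedded in the returned string, so nothing else
// has to be stored next to it; raising 'cost' later is handled by password_needs_rehash().
function storeStrong(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}
function verifyStrong(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Demonstration with constructed values.
$a = storeWeak('correct horse');
$b = storeWeak('correct horse');
var_dump($a === $b);                          // bool(true): no salt, identical hashes

$c = storeStrong('correct horse');
$d = storeStrong('correct horse');
var_dump($c === $d);                          // bool(false): fresh salt each time
var_dump(verifyStrong('correct horse', $c));  // bool(true)
var_dump(verifyStrong('wrong', $c));          // bool(false)
var_dump(verifyWeak('correct horse', $a));    // bool(true), but see the caveat above
```

The visible difference is the second pair of var_dump lines: two bcrypt hashes of the same password differ, which is exactly what defeats the table-lookup attack Erayd mentions. The work factor (cost 12 here) is what makes offline guessing expensive even when the database leaks.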

Mike
24-08-2011, 04:35 PM
> What you're asking for won't stop any competent attacker from figuring out what your password is.
>
> Edit: If you genuinely still want to do this, even though it doesn't really gain you anything, take a look at PHP's crypto extensions (http://nz.php.net/manual/en/refs.crypto.php).
:) I'm not overly concerned with the unlikely event of a competent hacker on my PC. More concerned with nosey friends and relatives who happen upon my password while going through my files. Just wanting to make it a little trickier for them to obtain it (they'd have to be intentionally looking for it rather than just happen upon it if I can encrypt it somehow).

I'll take a look at your link.

Cheers,
Mike.

Erayd
24-08-2011, 04:57 PM
Aaah, I thought you were coming at this from a security perspective. If all you're wanting to do is stop casual snooping of the type you've mentioned above, then it'll do the job just fine.

I must say though, in your shoes I'd care more about the fact that my friends were digging through my files without permission :).
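For completeness, here is what the "store it encrypted, decrypt at run time, send it in the URL" approach Mike settled on looks like in PHP. This is an added example, not code from Mike or anyone else in the thread; it assumes PHP 7.1+ (for AES-256-GCM with an authentication tag via openssl_encrypt()), and the file names .remote_key and .remote_pw are hypothetical. As Erayd points out, the key has to sit on the same machine, so this only hides the password from a casual browse of the script, not from anyone who reads both files.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ for AES-256-GCM tag support.
// Key and ciphertext live in two separate files (hypothetical names) so the PHP
// source itself no longer contains the password; whoever can read both files can
// still recover it, so this is obfuscation rather than real protection.

const KEY_FILE    = __DIR__ . '/.remote_key';  // hypothetical path
const SECRET_FILE = __DIR__ . '/.remote_pw';   // hypothetical path
const CIPHER      = 'aes-256-gcm';
const TAG_LEN     = 16;

// Load the 32-byte key, creating it once (owner-readable only) if missing.
function loadKey(): string {
    if (!is_file(KEY_FILE)) {
        file_put_contents(KEY_FILE, random_bytes(32));
        chmod(KEY_FILE, 0600);
    }
    $key = file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('Key file missing or wrong length');
    }
    return $key;
}

// Encrypt the password; output is base64(iv || tag || ciphertext).
function sealPassword(string $plain, string $key): string {
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Reverse of sealPassword(); fails closed if the blob was edited or the key is wrong.
function openPassword(string $blob, string $key): string {
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('Stored blob is malformed');
    }
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, TAG_LEN);
    $ct    = substr($raw, $ivLen + TAG_LEN);
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed (tampered blob or wrong key)');
    }
    return $plain;
}

// Build the query string the remote site expects. http_build_query() percent-encodes
// characters such as '&', '=' and '+', so a password containing them does not break the URL.
function buildRequestUrl(string $user, string $password): string {
    return 'https://www.somewebsite.com/?' . http_build_query([
        'username' => $user,
        'password' => $password,
    ]);
}

// One-off setup: run once with the real password, then remove the plaintext copy.
// file_put_contents(SECRET_FILE, sealPassword('mypass', loadKey()));

// Hourly job:
// $password = openPassword(file_get_contents(SECRET_FILE), loadKey());
// $response = file_get_contents(buildRequestUrl('myname', $password));
```

Two practical notes. First, the decrypted password still travels in the query string exactly as the remote site requires, so it will appear wherever that side (or any proxy in between) logs request URLs; TLS protects it on the wire but not in those logs. Second, keep the key file and the ciphertext file outside the web root and out of any backups or version control that friends or relatives might browse, since having both together is equivalent to having the password.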