Storing weak passwords stronger

PostPosted: Wed Aug 24, 2005 12:18 am Post subject: Reply with quote
We store our passwords in an md5 style password hash that the PHP crypt function provides. It takes a 13 character salt.

My friend and co-worker brought up a good discussion with me. The discussion was what if the database was to be compromised. Could the passwords be cracked? The answer: yes, a dictionary/brute force cracker, like John the Ripper, could be used to crack as many passwords as possible. In a database with over 1 million passwords, a percentage of them are crackable, probably a large percent.

So, the idea of using a different algorithm to store passwords came up. What if we used:

Read more

Using Curl 101

To use Curl in PHP, you must have the Curl extension compiled in –with-curl, and you’ll want –with-openssl, if you need to be able to hit https pages.

Once you get PHP working with Curl (I could explain how to do that, but for this article, I am focusing on how to use it).

The code below is for PHP5, but I’m sure you could modify it to work with PHP4, just have to change the syntax a bit.

Read more

PHP Sessions using MySQL

MySQL sessions are “gotta have it” thing if your site ever grows beyond single server. If you have multiple servers behind a load balancer, you could keep session data on a shared SAN, but MySQL makes for a better session store.

Create a file called MySession.php and put this code in it, replace the definitions to match your database. Also, it requires the PEAR DB.php module, make sure you have pear DB installed: pear install DB.

Read more

Bookmark a page that auto-posts your login

The idea is this: I am tired of logging into the same site over and over again. This is a simple GET to POST converter. The page helps you create a URL that you can bookmark. When you use this link, your data to POST is sent to your server in the form of GET. Your webserver then translates the GET parameters into a form and POSTS to the server you’re trying to login to. So, the sensative data is kept on your computer in the bookmark (the URL). Since you don’t want anybody to be able to just read your username and password, this script will encrypt the data in the URL so your bookmark contains nothing but encrypted data.

Read more

PHP5 Autoload classes

This is really handy for medium to large size projects. You don’t have to remember to put a set of require_once functions in every file.  I usually put this in a config file that’s loaded early and on every page.

function __autoload($class_name) {
   require_once $class_name . ‘.php';

$obj  = new MyClass1();
$obj2 = new MyClass2();

See for more information.

Read more