Web-Based User Authentication Advice

Posted on 2007-09-28
Last Modified: 2011-10-03
Hi There,

 My question is on password authentication for a web-based app. The app is PHP based, but I'm just really interested in people's thoughts on my methodology.

 I've implemented a web-based content management system that allows authors to log in to submit their articles. The system I use for user authentication is: The original password is SHA1() hashed and stored in the database. When a user logs in, the web app generates a random hex number, the so-called challenge value, and sends this to the browser. The password entered by the user on the client side is SHA1 hashed, and then MD5 hashed using the challenge value as the seed (all client-side JavaScript functions). This is then submitted as the login password. Server-side, the password hash stored in the database is retrieved and MD5 hashed with the challenge value that was sent, and the server-side and client-sent password hashes are compared. A match allows login.

 Now, so far, I've been happy with this system, and am satisfied that it is secure enough for our purposes. I'm interested to hear people's opinions on this system, and whether there are any obvious flaws in my scheme (I am no web-app security expert!).

 One problem I've been mulling over with this scheme is the ability to offer users the opportunity to change their passwords. My system relies on the server side having prior knowledge of the password hash to allow authentication. To allow a password change, it seems to me that the same method of authentication would be used; however, a new password, having only been SHA1 hashed, would need to be sent as well (to be stored in the DB). To me this seems insecure, as a snooper could sniff this value, and then use it in conjunction with a future challenge value to provide the correct password hash. Although pretty unlikely, it's still a potential hole. Is there a better system I could employ? Or is the ability to allow users a browser-based password change inherently insecure?

 I'm interested in what other people have done, for my own education, but also in the hope that I can make a more secure application. So any comments people have would be appreciated.

Regards
Rob Smith
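The challenge-response exchange described in the question, written out with both sides in Python as an added example (this is not code from the post or from the CMS it describes). It assumes the MD5 input is the challenge concatenated with the SHA1 hex digest, and adds a one-use check on issued challenges that the post does not mention; the last function checks the hole the question raises, namely that the stored SHA1 on its own answers a fresh challenge.

```python
import hashlib
import hmac
import secrets

# Constructed sample user record: SHA1 of the password, unsalted, as in the post.
USER_DB = {"rob": hashlib.sha1(b"correct horse").hexdigest()}
# Challenges the server has issued and not yet consumed (added: one use each).
ISSUED = set()


def new_challenge() -> str:
    """Server step 1: random hex challenge sent to the browser."""
    challenge = secrets.token_hex(16)
    ISSUED.add(challenge)
    return challenge


def client_response(password: str, challenge: str) -> str:
    """Browser side: SHA1 the typed password, then MD5 it together with the
    challenge (assumed order: challenge followed by the SHA1 hex digest)."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    return hashlib.md5((challenge + pw_hash).encode()).hexdigest()


def server_verify(username: str, challenge: str, response: str) -> bool:
    """Server step 2: recompute from the stored SHA1 and compare in constant time.
    A challenge the server did not issue, or already consumed, is rejected."""
    if challenge not in ISSUED:
        return False
    ISSUED.discard(challenge)
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = hashlib.md5((challenge + stored).encode()).hexdigest()
    return hmac.compare_digest(expected, response)


def login(username: str, password: str) -> bool:
    """One full exchange: challenge out, response back, server check."""
    challenge = new_challenge()
    return server_verify(username, challenge, client_response(password, challenge))


def stored_hash_is_password_equivalent(username: str) -> bool:
    """The hole the question raises: the stored SHA1 alone (leaked from the DB
    or sniffed during a password change) answers any fresh challenge, so it
    must be protected exactly like the password itself."""
    challenge = new_challenge()
    forged = hashlib.md5((challenge + USER_DB[username]).encode()).hexdigest()
    return server_verify(username, challenge, forged)
```

Because the server only ever needs the SHA1, not the password, the scheme protects the password in transit but makes the stored hash a password-equivalent secret.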

Question by:salukibob
1 Comment

Accepted Solution

by:
orbic1 earned 375 total points
ID: 20091842
It sounds good! Changing passwords needn't be so complex, though. 3 scenarios:

1. User knows password, wants to change - user can log in, has prior knowledge and can simply enter a new password
2. User lost password, wants to change - places a request with an admin user who changes it for them
3. User is an idiot, admin wants to change password - admin changes password

As long as you have a facility where there is an admin override, you should be fine, especially if this is done from the terminal. Of course, you need to be sending all data encrypted via SSL. You might try obfuscating the value too. You could also reset the password to a standard hash based upon details of the user already entered and report the new password back to them, rather than having them enter a new one. We do this with new, auto-generated PIN numbers on one of our systems.


Oh - FYI - we often use double md5; i.e. md5(md5($password))