
Web-Based User Authentication Advice

salukibob asked
Last Modified: 2011-10-03
Hi There,

My question is on password authentication for a web-based app. The app is PHP based, but I'm just really interested in people's thoughts on my methodology.

I've implemented a web-based content management system that allows authors to log in to submit their articles. The system I use for user authentication is: The original password is SHA1() hashed and stored in the database. When a user logs in, the web-app generates a hex number (random), a so-called challenge value, and sends this to the browser. The client-side user-entered password is SHA1 hashed, and then MD5 hashed using the challenge value as the seed (all client-side JavaScript functions). This is then submitted as the login password. Server-side, the database-stored password hash is retrieved and MD5 hashed with the challenge value sent, and the server-side and client-sent password hashes are compared. A match allows login.

Now, so far, I've been happy with this system, and am satisfied that it is secure enough for our purposes. I'm interested to hear people's opinions on this system, and whether there are any obvious flaws in my scheme (I am no web-app security expert!).

One problem I've been mulling over with this scheme is the ability to offer users the opportunity to change their passwords. My system relies on the server-side having prior knowledge of the password hash to allow authentication. To allow a password change, it seems to me that the same method of authentication would be used; however, a new password, having only been SHA1 hashed, would need to be sent as well (to be stored in the DB). To me this seems insecure, as a snooper could sniff this value, and then use it in conjunction with a future challenge value to provide the correct password hash. Although pretty unlikely, it's still a potential hole. Is there a better system I could employ? Or is the ability to allow users a browser-based password change inherently insecure?

I'm interested in what other people have done, for my own education, but also in the hope that I can make a more secure application. So any comments people have would be appreciated.

Regards
Rob Smith
