Web-Based User Authentication Advice

Posted on 2007-09-28
Last Modified: 2011-10-03
Hi There,

My question is on password authentication for a web-based app. The app is PHP based, but I'm just really interested in people's thoughts on my methodology.

I've implemented a web-based content management system that allows authors to log in to submit their articles. The system I use for user authentication is: the original password is SHA1() hashed and stored in the database. When a user logs in, the web-app generates a random hex number, the so-called challenge value, and sends this to the browser. The client-side user-entered password is SHA1 hashed, and then MD5 hashed using the challenge value as the seed (all client-side JavaScript functions). This is then submitted as the login password. Server-side, the database-stored password hash is retrieved and MD5 hashed with the challenge value sent, and the server-side and client-sent password hashes are compared. A match allows login.

Now, so far, I've been happy with this system, and am satisfied that it is secure enough for our purposes. I'm interested to hear people's opinions on this system, and whether there are any obvious flaws in my scheme (I am no web-app security expert!).

One problem I've been mulling over with this scheme is the ability to offer users the opportunity to change their passwords. My system relies on the server side having prior knowledge of the password hash to allow authentication. To allow a password change, it seems to me that the same method of authentication would be used; however, a new password, having only been SHA1 hashed, would need to be sent as well (to be stored in the DB). To me this seems insecure, as a snooper could sniff this value and then use it in conjunction with a future challenge value to provide the correct password hash. Although pretty unlikely, it's still a potential hole. Is there a better system I could employ? Or is the ability to allow users a browser-based password change inherently insecure?

I'm interested in what other people have done, for my own education, but also in the hope that I can make a more secure application. So any comments people have would be appreciated.

Rob Smith

Question by:salukibob
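The challenge-response flow described in the question, written out as an added example (Python here rather than the PHP and browser JavaScript of the original, and not the questioner's code). It assumes the MD5 step is MD5(challenge + SHA1hex(password)), since the question does not give the exact concatenation order, and it adds single-use challenges, which the question does not mention; the `expected_response` function shows why the stored hash is password-equivalent, which is the heart of the password-change concern above.

```python
import hashlib
import secrets

# Assumed construction for "MD5 hashed using the challenge value as the seed":
# MD5(challenge + SHA1hex(password)). Other orderings work the same way.

def password_verifier(password: str) -> str:
    """What the server stores: the hex SHA1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def client_response(password: str, challenge: str) -> str:
    """Browser side: SHA1 the typed password, then MD5 it with the challenge."""
    pw_hash = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hashlib.md5((challenge + pw_hash).encode("utf-8")).hexdigest()

def expected_response(stored_hash: str, challenge: str) -> str:
    """Server side: the same MD5 step over the stored SHA1 hash.
    Nothing here needs the password itself, so the stored hash alone answers
    any challenge: it is a password-equivalent secret and must be protected
    (and transmitted) as carefully as the password, including on a change."""
    return hashlib.md5((challenge + stored_hash).encode("utf-8")).hexdigest()

class ChallengeServer:
    """Minimal server state: user -> stored hash, plus outstanding challenges.
    Each challenge is consumed on first use so a captured response cannot be
    replayed against the same challenge."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}
        self.pending: dict[str, str] = {}  # challenge -> username

    def register(self, user: str, password: str) -> None:
        self.users[user] = password_verifier(password)

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)  # 128 random bits per login attempt
        self.pending[challenge] = user
        return challenge

    def login(self, user: str, challenge: str, response: str) -> bool:
        # Reject unknown, already-consumed, or mis-attributed challenges.
        if self.pending.pop(challenge, None) != user:
            return False
        stored = self.users.get(user)
        if stored is None:
            return False
        # Constant-time comparison of the two hex digests.
        return secrets.compare_digest(expected_response(stored, challenge), response)
```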
Accepted Solution

It sounds good! Changing passwords needn't be so complex, though. 3 scenarios:

1. User knows password, wants to change - user can log in, has prior knowledge and can simply enter new password
2. User lost password, wants to change - places request to admin user who changes for them
3. User is idiot, admin wants to change password - admin changes password

As long as you have a facility where there is an admin override, you should be fine, especially if this is done from the terminal. Of course, you need to be sending all data encrypted via SSL. You might try obfuscating the value too. You could also reset the password to a standard hash based upon details of the user already entered and report the new password back to them, rather than having them enter a new one. We do this with new, auto-generated PIN numbers on one of our systems.

Oh - FYI - we often use double md5; i.e. md5(md5($password))
