Improving the security of user password storage and verification

Source: Internet
Author: goseaside
Copyright: CC BY-NC-ND 2.0 (http://creativecommons.org/licenses/by-nc-nd/2.0/deed.zh_TW)

In what follows, $username and $password denote the user name and password, and $sitekey denotes a site-specific secret (scrambling code).


Password setting

The set-password form carries the fields username, passwd and t_code0. When it is submitted, JavaScript processes it in the browser before the request leaves:

t_code0.value = md5(username.value + '|' + passwd.value);
passwd.value = '';

On the server, if the submitted passwd is non-empty or t_code0 is empty, the password setting fails;

Otherwise the t_code0 value is stored in the save_pwd column of the database.


Password verification

1. Requesting the login page
The server generates a random code $sid, stores it in $_SESSION['sid'] and sends the same value to the user in the login form;

The login form carries the fields sid (the value received from the server), username, passwd and t_code.

2. The user enters the user name and password; on submit, JavaScript processes the form in the browser:

var t = md5(username.value + '|' + passwd.value);
t_code.value = md5(sid + '|' + t);
passwd.value = '';

3. Server-side checks
If username is empty, passwd is non-empty, or t_code is empty, return to the login page;
If $_SESSION['sid'] does not exist, return to the login page;

[Php]
$sid0 = $_SESSION['sid'];
[/Php]

Look up save_pwd in the database by user name, then compute the expected response:

[Php]
$pwd_right = md5($sid0 . '|' . $save_pwd);
[/Php]

If $pwd_right and $t_code differ, the login fails (compare them with hash_equals() rather than == so that the comparison takes constant time);

Clear the sid, whether or not the login succeeded, so that each challenge can be used only once:

[Php]
$_SESSION['sid'] = '';
[/Php]

If the login failed, return to the login page.

Strengths
1. The server never stores the plaintext password, so it cannot leak from the database, backups or logs;
2. The stored value is not the password itself, and because the user name is mixed into the hash, two users with the same password get different stored values;
3. The password is never transmitted in plaintext, and every login sends a one-time response bound to the session's $sid, so a captured t_code cannot be replayed;
4. Nobody at the site can harvest plaintext passwords and use them to build dictionaries for attacks elsewhere;
5. The stored value is produced by a one-way hash and cannot be reversed to recover the original password.

Two limitations should be kept in mind: save_pwd alone is enough to answer the challenge, so anyone who reads the database can log in to this site without knowing the password; and MD5 is fast and salted only with the user name, so a leaked save_pwd can still be attacked offline with a dictionary.

This method has been in use since 2002, with good results.

Traditional plaintext password storage
1. Website administrators or programmers can collect users' passwords at any time and use them later in dictionary attacks;
2. When the database is compromised, the attacker obtains a large number of passwords at once;
3. Those passwords are paired with user names and can be used in targeted attacks.
Think about how many people reuse the same password on different sites.

Be wary of any website that stores passwords in plaintext.

How to tell whether a website stores passwords in plaintext
