Welcome to the OzoneAsylum FaqWiki

How do I encrypt my login passwords on my website?

The first question we must ask is: why the hell would I want to encrypt my password in the first place? Well, one reason might be if you work on a non-switched network, such as a network run off of a hub or a wireless network. Programs called packet sniffers, such as Ethereal and Kismet, can be used to read (sniff) the packets your browser (client) sends to the server. When I first found out about Ethereal I remember the horror of finding out that the password I had been sending to Ozone's Asylum was sent unencrypted! And it was so obvious. Not that it's that big a deal on a message board, but I thought about how many other logins I have on the Internet, and began to wonder if the password was being sent as plain text or not.


Well first you need a client side encryption algorithm. Where do I get one of those?

Click here for one written in Javascript.

Add this to your code like so. Here's a very simple example of the client side of a login.

As you read through the code, be sure to pay close attention to the comments.

code:
<html>
<head>
<title>User Login</title>

<!-- Include the Encryption Script -->
<!-- Special thanks to http://pajhome.org.uk/crypt/md5/ -->
<!-- for the SHA-1 Encryption Script -->
<script type="text/javascript" src="./jslib/md4.js"></script>
<script type="text/javascript" src="./jslib/md5.js"></script>
<script type="text/javascript" src="./jslib/sha1.js"></script>

<script type="text/javascript">
<!--
// This function is called when sending the
// data to the server. The function first
// encrypts the password, places the result back
// in the password field, and then lets the form
// send the data to the server.
function sendData()
{
    var FORM = document.myform;

    // Encrypt the data from the password field
    // and place it back on to the password
    // field.
    // If you'll notice when the form is sent,
    // the password field gets quite a bit longer,
    // this is because it is encrypted.
    FORM.passwd.value = hex_sha1(FORM.passwd.value);

    // In this example we use hex_sha1 to encrypt it but
    // other algorithms can be used provided that the same
    // one is used to encrypt it on the server side.
    // I.E. we never decrypt the password.
    return true;
}
// -->
</script>
</head>
<body>
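<!-- method="post" keeps the password value out of the URL, the browser history and the server's access log -->
<form method="post" name="myform" action="./cgi-bin/login.pl" onSubmit="return sendData();">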
<table border="0">
<tr>
<th colspan="2" align="right"><h4>User Login</h4></th>
</tr>
<tr>
<td align="right"><h5>Username:</h5></td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td align="right"><h5>Password:</h5></td>
<td>
<input type="password" name="passwd"/>
</td>
</tr>
<tr>
<td colspan="2" align="right">
<h5>
<a href="./lost_passwd.html">Lost Password</a>
</h5>
</td>
</tr>
<tr>
<td colspan="2" align="right">
<h5>
<a href="cgi-bin/new_user.pl">New User</a>
</h5>
</td>
</tr>
<tr>
<td colspan="2" align="right">
<input type="reset" name="reset" value="Reset Form"/>
<input type="submit" value="Login"/>
</td>
</tr>
</table>
</form>
</body>
</html>




Now on the server side, our password, which is stored in a database, must be retrieved from it and associated with the username. In the database the password can be encrypted or unencrypted.

If the password is to be encrypted in the database, it must first be stored as encrypted. Then we simply retrieve the password from the database and compare it to the encrypted password sent by the client. If the two match then the user is allowed entry. This method is more efficient, since less encrypting is done on the server side and more of it is done on the client side.

If the password is not encrypted in the database, then we retrieve the password from the database, encrypt it, and then compare it with the encrypted password the user sent us. If the two match then the user is allowed entry. This method is less efficient, since the password must be re-encrypted by the server every time a user logs in. The upside to this is the fact that if the user loses his/her password, it can be sent to their email in plain text for retrieval by the user. But it is also less secure.

What has to be made sure of is that the same algorithm is used on both the server side and the client side. In the client side of the example we used the SHA1 algorithm, which produces a 160-bit hash, by calling the function hex_sha1(stuff_to_encrypt). On the server side you have to find an implementation of the same algorithm for the particular server-side language you are using.
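
The comparison described above, written out for both sides as an added example (not code from the original page), with Node.js and its built-in crypto module as the assumed server-side language. It goes beyond the page's scheme: hex_sha1(password) is the same on every login, so the value the server accepts never changes, and the block also shows a variant in which the server issues a one-time nonce and the client sends an HMAC over it (the nonce scheme and all function names are assumptions).

```javascript
// Added example (Node.js), not code from the original page.
const crypto = require('crypto');

// What the page's sendData() puts on the wire: hex SHA-1 of the password.
function clientHash(password) {
  return crypto.createHash('sha1').update(password, 'utf8').digest('hex');
}

// Constant-time comparison of two hex strings; never a regex or pattern match.
function sameHex(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length > 0 && x.length === y.length && crypto.timingSafeEqual(x, y);
}

// The page's server-side check when the database stores the hash.
function staticLogin(storedHash, sentHash) {
  return sameHex(storedHash, sentHash);
}

// Nonce-bound variant (assumption, not on the page): the server issues a
// fresh random nonce with each login form and accepts it only once.
const issued = new Set();
function newNonce() {
  const nonce = crypto.randomBytes(16).toString('hex');
  issued.add(nonce);
  return nonce;
}

// Client: HMAC-SHA1 over the nonce, keyed with the password hash.
function clientResponse(password, nonce) {
  return crypto.createHmac('sha1', clientHash(password)).update(nonce).digest('hex');
}

// Server: recompute from the stored hash; a nonce is consumed on first use.
function nonceLogin(storedHash, nonce, response) {
  if (!issued.delete(nonce)) return false; // unknown or already used
  const expected = crypto.createHmac('sha1', storedHash).update(nonce).digest('hex');
  return sameHex(expected, response);
}

// Constructed sample data: one user whose hash is stored in the database.
const stored = clientHash('correct horse');
const wire = clientHash('correct horse');
console.log(staticLogin(stored, wire), staticLogin(stored, wire)); // same value accepted every time
const n1 = newNonce();
const r1 = clientResponse('correct horse', n1);
console.log(nonceLogin(stored, n1, r1), nonceLogin(stored, n1, r1), nonceLogin(stored, newNonce(), r1));
```

In both variants the stored hash is what proves identity, so the database column needs the same protection a plain-text password would.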

For our example we will use Perl. Perl comes with a library called Digest in which several algorithms are stored for encryption of passwords.

Here is some sample code showing how this would be done in Perl.
The line use Digest::SHA1 qw( sha1_hex ); includes the library needed to encrypt the plain-text password stored in the database on the server side with the same algorithm as the client-side password. The code is modeled after the case in which the password is not stored as encrypted, but rather stored as plain text and re-encrypted at every login.

Read through the comments as we go through the code; this will explain volumes...

code:
#!/usr/bin/perl -wT
BEGIN{
use lib ('/home/leeand00/cgi-bin');
}
use mysql_connect;
use redirect;
use cookies;
use strict;
use CGI qw(:standard);
use DBI;
use Digest::SHA1 qw( sha1_hex );

# Don't forget to add cookies for the login...

# Pages to redirect to when login fails,
# is successful, or an error in program
# occurs.
my $successful_login_page = "./success.pl";
my $failure_login_page = "../fail.html";
my $error_login_page = "../error.html";

# Get username and password from the form
my $username = param('username');
my $passwd = param('passwd');

# Get a connection from the database
# There is the possibility of the program dying from here
# (This is not the regular way of connecting to a database, but
# the rest of that is stored in a library and not really relevant
# to this tutorial)
my $dbh = &mysql_connect::getDBConnection();

# Check to see if this user is allowed to connect to the database
# based on his/her username and password.
#
# If isValidUserPasswd returns 1 allow the user to enter the site
# otherwise if it returns 0 then the user is denied access to the
# site.
my $allowLogin = &isValidUserPasswd($username, $passwd);


if($allowLogin == 1)
{
&cookies::setCookie('username', $username, '30m');
print header;
print start_html('Logging you in');
&redirect::redirectTo($successful_login_page);
print end_html;
}
elsif($allowLogin == 0)
{
print header;
print start_html('Failure to login');
&redirect::redirectTo($failure_login_page);
print end_html;
}
else
{
print header;
print start_html('Error');
&redirect::redirectTo($error_login_page);
print end_html;
}


# Disconnect from the database
$dbh->disconnect;


sub isValidUserPasswd
{
    # The username submitted by the user's browser
    my $web_username = $_[0];

    # The password submitted by the user's browser
    my $web_passwd = $_[1];

    # The select statement to test the username and password against the database.
    # The ? placeholder keeps the username out of the SQL text, so the
    # database receives it as data and not as part of the statement.
    my $select_statement = "SELECT passwd FROM user WHERE username = ?";

    # Make sure the username and password are not blank,
    # if they are return bad password or 0.
    # (Without this statement the system allows
    # logging in without a username and password,
    # just like windows 98!)
    if(!$web_username || !$web_passwd)
    {
        return 0;
    }

    # The cursor for the select statement
    my $sth;

    # The actual password as stored in the database
    my $database_passwd;

    # The array (although we don't really need it) to store the results of the query in.
    my @row;

    # Query the database to see if the user exists
    $sth = $dbh->prepare($select_statement);

    # Execute the statement, binding the username to the placeholder
    $sth->execute($web_username);

    # Fetch the row back from the SELECT statement
    # (if there is one)
    while(@row = $sth->fetchrow_array())
    {
        $database_passwd = $row[0];
    }

    # End the Query before the function exits.
    $sth->finish();

    # No row came back, so there is no such user: deny the login.
    if(!defined $database_passwd)
    {
        return 0;
    }

    # Encrypt the password from the database
    # so that it matches the one from the login
    # form.
    # (Passwords stored in the database are
    # stored in the database as plain text)
    $database_passwd = sha1_hex($database_passwd);

    # Compare the database password and that of the password
    # submitted by the user. Use eq for an exact string comparison:
    # the submitted value comes from the browser, so it must not be
    # used as a regular expression, where it would be matched as a
    # pattern instead of compared.
    if($database_passwd eq $web_passwd)
    {
        return 1;
    }
    else
    {
        return 0;
    }
}





(Added by: Maskkkk on Tue 16-Sep-2003)
