Securing Login Credentials - SALT Tutorial

Learn how to create secure logins by properly hashing passwords and using SALT.
Storing A User’s Password
The standard way of granting access to a site is a user's password associated with a username or email address.
BAD PRACTICE !!!!
www.prodigyview.com
Storing Passwords in Plain Text
On the previous slide, the password was stored in plain text. THIS IS VERY BAD PRACTICE!
1. If the database is hacked or stolen, every user's account is at risk.
2. The users' information is also exposed to members of the internal organization.
MD5 Hashing
One answer to solving the problem is MD5 hashing. Before the password is actually inserted in the database, hash it with md5().
Problem with MD5 Hash
MD5 hashing is great, except for one small problem. There is a dictionary list of md5 hashes. Just Google the hashed code and see for yourself.
Dictionary List and Attacks
A dictionary list is a library of hashed values and their corresponding unhashed strings.
In other words, it’s a way of decoding md5 hashed passwords.
A dictionary list can be built using other hashing algorithms such as sha1().
How do we get around this?
SALT!
Salt is a string of text added to the password before it is hashed. This can prevent a basic dictionary list from being formed.
Google the SALTed Hash
A Google search for the salted hash gives these results. This is what we want.
A Small Problem with SALT
We are about to make things a little more complex. SALT is great because it is HARD to make a dictionary list, but NOT IMPOSSIBLE.
The way around this problem is to find some way of making a unique SALT for each user. Our next slide is one of many ways of making a unique SALT for extra security.
Use Two IDs
A user logs in with their email and password. For our salt to work, let's add a third login field: give each user their own unique PIN number that is required to log in. The PIN number will be the SALT.
PHP Crypt
PHP has a function designed for securing a user's password. It uses the standard Unix DES algorithm by default but can be configured to use others. The function also supports SALT.
http://php.net/manual/en/function.crypt.php
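The per-user SALT idea from the previous slides carried through crypt(), as an added example that is not the tutorial's own code: instead of a PIN typed by the user, the salt is generated randomly at registration and stored inside the hash string, so a precomputed dictionary of hashes is useless and the user has nothing extra to remember. It assumes PHP 7.0 or later built with the bcrypt ("$2y$") backend that crypt() supports alongside the DES default.

```php
<?php
// Added example (not from the original slides): per-user random salt with PHP's crypt().
// Assumes PHP >= 7.0 (random_bytes) with crypt()'s bcrypt ("$2y$") backend available.

// Build a bcrypt salt string: "$2y$" + two-digit cost + "$" + 22 chars from [./0-9A-Za-z].
function makeBcryptSalt(int $cost = 12): string {
    // 16 random bytes -> base64 (24 chars, last two are padding) -> crypt()'s alphabet.
    $raw = base64_encode(random_bytes(16));
    $salt = substr(strtr($raw, '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Hash at registration. The returned string embeds algorithm, cost and salt,
// so only this one value is stored; no separate PIN or salt column is needed.
function hashPassword(string $password): string {
    $hash = crypt($password, makeBcryptSalt());
    // crypt() signals an unsupported salt format with a short "*0" / "*1" string.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed: bcrypt backend not available');
    }
    return $hash;
}

// Verify at login: pass the stored hash as the salt argument (crypt() reads the
// algorithm, cost and salt back out of it) and compare in constant time.
function verifyPassword(string $password, string $storedHash): bool {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Self-check with a constructed password.
$stored = hashPassword('correct horse battery staple');
echo 'stored value: ', $stored, PHP_EOL;

if (!verifyPassword('correct horse battery staple', $stored)) {
    throw new RuntimeException('correct password was rejected');
}
if (verifyPassword('wrong password', $stored)) {
    throw new RuntimeException('wrong password was accepted');
}
// Two users with the same password get different hashes: the salt differs each time,
// which is exactly what defeats a shared dictionary list of hashes.
if (hashPassword('same') === hashPassword('same')) {
    throw new RuntimeException('salt was not unique per hash');
}
echo 'all checks passed', PHP_EOL;
```

The same register-then-verify flow works with any salt format crypt() accepts; bcrypt is used here because it is deliberately slow, which DES and MD5 are not.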
More Tutorials
For more tutorials, please visit:
http://www.prodigyview.com/tutorials