MemHT Portal is a Free PHP CMS and Blog
It permits the creation and online management of websites in a few easy steps.
It's completely customizable, expandable and suitable for all needs.
Salt Passwords
hushar
Junior Member
Posts: 12
Date: 25/03/2008 08:46
Salt Passwords
#post5197
In the past few days lots of websites have been “hacked” here in my country. Lots of databases have leaked out on the net and a lot of user accounts have been compromised.

It doesn’t matter how strong security you have, a dark-minded “hacker” with the proper skills and motivation will be able to break into your system sooner or later.

So, I suggest that mem use more secure protection to enhance the security of this beautiful CMS.

Each user has a unique salt, and the only thing stored in the DB is the password_hash!

code

// Per-user salt from signup date and login; only $password_hash is stored in the DB
$salt = sha1("--".$row['signup_date']."--".$row['login']."--");
$password_hash = sha1("--".$salt."--".$password."--");


And then when they login:
code

$login = mysql_real_escape_string($_POST['login']);
$sql = "SELECT signup_date, password, login FROM users WHERE login = '".$login."' LIMIT 1";

$result = mysql_query($sql);
$row = mysql_fetch_row($result);

// mysql_fetch_row() is 0-indexed: [0] = signup_date, [1] = password, [2] = login
$salt = sha1("--".$row[0]."--".$row[2]."--");
$password = sha1("--".$salt."--".$_POST['password']."--");

// Strict comparison so PHP never compares the hex digests as numbers
if ($row && $password === $row[1]) {
    $_SESSION['logged_in'] = "yes";
}


This prevents the passwords from being cracked by so-called rainbow tables. And it also gives a damn strong password hash.

So please implement it if it isn't there in this CMS.

Thank you,

PS: if it is already implemented then, pardon me, this is just a suggestion.

:)
Edited: 25/03/2008 08:46
Reason: Smiles OFF
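
The scheme from the post above, written as functions and run next to PHP's built-in password_hash()/password_verify() for comparison. This is an added example, not part of the original post and not MemHT code; the function names and the two user rows are constructed, and it assumes PHP 5.6 or later.

```php
<?php
// Added example, not MemHT code. Function names and sample rows are constructed.
// Requires PHP 5.6+ (password_hash, hash_equals).

// The post's scheme: the salt is derived from signup_date and login.
function post_scheme_hash($signupDate, $login, $password) {
    $salt = sha1("--" . $signupDate . "--" . $login . "--");
    return sha1("--" . $salt . "--" . $password . "--");
}

function post_scheme_verify(array $row, $password) {
    $candidate = post_scheme_hash($row['signup_date'], $row['login'], $password);
    // Constant-time comparison; unlike ==, never treats "0e..." digests as numbers.
    return hash_equals($row['password'], $candidate);
}

// Constructed rows: two users who picked the same password.
$users = array();
$signups = array('alice' => '2008-03-01 10:00:00', 'bob' => '2008-03-02 11:30:00');
foreach ($signups as $login => $signupDate) {
    $users[$login] = array(
        'login'       => $login,
        'signup_date' => $signupDate,
        'password'    => post_scheme_hash($signupDate, $login, 'letmein'),
        // Built-in API: random per-user salt and a deliberately slow hash.
        'modern'      => password_hash('letmein', PASSWORD_DEFAULT),
    );
}

// 1. Per-user salts: identical passwords no longer share a stored hash.
echo "hashes differ: ";
var_dump($users['alice']['password'] !== $users['bob']['password']);

// 2. Correct and wrong passwords under the post's scheme.
echo "correct password: ";
var_dump(post_scheme_verify($users['alice'], 'letmein'));
echo "wrong password: ";
var_dump(post_scheme_verify($users['alice'], 'letmein2'));

// 3. Edge case: the salt depends on login, so renaming the account
//    invalidates the stored hash until the user sets the password again.
$renamed = $users['alice'];
$renamed['login'] = 'alice_new';
echo "after rename: ";
var_dump(post_scheme_verify($renamed, 'letmein'));

// 4. password_verify() reads the salt from the stored string itself,
//    so it does not depend on any other column.
echo "password_verify: ";
var_dump(password_verify('letmein', $users['alice']['modern']));
```

Both approaches give each user a different stored value for the same password; the built-in API also makes every guess expensive, which a single SHA-1 round does not.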
mem
MemHT's Dad
Developer

Posts: 3209
Contributes: 366

Date: 25/03/2008 11:10
Re: Salt Passwords
#post5204
Hi

Probably those sites used to store their passwords without hashing them, but MemHT doesn't make that error :)
MemHT Portal is a free software released under the GNU/GPL License by Miltenovik Manojlo