Hi,

I use a login screen in my PHP page without HTTPS, HTTP only.
I use SHA1 for password encryption. What do you suggest I do for best security practice when I check the username and password against the database during the login process?

Thanks

Personally, I check the username and password, then record the IP, session ID and any cookie ID issued in my DB.

I then check the IP, session ID and cookie ID on every secured page access to ensure the session hasn't been hijacked or fabricated (as I am on a shared server).

R.
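The check described in the post above (IP, PHP session ID and an issued cookie ID recorded at login and re-verified on every secured page), written out as an added example. This is not the poster's code: the login_sessions table, its columns, the SHA-256 hashing of the cookie token and the sample values are all this example's own assumptions. It needs PHP 7.1+ with the PDO SQLite driver, and uses an in-memory database so it runs offline.

```php
<?php
// Added example: bind a logged-in session to the client's IP, the PHP session id
// and a random cookie token, store the binding in the DB and re-check it on
// every secured page. Table/column names are this example's assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_sessions (
    session_id  TEXT PRIMARY KEY,
    user_id     INTEGER NOT NULL,
    ip          TEXT NOT NULL,
    cookie_hash TEXT NOT NULL,
    created_at  INTEGER NOT NULL
)');

// Called once, right after the username/password check succeeds.
// Returns the raw cookie token that must be sent to the browser (e.g. via setcookie()).
function bind_session(PDO $db, int $userId, string $sessionId, string $ip): string
{
    $cookieToken = bin2hex(random_bytes(32));   // 256-bit random token, 64 hex chars
    $stmt = $db->prepare('INSERT INTO login_sessions (session_id, user_id, ip, cookie_hash, created_at)
                          VALUES (?, ?, ?, ?, ?)');
    // Only a hash of the token is stored, so a leaked table does not yield usable cookies
    $stmt->execute([$sessionId, $userId, $ip, hash('sha256', $cookieToken), time()]);
    return $cookieToken;
}

// Called at the top of every secured page. Returns the user id, or null if any of
// the three identifiers does not match what was recorded at login.
function verify_session(PDO $db, string $sessionId, string $ip, ?string $cookieToken): ?int
{
    if ($cookieToken === null) {
        return null;                            // cookie not presented at all
    }
    $stmt = $db->prepare('SELECT user_id, ip, cookie_hash FROM login_sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                            // session id was never issued (fabricated)
    }
    if ($row['ip'] !== $ip) {
        return null;                            // session id reused from another address
    }
    // hash_equals() compares in constant time, so response timing does not leak the stored hash
    if (!hash_equals($row['cookie_hash'], hash('sha256', $cookieToken))) {
        return null;                            // wrong cookie token
    }
    return (int) $row['user_id'];
}

// Demo with constructed values standing in for session_id(), $_SERVER['REMOTE_ADDR'] and $_COOKIE.
$sid   = 'abc123sessionid';
$token = bind_session($db, 42, $sid, '203.0.113.5');

var_dump(verify_session($db, $sid, '203.0.113.5', $token));       // all three identifiers match
var_dump(verify_session($db, $sid, '198.51.100.9', $token));      // same session id from another IP
var_dump(verify_session($db, $sid, '203.0.113.5', 'deadbeef'));   // wrong cookie token
var_dump(verify_session($db, 'forged', '203.0.113.5', $token));   // session id never issued
```

In a real page you would call session_regenerate_id(true) before bind_session() so the binding is made to a fresh session ID rather than one the browser carried in before authentication, and send the returned token with setcookie() using the HttpOnly flag. Note the caveat the thread does not mention: binding to the IP will log out users whose address changes mid-session (mobile networks, some proxies), so some sites bind only the session ID and cookie token.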

SHA1 encryption. Personally I like to take a more secure approach. Below are two hash functions which are way more secure:

function truehash($hashzzz) {
    // Whirlpool digest (128 hex chars) folded down to an 8-hex-char (32-bit) crc32b value
    return hash('crc32b', hash('whirlpool', $hashzzz));
}

/* below hash function is more
   secure but takes more cpu.      */
function securehash($hashzzz) {
    // The fixed strings 'asdf' and 'a' are prepended/appended before hashing;
    // substr(..., 64) keeps the second half of the 128-char whirlpool hex digest
    return hash('crc32b', substr(hash('whirlpool', 'asdf' . $hashzzz . 'a'), 64));
}

So try one of those two hash functions, or something out of the ordinary. Also, for site security, it is best if you don't place the password/hash inside a session.

Also, when designing a login system, you will probably want a flood filter. That means that a computer can only have so many attempts to log in, then it will be blocked for an hour. And when designing that system, instead of using cookies or sessions, use databases and IP addresses. I have also heard that passwords are getting old, so maybe have visual validation too. Example: a picture of an apple, and the user needs to select "apple" from the menu.

That is all I can think of right now, but I would like to see people's comments on this.
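The original question asks how to check the username and password from the database; here is that step as an added example using PHP's built-in password_hash()/password_verify() (bcrypt by default, available since PHP 5.5). It is not code from this thread and does not use the SHA1 from the question or the functions posted above. The users table, its columns, the dummy-hash timing trick and the sample credentials are this example's own assumptions; it needs PHP 7.1+ with the PDO SQLite driver and runs against an in-memory database.

```php
<?php
// Added example (not the thread's code): storing passwords with password_hash()
// and checking a login with password_verify(). The users table layout and the
// constructed credentials are assumptions made for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    username      TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

// Registration / password change: store only the salted, slow hash, never the password.
function create_user(PDO $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt; algorithm, cost and a random salt are encoded in the result,
    // so two users with the same password get different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login check: returns the user id on success, null on any failure.
function check_login(PDO $db, string $username, string $password): ?int
{
    // Prepared statement: the username is bound, not concatenated into the SQL
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend one bcrypt verification against a constructed dummy
        // hash so the response time does not reveal which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }

    // If the stored hash was made with an older algorithm or lower cost, upgrade it now,
    // while the plaintext is still in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Demo with constructed credentials.
create_user($db, 'alice', 'correct horse battery staple');
var_dump(check_login($db, 'alice', 'correct horse battery staple'));  // right password
var_dump(check_login($db, 'alice', 'wrong password'));                // wrong password
var_dump(check_login($db, 'nobody', 'anything'));                     // unknown username
```

The design point the thread does not spell out: the strength of a stored password hash comes from being slow and salted, not from being unusual. bcrypt via password_hash() gives both, and password_needs_rehash() lets you raise the cost later without a migration. Over plain HTTP the password still travels in the clear, so none of this protects it on the wire; only HTTPS does.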

Also, when designing a login system, you will probably want a flood filter. That means that a computer can only have so many attempts to log in, then it will be blocked for an hour. And when designing that system, instead of using cookies or sessions, use databases and IP addresses.

I like the idea of limiting the number of attempts made in an hour. In fact, I'll add that to my login script tonight :) Just make sure to reset the attempts counter upon successful login!

Thanks cwarn, I have copied your solution and will try it when I have finished my web page, and let you know.

For others, please keep posting to this thread.

I disagree with CAPTCHA on the login form. If a bot is trying to log into a site via a login form, then that makes the assumption that the bot has already registered an account or is attempting to brute force its way in.

On the login side of things, I favor flood protection (n number of login attempts) and letting the script sleep for a second or two during the login process. Just slowing the login process down for a second can discourage even the most persistent brute force attempts.

I read a good article on how to implement a very functional flood control solution; if I can remember where, I'll post the link.
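The flood filter described across the posts above (attempts counted per IP in the database, a one-hour block after too many failures, the counter reset on a successful login, and a sleep() on every attempt), put together as one added example. It is not code from any poster in this thread: the login_attempts table, the limit of five failures, the parameter-driven clock, the stand-in credential check and the sample addresses are this example's own assumptions. It needs PHP 7.1+ with the PDO SQLite driver (INSERT OR REPLACE is SQLite syntax) and runs against an in-memory database.

```php
<?php
// Added example (not the thread's code): a database-and-IP flood filter around a login
// check. After MAX_FAILURES bad attempts from one address the address is refused for
// LOCKOUT_SECONDS, a successful login clears the counter, and every attempt pays a
// fixed sleep(). Table/column names, limits and the sample data are assumptions.

const MAX_FAILURES    = 5;
const LOCKOUT_SECONDS = 3600;   // one hour, as suggested in the thread

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_attempts (
    ip           TEXT PRIMARY KEY,
    failures     INTEGER NOT NULL,
    locked_until INTEGER NOT NULL     -- unix time, 0 when not locked
)');

function is_locked_out(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare('SELECT locked_until FROM login_attempts WHERE ip = ?');
    $stmt->execute([$ip]);
    $lockedUntil = $stmt->fetchColumn();
    return $lockedUntil !== false && (int) $lockedUntil > $now;
}

function record_failure(PDO $db, string $ip, int $now): void
{
    $stmt = $db->prepare('SELECT failures, locked_until FROM login_attempts WHERE ip = ?');
    $stmt->execute([$ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Start a fresh count if there is no row yet or a previous lockout has already expired;
    // otherwise one more failure after expiry would immediately re-lock the address.
    if ($row === false || ((int) $row['locked_until'] !== 0 && (int) $row['locked_until'] <= $now)) {
        $failures = 1;
    } else {
        $failures = (int) $row['failures'] + 1;
    }
    $lockedUntil = ($failures >= MAX_FAILURES) ? $now + LOCKOUT_SECONDS : 0;
    $db->prepare('INSERT OR REPLACE INTO login_attempts (ip, failures, locked_until) VALUES (?, ?, ?)')
       ->execute([$ip, $failures, $lockedUntil]);
}

function clear_failures(PDO $db, string $ip): void
{
    $db->prepare('DELETE FROM login_attempts WHERE ip = ?')->execute([$ip]);
}

// Gate around the real credential check. $checkCredentials is whatever verifies the
// username/password against the users table; the thread's point is the gating.
function attempt_login(PDO $db, string $ip, string $user, string $pass,
                       callable $checkCredentials, int $now, int $delaySeconds = 1): string
{
    if (is_locked_out($db, $ip, $now)) {
        return 'locked';                    // refused before the password is even looked at
    }
    sleep($delaySeconds);                   // flat delay on every attempt slows brute forcing
    if ($checkCredentials($user, $pass)) {
        clear_failures($db, $ip);           // reset the counter on success
        return 'ok';
    }
    record_failure($db, $ip, $now);
    return 'bad-credentials';
}

// Demo. The credential check is a constructed stand-in; a real one would use password_verify().
$check = function (string $u, string $p): bool {
    return $u === 'alice' && $p === 'secret';
};
$ip  = '203.0.113.5';
$now = 1700000000;                          // fixed clock keeps the demo deterministic

for ($i = 1; $i <= MAX_FAILURES + 1; $i++) {
    echo "attempt $i: ", attempt_login($db, $ip, 'alice', 'wrong', $check, $now, 0), "\n";
}
// Even the right password is refused while the lockout is active
echo 'correct password during lockout: ',
     attempt_login($db, $ip, 'alice', 'secret', $check, $now, 0), "\n";
// Once the hour has passed the right password succeeds and clears the counter
echo 'after lockout expires: ',
     attempt_login($db, $ip, 'alice', 'secret', $check, $now + LOCKOUT_SECONDS + 1, 0), "\n";
```

The demo passes a delay of 0 so it finishes instantly; in production leave the default so each attempt costs a second, as the post above suggests. Two caveats a practitioner should weigh: keying only on IP lets an attacker behind a large NAT lock out everyone sharing that address (a denial of service), and a distributed attacker with many addresses is not slowed at all, so many sites also count failures per username and apply a shorter lock there.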
