
Password Restrictions


slarson20


Max length doesn't matter as far as storage is concerned, as you'll be md5'ing the value, which outputs a fixed length string.


I suggest performing some sort of server-side verification though, as you can't trust values that come from the client. This becomes tricky if you've already hashed the value. You probably want to apply a salt to the hash that gets sent to your PHP script and re-hash. This will prevent rainbow table attacks if someone manages to steal your database contents.



Thanks for the reply.


Salt the hash? Also, I am checking this server side to make sure it's safe to query. The main question is: is not setting a max for a password field a bad idea, even if storage isn't a problem because I'm md5ing it?


Basically


Question 1: Salt the hash? lmao, I'm lost.


Question 2: As long as you make sure the md5 received on the server side is safe, is this a good way to handle passwords? I don't want to limit how long someone's password can be when it doesn't affect my end, because it is 32 characters regardless. I believe the fewer restrictions you give the user the better, even if you think they don't need the extra space or whatever, as long as it doesn't affect security or functionality.


1. http://phpsec.org/articles/2005/password-hashing.html touches on salting at the end of the article. It's a way to prevent rainbow-table attacks on your hashed passwords, and to prevent dictionary passwords from being cracked in seconds.


2. Keep in mind anyone who can listen in on the requests can simply use the md5 of the password in place of the password. Sure, the attacker may never know what the plain-text password is, but they still have full access to the account by sending the hashed value and username to your login script. If you want to effectively use client-side hashing to provide more security for your script, you'll have to design a challenge-response system. Keep in mind this method is unnecessary when using SSL/TLS, as that handles encryption of traffic between the server and client for you. Here's a neat implementation of a C-R system using PHP and AJAX: http://unitstep.net/blog/2008/04/28/password-salting-and-the-modified-challenge-response-system/

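Added example, not code from the thread or from either linked article: a single PHP script that walks through the three points made in the replies above (a sniffed client-side md5 can be replayed as-is, server-side salted hashing with password_hash(), and a nonce-based challenge-response for the no-TLS case). The array-backed "user table" and "session store", every function name, the sha256 pre-hash used to sidestep bcrypt's 72-byte input limit, and the sample credentials are all constructed for this example.

```php
<?php
// Added example, not code from the thread or from either linked article.
// It walks through the points made in the replies above using only PHP
// built-ins. The array-backed "user table" and "session store", the
// function names and the sample credentials are all constructed here.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Point 1: a bare client-side md5 is a pass-the-hash token. A login that
// stores md5($password) and compares it directly accepts a captured md5
// value just as it would accept the password itself.
function naive_login(array $users, string $user, string $md5FromClient): bool
{
    return isset($users[$user]) && hash_equals($users[$user], $md5FromClient);
}

// Point 2: hash on the server with a per-password salt and a slow algorithm.
// password_hash() generates the salt and stores it inside the returned string.
// Caveat for the "no maximum length" question: bcrypt (PASSWORD_DEFAULT at
// the time of writing) only looks at the first 72 bytes of its input, so a
// fixed-length, NUL-free pre-hash is applied first so every byte counts.
function prehash(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

function register(array &$users, string $user, string $password): void
{
    $users[$user] = password_hash(prehash($password), PASSWORD_DEFAULT);
}

function login(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify(prehash($password), $users[$user]);
}

// Point 3: challenge-response for when TLS is not available. The server keeps
// a per-user salt and verifier, hands out a single-use nonce per login, and the
// client proves knowledge of the password by returning HMAC(verifier, nonce).
// A captured response is useless against the next nonce.
function enroll(array &$verifiers, string $user, string $password): void
{
    $salt = bin2hex(random_bytes(16));
    $verifiers[$user] = ['salt' => $salt, 'verifier' => hash('sha256', $salt . $password)];
}

function issue_challenge(array &$sessions, array $verifiers, string $user): ?array
{
    if (!isset($verifiers[$user])) {
        return null;
    }
    $nonce = bin2hex(random_bytes(16));
    $sessions[$user] = $nonce;                      // consumed by verify_response()
    return ['salt' => $verifiers[$user]['salt'], 'nonce' => $nonce];
}

// What the browser-side JavaScript would compute, modelled in PHP here.
function client_response(string $password, string $salt, string $nonce): string
{
    return hash_hmac('sha256', $nonce, hash('sha256', $salt . $password));
}

function verify_response(array &$sessions, array $verifiers, string $user, string $response): bool
{
    if (!isset($sessions[$user], $verifiers[$user])) {
        return false;
    }
    $nonce = $sessions[$user];
    unset($sessions[$user]);                        // single use: a replay fails here
    $expected = hash_hmac('sha256', $nonce, $verifiers[$user]['verifier']);
    return hash_equals($expected, $response);
}

// Walk-through with constructed credentials.
$captured = md5('correct horse');                   // what a sniffer sees on the wire
check(naive_login(['alice' => md5('correct horse')], 'alice', $captured),
      'point 1: replaying the sniffed md5 logs in without knowing the password');

$bcryptOnly = password_hash(str_repeat('x', 200), PASSWORD_BCRYPT);
check(password_verify(str_repeat('x', 199), $bcryptOnly),
      'point 2 caveat: plain bcrypt ignores bytes past 72, so a 199-char guess matches');
$users = [];
register($users, 'alice', str_repeat('x', 200));
check(login($users, 'alice', str_repeat('x', 200)) && !login($users, 'alice', str_repeat('x', 199)),
      'point 2: pre-hash + password_hash() salts and uses the whole password');

$verifiers = [];
$sessions = [];
enroll($verifiers, 'bob', 'hunter2');
$ch = issue_challenge($sessions, $verifiers, 'bob');
$resp = client_response('hunter2', $ch['salt'], $ch['nonce']);
check(verify_response($sessions, $verifiers, 'bob', $resp), 'point 3: fresh response accepted');
issue_challenge($sessions, $verifiers, 'bob');      // next login attempt gets a new nonce
check(!verify_response($sessions, $verifiers, 'bob', $resp), 'point 3: replayed response rejected');
```

Two caveats on the challenge-response half, which is why the reply above calls it unnecessary under SSL/TLS: the stored verifier is password-equivalent for this protocol (anyone who dumps the table can answer challenges directly), and a sniffer who records salt, nonce and response can still brute-force the password offline. It stops replay, nothing more; the password_hash() path is what protects the stored credentials if the database is stolen.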
