I'm making a system which needs a password to enter. My plan is to make a form with only a password input (since I only need one password), use POST to authenticate the password, and then update the PHP session to logged_in. I know the value won't show up with the POST method, but I don't really know whether that is secure, and since it's an HTML form I don't know whether there is any way to encrypt/hash the input. I have an HTTPS connection and I'm also forcing it, but I don't know whether the password could be hacked and whether my method is secure.
-
If the form is submitted via HTTPS, you do not need any more steps to be safe (enough). Just read it from `$_POST` and match it against the DB. Otherwise, please elaborate on why this is not secure enough – kero May 16 '17 at 09:25
-
I'm asking because, even though I use HTTPS, I'm not sure whether an attacker can access the data I send via the POST method – Andrew May 16 '17 at 09:50
-
Which attacker? For most use cases, HTTPS will do just fine. If you have super special, extremely sensitive data, you can reconsider. Also, have you thought about implementing two-factor authentication (e.g. via an authenticator app on the smartphone)? Then it wouldn't matter whether an attacker accessed the password or not – kero May 16 '17 at 09:54
-
Thanks. The data I'm protecting may contain some personal data, and I'll go and find some code for two-factor authentication – Andrew May 16 '17 at 09:55
1 Answer
If you want to be as safe as possible, here is what I suggest:
Hash the password a first time in JavaScript using this: https://github.com/emn178/js-sha256/blob/master/src/sha256.js
The password has to be sent through an HTTPS connection, of course.
On the server side, when you receive the password, hash it again with SHA-256 (or another algorithm; it doesn't matter, but SHA-256 is safe and relatively fast to compute) and compare it with a local file containing the password hashed twice.
To recap: hash in JavaScript -> send through HTTPS -> hash on the server -> compare with the local file containing the double hash.
The hash in JavaScript is only there because, if a potential attacker performs a MITM, he will be able (under some conditions) to see the hash but not the original password, so even if he is able to authenticate on your service with that hash, he will not be able to retrieve the real password (which might be used on other websites/services).
Moreover, if you're being paranoid, you can salt your password to prevent any brute force using rainbow tables.

-
But in this case, will the attacker see the script, find out our hash algorithm and then crack it? – Andrew May 16 '17 at 11:03
-
You can't crack a hash algorithm; it's a one-way function. You can only brute-force it – ShellCode May 16 '17 at 11:04
-
So, if you hash the password, somebody may attack, learn the hash and be able to log in to my service with that hash without knowing the real password. If so, I want to point out that in this case my service may contain personal information and I want it to be fully secure. So if I use a hash and a custom salt, then even if the attacker gets the hash that was generated with both SHA-256 and the custom salt, the attacker can't authenticate to the service with that hash, right? Since the password used for authentication won't be used in any other service, my main mission is to guarantee that the attacker can't authenticate in any way. – Andrew May 16 '17 at 11:18
-
I think you are misunderstanding what a hash is; a hash can't be reversed! So if you compare the hash server-side, even if the attacker has the hash he will not be able to log in ( https://en.wikipedia.org/wiki/Cryptographic_hash_function ) – ShellCode May 16 '17 at 11:32
-
But you said the attacker can authenticate with the hash he gets without knowing the real password, so I want to make sure there isn't any possibility to authenticate, whether he knows the real password or only the hash. If I misunderstood anything, please point it out, since I'm a beginner on the security side – Andrew May 16 '17 at 11:50
-
Don't worry: if you're using an HTTPS connection with a pinned certificate, there is no way the attacker can intercept the password with a MITM attack, but if he gets the password by putting a gun to your head, sorry, but you can't do anything ^^ – ShellCode May 16 '17 at 12:04
-
Thanks, I went back and tried to code it. The hash system works well, but I'm stuck on the point of **how to hash first and then post**: when we click the submit button, the HTML form automatically posts the value, so how can we arrange that when the user clicks submit it hashes the password first and then posts? – Andrew May 17 '17 at 09:27
-
Try this: http://stackoverflow.com/questions/6912197/change-value-of-input-then-submit-form-in-javascript – ShellCode May 17 '17 at 09:41
-
Could you tell me why we use a SHA-256 **hash** instead of AES **encryption**? – Andrew May 18 '17 at 08:43
-
They're two different things. When you hash a password, you can't retrieve the password from the hash. AES is symmetric encryption, which means that with a key you are able to encrypt the password and decrypt it, but if you're able to decrypt it, so is a potential attacker. That's why, when you have to store a password, you use hashes, because a hash is NOT reversible – ShellCode May 18 '17 at 09:37