
For my PHP login system combined with a MySQL database, I use md5 encryption to convert passwords when a user registers. Everything worked fine on a Windows host, but now I've changed the host to Linux. Now, when I register an example user with password "azerty", I can't log in... When I try to log in with "qwerty" as the password, it works. So it's as if the md5 function reads my keyboard as a qwerty keyboard instead of as an azerty one...

What can I do to solve this problem?

EDIT:

In the register script I do this:

$password = md5($password);

and then save $password to my database.

The login script checks this:

if ($username == $dbusername && md5($password) == $dbpassword)
oezi
francisMi
  • Is this a hypothetical problem? There's no such thing as MD5 encryption. – ta.speot.is Sep 16 '11 at 13:43
  • Please show some example debug outputs. What does the password field actually contain before you MD5 it? Also show some code. – Pekka Sep 16 '11 at 13:43
  • Are you sure you didn't just type the password in incorrectly? `Q` and `A` are pretty close to one another. – Dutchie432 Sep 16 '11 at 13:44
  • Please show some example debug outputs. What does the password field actually contain before you MD5 it? – Pekka Sep 16 '11 at 13:51
  • A 'q' is a 'q' and an 'a' is an 'a' no matter where it shows up on a keyboard. Rearranging my keys to turn my keyboard into a Dvorak layout doesn't invalidate all my passwords just because I moved the plastic caps around. – Marc B Sep 16 '11 at 13:57
  • Going off what @todda.speot.is said, MD5 is a hash algorithm. Basically hashes are one-way and can't be reversed; that doesn't mean you can't beat them though - check out the article Incognito gave you. Encryption is two-way - you can encrypt and decrypt. – Windle Sep 16 '11 at 15:00
  • Somebody's going around down-voting a bunch of Q&As. >:-( – Herbert Sep 16 '11 at 15:36

1 Answer


It doesn’t matter that you switched hosts. If you can log in with “qwerty” then you must have inadvertently registered with “qwerty”.

When you’re testing the system, use a normal <input type="text"> so you can see what you’re typing. Switch it to <input type="password"> when you’re finished testing. Also, add a “verify password” field so you can check that the user didn’t accidentally mistype her password.

Secure Password Storage Primer

Add a field to your users table called "salt"

In the register script do this:

$salt = time();
$code = hash('sha256', $password . $salt);

Save $code and $salt in the users table.

In the login script check this:

if ($username === $dbusername && hash('sha256', $password . $dbsalt) === $dbpassword)
Herbert