Subscribe to Coding Creatively   
-----

Converting from md5 to something more secure, without bugging your users.

Icon 1 Comments
Here's the situation: You've created a successful service with over 1000 loyal members. The problem is, you decided to use md5, a common but bad hashing algorithm, for passwords. Somehow you've made it this far without getting some users account hacked so you still have time to convert to something more secure. The only problem is, you don't want to tell your users about this. It may freak them out and make them worried about their information in the wrong hands.

The solution: It's simple, really. Everything will look all fine and dandy on the outside where the user logs in, but secretly, on the inside, we will be converting their passwords to a new format (sha512 for this tutorial).


Here is exactly how we can achieve this. What we are looking at is the page that handles the login form.
<?php
// Get variables
$username = $_POST['username'];
$password = $_POST['password'];

// Setup our connection to database
$mysqli = new mysqli("localhost", "username", "password", "database");

// Never trust anything from the user!
$username = $mysqli->real_escape_string($username);

// Setup out query
$sql = "SELECT * FROM users WHERE username='$username'";
$result = $mysqli->query($sql) or die("There was an error.");

if(!$result){
echo "That user does not exists";
} else {
$result = $result->fetch_object();
}

// Check for our password
$md5pass = md5($password);
$shapass = hash("SHA512", $password, false);

if($result->password == $shapass){
// User's pass has been updated and is correct with pass in database.
// Run whatever they needed to login for
echo "Thank you for logging in";
} else if($result->password == $md5pass){
// User is correct, but his password has not been updated
// Update his password
// No fancy spanshy result checking, because they can still login even if the update fails.
$mysqli->query("UPDATE users SET password='$shapass' WHERE username='$username'");
// Run your login stuff.
echo "Thank you for logging in";
} else {
// User's pass is incorrect.
echo "Wrong username/password";
}
?>




Boom, now when people login, the script will first of all make a sha512 version of the pass and an md5 version of the pass. If the sha version matches the one in the DB, the user must be updated and correct. If it matches the md5, than update the password to the sha version and login. If it doesn't match at all, the password must be incorrect. A simple solution for a big problem!

1 Comments On This Entry

Page 1 of 1

Asusultra Icon

24 May 2011 - 06:44 PM
Nice! A colleague of mine recently had this problem with an ASP.Net (C#) site. -He converted from SHA-1 to SHA-256 using, generally, that same method.

Proof technique can be language neutral.
0
Page 1 of 1

Trackbacks for this entry [ Trackback URL ]

There are no Trackbacks for this entry

Recent Entries

July 2014

S M T W T F S
  12345
6789101112
13141516171819
202122232425 26
2728293031