Case Sensitivity of Password


Case Sensitivity of Password

by tankala

Hi,

I am currently authenticating using Zend_AUTH and using a MySQL database for authentication. The password is getting authenticated irrespective of whether it is being written in upper case or lower case. I have not found any support for the same till now. I would be glad if anyone can help me in this regard.

Re: Case Sensitivity of Password

by Matthew Weier O'Phinney-3

-- lalit.tankala@... <lalit.tankala@...> wrote
(on Thursday, 03 April 2008, 03:14 AM -0700):
> I am currently authenticating using Zend_AUTH and using MYSQL database
> for authentication. The password is getting authenticated irrespective
> of whether the it is being written in upper case or lower case. I have
> not found any support for the same till now. I would be glad if anyone
> can help me in this regard.

MySQL typically is case insensitive for comparisons... which tells me
that you're likely storing the password in plain text. I'd advise that
you store the password using a hashed value, which will ensure that you
have case sensitivity (the hash will be different based on case), and
also prevent somebody from snooping your database to discover passwords.

--
Matthew Weier O'Phinney
PHP Developer            | matthew@...
Zend - The PHP Company   | http://www.zend.com/

Re: Case Sensitivity of Password

by funkyfly

> and also prevent somebody from snooping your database to discover passwords.

or at least you would make life for that somebody more difficult :-)

--
Regards,
Vladas Diržys
tel.: +370 620 69020 (Omnitel)
+370 677 17851 (Tele2)
www.dirzys.com

Re: Case Sensitivity of Password

by Isaak Malik-3

A small addition to Matthew's suggestion: when hashing passwords, always make use of hash seeds to make it much harder to crack with dictionary and brute-force attacks. Example:

<?php
define('HASH', 'some secret text');

$password = md5('This iS tHe CAse SEnSiTive password'.HASH);
// Now you can safely store the password into the database
?>

--
Isaak Malik
Web Developer
isooik@...

AW: Case Sensitivity of Password

by Frank Ruske

Hi,

of course salting the password is a must-have.

You can easily apply that md5($pwd.$salt) salt proposal from Isaak to your Zend_auth_adapter the following way:

<?php
require_once 'Zend/Auth/Adapter/DbTable.php';

class MyAuthAdapter extends Zend_Auth_Adapter_DbTable
{
    public function __construct()
    {
        $db = Zend_Registry::get('db');
        parent::__construct($db);

        $this->setTableName('users');
        $this->setIdentityColumn('username');
        $this->setCredentialColumn('password');
        // `?` is bound to the submitted credential; `salt` is the per-user
        // salt column of the matched row
        $this->setCredentialTreatment('MD5(CONCAT(?,salt))');
    }
}
?>

Look at method setCredentialTreatment().
You just need to save your salt and username in the same table (field salt in this example) and let Zend_Auth_Adapter_DbTable::setCredentialTreatment() do the dirty work for you.
With setCredentialTreatment() you can pass an SQL command to the DB auth adapter to match your password-storing method.

Pretty cool, isn't it? :)

If you need further help, just ask.

Regards, Frank Ruske

 


Re: AW: Case Sensitivity of Password

by Hector Virgen

If for any reason you want to keep your passwords in plain text but make them case-sensitive, you can change the collation of the column to one of the binary types, such as utf8_bin. But I highly suggest hashes like Matthew mentioned.

SQL to change your column's collation:


ALTER TABLE `users` CHANGE `password` `password` VARCHAR( 40 ) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL

-Hector



Re: AW: Case Sensitivity of Password

by Isaak Malik-3

In addition to the reply of Frank Ruske:

I wouldn't go for this method. Your passwords will be safer from the attacks mentioned before; however, storing the seeds in the database is the same as storing plain-text passwords in the database, meaning that if the hacker has access to the database he has access to every account.
What I meant was that you have a separate file containing the seed(s) and make it only readable to the root user or any other user which your web server runs as. This is more recommended than what Frank Ruske suggested, as it adds one more layer of protection, since the hacker would also need access to the file containing the seeds.

Notes:
- Put the PHP file containing the seeds outside the webroot tree
- Make the PHP file only readable to the user your web server runs as
- This method is completely framework-independent
 

--
Isaak Malik
Web Developer
isooik@...

Re: AW: Case Sensitivity of Password

by Isaak Malik-3

Actually, one mistake I made in my previous reply:

Making the file only readable to the root user will make it unreadable for your PHP scripts; therefore you should just take away the write rights, and only root, the owner and group should be able to read the seed file.

--
Isaak Malik
Web Developer
isooik@...

AW: AW: Case Sensitivity of Password

by Frank Ruske

Of course Isaak Malik's proposal is the way to go if possible.
Storing the salts in the database is of course also a security risk; anyhow, in some situations it may be needed to store it this way, and it's of course NOT the same as storing plain passwords!
For example, with a salt-hashed PWD rainbow tables have a hard job to do.
Brute-forcing works like with a normal md5 hash if you know the seed, right.
All other comments from Isaak I have to agree with.

Regards, Frank

You can easily change that in my AuthAdapter proposal by adding the salt as a variable.
So my first proposal
$this->setCredentialTreatment('MD5(CONCAT(?,salt))');
becomes
$this->setCredentialTreatment("MD5(CONCAT(?,'$salt'))");

Where $salt is the salt of the user you'd like to verify, and which has to be fetched from out of root beforehand by adding more logic to your adapter.
And of course you have to sanitize $salt before using it :)


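
One way to combine the two proposals in this thread (a per-user salt column handled by setCredentialTreatment(), plus a secret seed kept in a file outside the web root) without ever splicing the salt or the seed into the SQL text, which is what the "sanitize $salt" step above was guarding against. This is an added example written for this page, not code from the thread or from Zend Framework; it assumes a Zend_Db adapter registered as 'db', a `users` table with `username`, `password` and `salt` columns, and a seed file at the placeholder path /etc/myapp/pepper.php.

```php
<?php
// Added example for this thread, not Zend Framework code. Assumptions:
//  - Zend_Registry::get('db') returns a configured Zend_Db adapter
//  - table `users` has columns username, password (32-char hex MD5), salt
//  - PEPPER_FILE is a placeholder path; the file contains
//        <?php return 'a long random secret';
//    sits outside the document root and is readable only by the user the
//    web server runs as (e.g. owner root, group www-data, mode 0440)
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/DbTable.php';
require_once 'Zend/Registry.php';

class PepperedDbTableAdapter extends Zend_Auth_Adapter_DbTable
{
    const PEPPER_FILE = '/etc/myapp/pepper.php'; // placeholder path

    public function __construct($db = null)
    {
        if ($db === null) {
            $db = Zend_Registry::get('db');
        }
        parent::__construct($db);

        $this->setTableName('users');
        $this->setIdentityColumn('username');
        $this->setCredentialColumn('password');
        // `?` is bound by the adapter to the value given to setCredential(),
        // and `salt` is a column reference in the same row. Neither the
        // password, the pepper nor the stored salt is ever spliced into the
        // SQL text, so there is nothing to "sanitize" here.
        $this->setCredentialTreatment('MD5(CONCAT(?, salt))');
    }

    /** Reads the pepper (once per request) from the file outside the web root. */
    public static function loadPepper()
    {
        static $pepper = null;
        if ($pepper === null) {
            if (!is_readable(self::PEPPER_FILE)) {
                throw new RuntimeException('pepper file is missing or unreadable');
            }
            $value = include self::PEPPER_FILE;
            if (!is_string($value) || strlen($value) < 32) {
                throw new RuntimeException('pepper must be a string of at least 32 chars');
            }
            $pepper = $value;
        }
        return $pepper;
    }

    /**
     * Appends the pepper in PHP, so the database receives password.pepper as
     * one bound parameter and computes MD5(password.pepper.salt), which is
     * exactly what hashForStorage() wrote. Call once per login attempt.
     */
    public function setCredential($credential)
    {
        return parent::setCredential($credential . self::loadPepper());
    }

    /** Value to store in users.password when creating or changing a password. */
    public static function hashForStorage($password, $salt)
    {
        return md5($password . self::loadPepper() . $salt);
    }

    /** Fresh random per-user salt (16 hex chars); random_bytes() on PHP 7+. */
    public static function newSalt()
    {
        return bin2hex(openssl_random_pseudo_bytes(8));
    }
}

// Login. 'Secret' and 'secret' produce different digests, so the check is
// case-sensitive even when users.password uses a *_ci collation.
$adapter = new PepperedDbTableAdapter();
$adapter->setIdentity($_POST['username']);
$adapter->setCredential($_POST['password']);
$result = Zend_Auth::getInstance()->authenticate($adapter);
if (!$result->isValid()) {
    // log $result->getCode() with the identity; show the user a generic error
}
```

MD5 is kept here only so the stored values stay compatible with the thread's MD5(CONCAT(?,salt)) scheme; for new systems, hash in PHP with password_hash() and verify with password_verify() rather than letting the database compute the digest.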

Re: AW: Case Sensitivity of Password

by Isaak Malik-3

Sorry, I wanted to say that it's almost as weak as storing plain text passwords into the database.


--
Isaak Malik
Web Developer
isooik@...