17-02-2013, 11:03 PM -
You should see the login script for the Asuracake (yes, still working on that... just a lot less time with my fulltime job than expected).
I'm trying to make that as secure as possible: on any site your password should be encrypted, but I'm taking this to another level: your password will get SHA1 encrypted, but that on its own is not quite secure. You've got rainbow tables with all possible password values, a dictionary, as it were, of hashed passwords. If we have 500 users, they'd simply look at which hashes match and which don't. They will have the password easily.
So, we add a new fixed value to it, the same for every user, to make these rainbow tables unusable. But then again, they can simply make a rainbow table with your fixed value. This means that, if they have your secret value, they can still make a rainbow table, but one only usable on your site... which is a lot of extra work. But simple enough: they just make a new rainbow table with the fixed value, which is almost as easy as the method above, but still a lot more secure.
But I didn't stop there... I'm also adding a random value that is unique for every user. This is the dealbreaker: with those 500 users, in order to hack them, they would need to generate a rainbow table for EVERY user. So not 1 rainbow table like with the other methods, but 500 of them... which is a TON of work. It will also take a lot of processing power on your PC and a metric ton of time.
So, the Asuracake will be quite secure in that way.
You can easily test if a site is secure, or if your password will be retrieved easily when they are hacked, by requesting your password: if the site sends you your password by mail, it's highly insecure and they store your password in plain text! If you get a reset link, you are safe.
The actual register code for the asuracake is like this:
<pre class="_prettyXprint">
// Generate the per-user random value ONCE, so the value stored in 'hash' is the
// same one that was mixed into the password hash; if it were generated twice
// (once for 'hash', once for 'password'), the login check could never recompute
// the stored hash.
$salt = str_shuffle(md5(microtime()));

// Let's set up an array with all the required data we will need to post to the database
$data = array('firstname'  => $this->input->post('firstname'),
              'lastname'   => $this->input->post('lastname'),
              'email'      => $this->input->post('email'),
              'server'     => $this->input->post('server'),
              'race'       => $this->input->post('race'),
              'profession' => $this->input->post('profession'),
              'activated'  => 1,
              // per-user random value, stored so the login check can reuse it
              'hash'       => $salt,
              // sha1(per-user value . password . fixed site-wide value)
              'password'   => sha1($salt . $this->input->post('password') . 'SUPERSECRETFIXEDVALUE'));
$query = $this->db->insert('customers', $data);
if ($query)
{
    return true;
} else
{
    return false;
}</pre>
Just want to share some information about how our sites are being made.
So, if you have any questions, just shoot!
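A worked version of the scheme the post describes (per-user random value plus a fixed site-wide value, both mixed into sha1), added here as an example rather than taken from the Asuracake code. It generates the per-user value once, stores it next to the hash, and adds the matching login check, so the two halves agree. It assumes PHP 7.0 or later (for random_bytes() and scalar type hints); the function names, the SITE_PEPPER constant and the three sample users are made up for the example.

```php
<?php
// Added example, not the Asuracake code: per-user salt + fixed site secret,
// laid out as sha1(salt . password . secret) like the post, with the salt
// generated ONCE and stored beside the hash so a login can recompute it.
// Assumes PHP >= 7.0 (random_bytes, hash_equals, scalar type hints).

// Assumed name for the fixed site-wide value. Keep it in config, not in the
// database: if it leaks together with the table, it no longer adds anything.
const SITE_PEPPER = 'SUPERSECRETFIXEDVALUE';

// Per-user random value: 16 bytes from the CSPRNG, hex encoded (32 chars).
// This replaces str_shuffle(md5(microtime())), which is predictable.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

// Hash a password with a given per-user salt and the site-wide secret.
function hashPassword(string $password, string $salt): string
{
    return sha1($salt . $password . SITE_PEPPER);
}

// Build the row for the customers table. The salt that was used is the one
// that gets stored in 'hash', so register and login use the same value.
function buildCustomerRecord(array $post): array
{
    $salt = makeSalt();
    return [
        'firstname' => $post['firstname'],
        'email'     => $post['email'],
        'activated' => 1,
        'hash'      => $salt,
        'password'  => hashPassword($post['password'], $salt),
    ];
}

// Login check: recompute with the stored salt and compare in constant time.
function verifyPassword(string $password, array $record): bool
{
    return hash_equals($record['password'], hashPassword($password, $record['hash']));
}

// Constructed sample users, all registering with the same weak password.
$users = [];
foreach (['alice@example.org', 'bob@example.org', 'carol@example.org'] as $email) {
    $users[] = buildCustomerRecord([
        'firstname' => 'Test',
        'email'     => $email,
        'password'  => 'hunter2',
    ]);
}

// Same password, three different salts: three different stored hashes, which
// is exactly why one precomputed table no longer covers every user.
$distinct = count(array_unique(array_column($users, 'password')));
echo "3 users with the same password, distinct hashes stored: $distinct\n";

var_dump(verifyPassword('hunter2', $users[0]));
var_dump(verifyPassword('hunter3', $users[0]));
```

One caveat a practitioner would add: salting defeats precomputed tables, but sha1 itself is fast, so an attacker who obtains the table and the fixed value can still brute-force each user's password at high speed. PHP 5.5 and later ship password_hash()/password_verify() (bcrypt), which use a per-user salt automatically and are deliberately slow; that is the usual replacement for a hand-built sha1 scheme like this one.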