  • A Developer's Guide to Storage and Manipulation of Passwords

    For many users, creating and entering passwords is an everyday occurrence. On today’s internet, very few services will allow access without some form of credential. Whether it’s internet banking or social networking, the user is required to enter a username and a password.

    Although passwords have a number of weaknesses when compared to alternative methods (such as One Time Tokens), they continue to be the most common form of authorisation. As a developer, it is highly likely that you will need to process and store passwords at some point.

    The aim of this whitepaper is to look at the strengths and weaknesses of the various methods available. We will also look into the available methods of processing supplied credentials to establish whether to permit the user access to the system.

  • AutoAuth

    AutoAuth is a PHPCredLocker plugin providing a one-click login option for certain CredTypes. By providing the relevant form IDs (presets are available), superadmins can configure a credential type to display a 'Log In' button for all associated credentials.

    AutoAuth is known to work with:

    • CPanel/WHM
    • Webmin
    • WordPress
    • Drupal

    AutoAuth doesn't currently work with Joomla! as it requires a correct form token to be included in the request.

    You can see AutoAuth in action in the PHPCredLocker demo.

    See below for the plugin's README.


  • Implementing Secure Password Storage with PHPCredlocker and a Raspberry Pi

    Password storage can be a sensitive business, but no matter whether you're using PHPCredlocker or KeePassX, dedicated hardware is best. The more isolated your password storage solution, the less likely it is that unauthorised access can be obtained.

    Of course, dedicated hardware can quickly become expensive. Whilst it might be ideal in terms of security, who can afford to Colo a server just to store their passwords? A VPS is a trade-off - anyone with access to the hypervisor could potentially grab your encryption keys from memory (or the back-end storage).

    To try and reduce the cost, whilst maintaining the security ideal of having dedicated hardware, I set out to get PHPCredlocker running on a Raspberry Pi.

    This documentation details how to build the system. A Raspberry Pi Model B+ was used, but the B should be fine too.

  • Introducing PHPCredLocker Version 1

    For a little while now, I've been working on a small PHP based project designed to store passwords securely. After a lot of testing, bug-hunting and fixing, PHPCredLocker has reached version 1.

    Designed to prefer security over convenience, the system takes every step it can to protect stored credentials. Depending on the version of PHP you are running, passwords will be encrypted with either OpenSSL or MCrypt. A different key is used for each credential type (think FTP password vs Joomla password) and the database has been designed to be as unhelpful as possible to any miscreant who should manage to get a database dump.

    I'm not an interface designer, so the template is very basic, but PHPCredLocker has been designed so that you can adjust and override as necessary (modules and views can be overridden, and templates are easy to create).


  • Republished: Why you should never share Login Details

    Originally published on Benscomputer.no-ip.org in Aug 2009.


    Anyone who works in IT in any form knows the headache: despite signing to say they won't, users insist on sharing their login details with everyone! Whether it's because someone else can't remember their own username or simply because it's easier than logging out.

    On occasion it happens because the user didn't lock their desktop before walking away, and someone else happens to need to use a PC 'quickly.'

    We all know it, users just don't care about security. Why should they? It's 'Your' network to look after, not theirs. This article is aimed at that particular group to try and highlight exactly why they should care.


  • Resetting MySQL Admin User's Password when Forgotten

    It happens to the best of us: you set a password a long time ago and just cannot remember what it was! This documentation will talk you through the process of resetting the admin user's password on MySQL.


  • The Importance of Changing Default Passwords

    In today’s connected world, passwords are absolutely everywhere. We are constantly asked to create new passwords, whether for a Facebook account, financial management systems or a new router.

    Whilst new accounts seldom come with a default password, many devices do ship with a generic username and password. Despite wide awareness of the importance of password control, many people still fail to change these default passwords.


  • The Importance of Salting Stored Passwords And How To Do So Correctly

    Many will have watched the recent releases of user passwords from Sony (and others) with interest. A lot of people won't, however, realise why Sony's practices were so poor. For many, storing passwords means just that, purely because they aren't aware of the methods available to make it a lot harder for an attacker to gain access to users' passwords.

    Whilst network security obviously plays a very important part, even when that fails it should be almost impossible for an attacker to tell you what your password was based on nothing but a database dump. In this short post we'll examine exactly how passwords should be handled and stored in a database.

  • Understanding Password Storage

    I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same - "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common - assuming that a commonly stated fact applies to all scenarios, and failing to apply a bit of simple logic that would tell them the answer - because that's the only way the system would work.

    In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).

  • Why You Shouldn't be using SHA1 or MD5 to Store Passwords

    There are a lot of badly coded sites out there, and far too many sites still seem to be falling prey to SQL Injection vulnerabilities resulting in a lot of high profile leaks of user data.

    I wrote quite some time ago on The Importance of Salting Stored Passwords And How To Do So Correctly, but whilst the underlying message remains correct, the techniques for doing so have been outpaced by technology.

    Although still widely used, checksum algorithms such as SHA1 and MD5 are no longer sufficiently secure.

    In this post we'll be exploring why you shouldn't be using MD5/SHA1 and how you should be storing passwords.