SeanBluestone.com » PHP

The Developers and Programmers Passwords 101

Wed, 03 Feb 2010 16:09:25 +0000

If you’ve ever designed a user registration script, a membership site or any script that creates or stores user passwords, there are some practices which every good developer should be aware of. While most small scale applications are not in danger of being targeted by anyone with malicious intent (simply due to the fact that they don’t have enough user accounts to make a blip on the radar), there is a point in the life of any good script whereby it becomes large enough that people can and will target your password list and security will become an issue. By implementing a few simple measures and understanding how password security is compromised you can limit the possibility of your password list being compromised and minimize the potential damage caused.

1. Hash & Salt

One of the most commonly committed cardinal sins of password storage is plain text- that is, storing passwords in plain text. This is frightfully common and I even remember one shocking instance of a fairly popular web application storing password and username combinations in a .txt file. Storing passwords in plain text is not only lazy, it’s a huge security risk. The most common method of storing usernames and passwords is within a MySQL table via PHP. This article explains the fundamentals of password hashing in such a setup, how it works, why it works and how easy it is to implement.

But, in a nutshell, hashing is the process of performing a one way algorithm on a user-supplied password so you can store it as a value which is useless by itself. Any potential hacker would also need to know your local hashing algorithm before they stood even a chance of brute forcing their way in to that account. Furthermore, brute force and dictionary attacks can also overcome by the simple salting method whereby you generate a unique salt for each password locally and store this with the hashed password.

The article linked provides PHP code to hash, salt and store passwords in a secure manner and provides much more information than I could hope to.

2. Passwords Will Be As Secure As You Require Them To Be

People are like lightning; they take the path of least resistance. In the realm of passwords, this means people will magnetize towards the shortest and most easy to remember possibility. In short, what this means is that if you have no restriction on the number of characters or types of characters allowed in your passwords, you will end up with passwords like ‘abc’, ’123′, ‘password’ and ‘secret’. This is not an exaggeration for dramatic effect, people will actually choose and use these types of passwords.

By enforcing some, if not all, of the restrictions below you can ensure the security of your password list will greatly increase:

Minimum character length. Require at least 8 characters. It is generally accepted and confirmed that 8 characters is the minimum required to generate a secure password. You may be scared to enforce long passwords in the fear that people will simply not sign up, but this is a misguided fear. If someone wants to sign up for your site the password field requiring an extra 2 characters on top of their existing password is an unlikely deterrent.

Other password enforcement policies should include:

Password must contain characters and numbers.
Password must contain uppercase and lowercase characters.
Password must contain at least 1 symbol (outwith a-Z 0-9).
Password must not be based on a dictionary word.

The Password Meter is an excellent resource to test the strength of a password while having a look at how it’s being analyzed. The script is free to download for use with your own applications. While there are pros and cons of making password strength a requirement, there is absolutely no reason not to show strength to the user in a system like this.

As a side note, never require passwords to be too strong. An 8 character password that someone remembers is much more secure than a 16 character password which has to be written down or saved on a desktop (and is therefor susceptible to being hijacked).

3. Retrieval/Reset Mechanisms

Password retrieval is part of password management which, in the field, commonly has vulnerabilities and programmer induced pitfalls. The most common mistake made, bar none, is to send out the users current password upon request. I.e. the user forgets password, clicks the ‘forgotten password’ link and enters their email. The script sends out a copy of their password via email and they get access to their account again. The problem here lies in the fact that hashing is one way. If you store the users password as a hashed value there is no way to send out a plain text version.

Therefor, any site or service you are registered with which sends you a copy of your existing password upon request is not maintaining your password securely. This is a useful tip to know, especially if you are using the same password on more than one site.

Instead, when someone clicks ‘forgot password’ and enters their email, the savvy programmer will have his script generate a new password, send it to the specified email, then store it in his database using hash & salt. This means the user will need to take the extra step of changing their password to something memorable again, but vastly improves the security of your password system and keeps the user safe.

4. Lockout Mechanism

An importantly overlooked part of maintaining a secure password system is having a lockout mechanism. This is a system whereby someone can report their account as hijacked or compromised which, upon review, will be temporarily locked. This prevents compromised accounts being used for malicious purposes. For example if someone gets access to Mrs Bloggs account, logs in as her and sends a message to Mr Blogg asking for his email address password or bank account details so she can “make a payment to the Jones’ next door” (better thought out rouges involving other personal info have been used successfully in the field). It’s uncommon, but it does happen and having a lockout mechanism limits damage caused and protects your users from each other.

An additional lockout mechanism which virtually negates the possibility of brute force attacks is password lockout. Include a simple script to count login attempts. If there are more than 3 failed login attempts, per minute for example, then lockout login attempts for that account for an hour. This makes it very unlikely for dictionary or brute force attacks to succeed and/or go unnoticed.

Passwords are as secure as you require them to be.

Bash.org Clone PHP Script for IRC Quotes

Mon, 27 Jul 2009 10:34:43 +0000

Having had a few hours free last night and being part of a rather quirky IRC server I decided to code up a clone of Bash.org’s quote database system. My script replicates and clones bash.org almost entirely and has the following features:

Stores an almost infinite number of quotes or comments.
Allows users to rate comments up or down and has minimal duplicate voting protection.
Optional captcha system on ‘add a quote’ page.
Search, Random, Browse & Other Bash.org features.
Admin/moderation option to delete quotes.

The script is also surprisingly simple and is all contained within one file. After running the SQL within that file you can drag and drop it into anywhere on your server and it will work immediately.

You can see a demo of it in action here (be warned: this section of the site is NOT safe for work and contains offensive material).

You can download the IRC quotes database script here. To install simply run the SQL statements within the php file in MySQL, edit the settings and upload. It’s extremely simple to setup and use and you can customize the look, feel and layout all from the .php file.

If you use this script on your site please let me know and I’ll put up a link to you here or leave a comment with your URL. Feel free to remove the ‘powered by’ but if you do, please consider making a small donation to make it worth my while.

PHP Jokes and Puns

Fri, 24 Jul 2009 21:58:09 +0000

For no specific reason whatsoever, here are a collection of PHP Jokes and puns. Most of which are terrible.

Q: Why do PHP programmers dislike ASP programmers?
A: ASP programmers only write basic code.

if($girl['looks'] == "hot"){
if($beer == "cold"){
$life = "Sorted!";
}elseif(function_exists($girl_get_beer) == true){
if(msg_send ($girl['job_que'], 1, 'Get me a beer out of the fridge!') === false){
$life = "Get a new girl!";
}
}else{
array_push($girl['functions'], 'get_beer');
}
}else{
$life = "Get a new girl!";
}
echo $life;

Q: Why is PHP freddy krugers language of choice?
A: addslashes();

What did the PHP script say to the server?
Pass me a bottle of water, I’m parsed.

if(crack_check($woman, $dirty)) { ob_clean(); link("/home/me", "home/her"); }
?>

Yo mamma so easy, PHP developers confuse her with Ruby on Rails.
Your momma so fat I called her and got a stack overflow.
Your momma’s so fat, she needs preg_replace() just to make her fit in a page.

How to Use Akismet in Your Own Plugins and Applications

Sean — Fri, 07 Nov 2008 18:51:12 +0000

Akismet, for those who don’t know, is an excellent and free plugin which comes installed and activated with each copy of WordPress. When activated, all comments submitted to your blog will pass through Akismets database which checks to see if the comment is recognized as spam. If so the comment is held in a moderation queue for you to check or delete. It’s very useful because if a spam message gets through then you can click ‘spam’ to delete it. Akismet learns from your selection and the next time a similar message is submitted on anyones blog it will likely be treated as spam.

A question I commonly see in the WordPress forums is Can I use Akismet in my own program? and the main benefit is that Akismet isn’t just restricted to WordPress, it can be used in third party plugins or applications. This is excellent if you’re creating or modifying an existing PHP script and it’s likely to be hit by spam. I recently developed a WordPress Link Directory plugin which, like all link directories, suffers from spam problems. In newer versions I offer Akismet and CAPTCHA as two solutions to this problem. If Akismet is chosen, all submitted links are checked against Akismet to see if they are spam and rejected or approved accordingly.

So how do you use Akismet in your own WordPress plugin? It’s very simple. First of all you need to download an Akismet PHP class from this page. A good choice is the PHP 5 class which includes a good document on how to use it. But here are the basic steps using WordPress Link Directory as an example.

First I check to see if the user has set the Use Akismet option to Yes and if so include the Akismet.class.php file:

[sourcecode language="php"]if(get_option(‘wplinkdir_akismet_use’)==’Yes’){
include ‘Akismet.class.php’;[/sourcecode]

If so then I initiate a new Akismet class with whichever domain name the plugin is being used on (by getting the siteurl and Akismet key options. I also check that the key is valid before I initiate the Akismet class:

[sourcecode language="php"] $Key=get_option(‘wplinkdir_akismet_key’);
$SiteURL=get_option(‘siteurl’);

if(!$akismet->isKeyValid($Key)) {
echo “The Akismet key you supplied doesn’t appear to be valid. We cannot use Akismet without a key.”;
}else{
$akismet = new Akismet($SiteURL,$Key);[/sourcecode]

If the key is valid I collect the values I want to check. Normally you would run some safety functions on these $_POST variables like mysql_real_escape_string() etc, but in this case WordPress does this automatically. Once I have these values I set them as the Akismet equivalent values:

$name=$_POST['entry_name'];
[sourcecode language="php"] $email=$_POST['entry_email'];
$url=$_POST['entry_url'];
$description=$_POST['entry_description'];

$akismet->setCommentAuthor($name);
$akismet->setCommentAuthorEmail($email);
$akismet->setCommentAuthorURL($url);
$akismet->setCommentContent($description);[/sourcecode]

Finally all I need to do is run the values through Akismet and check if they are seen as spam or not. I’ve excluded some unrelevant code here but basically if it’s spam we put it in the pending links section for someone to check or delete and if it passes OK we add it straight away:

[sourcecode language="php"] if($akismet->isCommentSpam()){
echo ‘Thanks for adding your site, it will be checked by an admin soon to make sure it is appropriate.’;
}else{
echo ‘Thanks for adding your site. Your link has been added!’;
}
}
}[/sourcecode]

This can be done with virtually any content handled by your plugin or script and Akismet is very good at handling huge amounts of data, so you don’t need to worry. If your script allowed the user to send text messages for example, you would use the text message itself in setCommentContent(); and set the name and email while not setting the setCommentAuthorURL(); at all.

The only thing you need to use Akismet in your own program is an API. You can get one by signing up for WordPress.com (it will be emailed to you). This page has more information.

Find the pagerank of any page, site or URL using PHP

Sean — Wed, 29 Oct 2008 00:24:26 +0000

This is a set of simple functions to find the Google pagerank of any page or site. It basically pretends to be a web browser using the Google toolbar which displays the pagerank to the user.

function StrToNum($Str, $Check, $Magic){ $Int32Unit = 4294967296; // 2^32


	$length = strlen($Str);

	for ($i = 0; $i < $length; $i++) {

		$Check *= $Magic;

		// If the float is beyond the boundaries of integer (usually +/- 2.15e+9 = 2^31),

		// the result of converting to integer is undefined

		// refer to http://www.php.net/manual/en/language.types.integer.php

		if ($Check >= $Int32Unit) {

			$Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));

			//if the check less than -2^31

			$Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;

		}

		$Check += ord($Str{$i});

	}

	return $Check;

}
// Genearate a hash for a url
function HashURL($String){

	$Check1 = StrToNum($String, 0x1505, 0x21);

	$Check2 = StrToNum($String, 0, 0x1003F);
	$Check1>>=2;

	$Check1=(($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);

	$Check1=(($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);

	$Check1=(($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);	
	$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );

	$T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
	return ($T1 | $T2);

}
// genearate a checksum for the hash string
function CheckHash($Hashnum){

	$CheckByte=0;

	$Flag=0;
	$HashStr=sprintf('%u', $Hashnum);

	$length=strlen($HashStr);
	for($i=$length-1; $i>=0; $i--) {

		$Re=$HashStr{$i};

		if(1===($Flag % 2)){

			$Re+=$Re;

			$Re=(int)($Re/10)+($Re%10);

		}

		$CheckByte+=$Re;

		$Flag++;

	}
	$CheckByte %= 10;

	if (0 !== $CheckByte){

		$CheckByte=10-$CheckByte;

		if (1 === ($Flag % 2) ) {

			if (1 === ($CheckByte % 2)) {

				$CheckByte += 9;

			}

			$CheckByte >>= 1;

		}

	}
	return '7'.$CheckByte.$HashStr;

}
function getpagerank($url){
	$fp = fsockopen("toolbarqueries.google.com", 80, $errno, $errstr, 30);

	if(!$fp){

		echo "$errstr ($errno)
\n";

	}else{

		$out="GET /search?client=navclient-auto&ch=".CheckHash(HashURL($url))."&features=Rank&q=info:".$url."&num=100&filter=0 HTTP/1.1\r\n";

		$out.="Host: toolbarqueries.google.com\r\n";

		$out.="User-Agent: Mozilla/4.0 (compatible; GoogleToolbar 2.0.114-big; Windows XP 5.1)\r\n";

		$out.="Connection: Close\r\n\r\n";
		fwrite($fp, $out);

while(!feof($fp)){ $data=fgets($fp, 128); $pos=strpos($data, "Rank_"); if($pos===false){} else{ $pagerank = substr($data, $pos + 9); return $pagerank; } } fclose($fp); } }

You can make calls to it like this:

getpagerank('http://www.google.com');

You can also use this stylesheet which excludes the need for pagerank image icons (though you could use image files if you wished):

<STYLE> div.pr { font-size: 6pt; color: #000000; float: left; height: 30px; margin-right: 5px; } div.prg { width: 40px; border: 1px solid #999999; height: 3px; font-size: 1px; } div.prb { background: #5eaa5e; height: 3px; font-size: 1px; } </STYLE>

To use PHP to display the pagerank of a site you would use:

$url='http://www.seanbluestone.com'; $Pagerank=getpagerank('http://www.seanbluestone.com'); $Width=$PR*4; echo '<div class="pr">PR: '.$Pagerank.'<div class="prg"><div class="prb" style="width: '.$Width.'px"></div></div> '.$url;

This would display the pagerank of the page like this:

PR: 3

SeanBluestone.com

One thing to note is that if you make too many calls to this within a short period of time from the same domain it will block you, so if you’re using it for a link directory or something like that make sure it caches.