Polyalphabetic encryption for Passwords

Posted by Jeremy Deuel on 02/17/06 09:31

Just an Idea:
In PHP, passwords for different purposes are often stored in plaintext in
the source. I often wondered how this could be prevented.

So if you have a web-project that is access-restricted, try the
following workaround:

Include this snippet in your web-project:

function polyalph_encrypt($original, $key = FALSE) {
    if (!$key) $key = $_SESSION["passphrase"]; // The access-key
    // Make the key at least as long as the text, if needed (doubling it each round)
    $i = round( strlen($original)/strlen($key) );
    for ($j = 0; $j < $i; $j++)
        $key .= $key;
    $result = "";
    for ($i = 0; $i < strlen($original); $i++) {
        // Shift the text symbol by the key symbol over the 94 printable
        // ASCII values 32..125 ('~' = 126 falls onto the same value as ' ').
        // $str[$i] replaces the $str{$i} offset syntax, which PHP 8 removed.
        $sigma = 94 + ord( $original[$i] ) + ord( $key[$i] ) - 64;
        $result .= chr( $sigma % 94 + 32 );
    }
    return $result;
}

function polyalph_decrypt($secret, $key = FALSE) {
    if (!$key) $key = $_SESSION["passphrase"]; // The access-key
    // Make the key at least as long as the text, if needed (doubling it each round)
    $i = round( strlen($secret)/strlen($key) );
    for ($j = 0; $j < $i; $j++)
        $key .= $key;
    $result = "";
    for ($i = 0; $i < strlen($secret); $i++) {
        // Undo the shift: 94 is added so $sigma never goes negative before the modulo
        $sigma = 94 + ord( $secret[$i] ) - ord( $key[$i] );
        $result .= chr( $sigma % 94 + 32 );
    }
    return $result;
}

Of course, this will only function with ASCII passwords, but for most of
us this should be enough. So with this trick, the encrypted passwords
can only be successfully decrypted if the user enters the right
master-password (= access-password).

Well, it is a little tricky and not 100% safe (as everything is):
- It wouldn't be a good idea to check the validity of the
access-password in plaintext. Instead try the following:
if ($_POST["user"] == "YOURUSERNAME" && sha1($_POST["password"]) ===
"YOUR SHA1-HASHED PASSWORD") // strict comparison for the hash string
$_SESSION["passphrase"] = $_POST["password"];
- Of course, this is only halfway safe if you have all more or less
"random" passwords.
- And in the end it can only prevent foolish webmasters from spying out
your database-passwords. But of course, the master-password is stored in
plaintext in the $_SESSION variable and this means it is also available in
plaintext somewhere on the computer.

jeremy
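The scheme above is a Vigenère-style shift cipher over the printable ASCII range, and its arithmetic is easy to check outside PHP. Below is an added Python port written for this page (not Jeremy's code): it reproduces the post's formula, indexes the key cyclically (equivalent to the key-doubling loop), refuses non-printable or non-ASCII input instead of silently garbling it, and makes one edge case visible: printable ASCII has 95 symbols (32..126), so with the post's modulus of 94 the character '~' collides with a space and does not survive a round trip. The `modulus` parameter, the function names and the sample strings are this example's own.

```python
# Added example: a Python port of the post's 94-character Vigenere-style
# cipher, used to check the round-trip property and the '~' edge case.
# The cipher arithmetic comes from the post; the function names, the
# `modulus` parameter and the sample strings are this example's own.

PRINTABLE_LOW = 32    # first printable ASCII character (space)
PRINTABLE_HIGH = 126  # last printable ASCII character ('~'): 95 symbols in total


def _check_printable(text: str, what: str) -> None:
    """Reject anything outside printable ASCII instead of silently garbling it."""
    for ch in text:
        if not PRINTABLE_LOW <= ord(ch) <= PRINTABLE_HIGH:
            raise ValueError(f"{what} contains non-printable/non-ASCII character {ch!r}")


def polyalph_encrypt(original: str, key: str, modulus: int = 94) -> str:
    """Shift each text symbol by the matching key symbol, modulo `modulus`.

    Mirrors the post: symbol value = ord(c) - 32, output = (p + k) mod modulus + 32.
    The key is indexed cyclically, which yields the same key stream as the
    post's key-doubling loop.
    """
    if not key:
        raise ValueError("key must not be empty")
    _check_printable(original, "plaintext")
    _check_printable(key, "key")
    out = []
    for i, ch in enumerate(original):
        p = ord(ch) - PRINTABLE_LOW
        k = ord(key[i % len(key)]) - PRINTABLE_LOW
        out.append(chr((p + k) % modulus + PRINTABLE_LOW))
    return "".join(out)


def polyalph_decrypt(secret: str, key: str, modulus: int = 94) -> str:
    """Inverse of polyalph_encrypt: output = (s - k) mod modulus + 32."""
    if not key:
        raise ValueError("key must not be empty")
    _check_printable(secret, "ciphertext")
    _check_printable(key, "key")
    out = []
    for i, ch in enumerate(secret):
        s = ord(ch) - PRINTABLE_LOW
        k = ord(key[i % len(key)]) - PRINTABLE_LOW
        out.append(chr((s - k) % modulus + PRINTABLE_LOW))
    return "".join(out)


def roundtrip_ok(text: str, key: str, modulus: int = 94) -> bool:
    """True when decrypt(encrypt(text)) gives the original text back."""
    return polyalph_decrypt(polyalph_encrypt(text, key, modulus), key, modulus) == text


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    db_password = "s3cret-DB_pw!"
    passphrase = "Master1"
    print(polyalph_encrypt(db_password, passphrase))
    print(roundtrip_ok(db_password, passphrase))           # True
    # '~' has symbol value 126 - 32 = 94, which modulus 94 maps to 0, the same
    # value as ' ', so it decrypts to a space and the round trip fails.
    print(roundtrip_ok("pw~", passphrase))                 # False with modulus 94
    print(roundtrip_ok("pw~", passphrase, modulus=95))     # True with the full alphabet
```

Running the script shows that every password made of the characters 32..125 round-trips with the post's modulus, while any password containing '~' silently loses that character; passing `modulus=95` covers the whole printable range. The explicit range check is what the PHP version lacks: feeding it a non-ASCII passphrase produces bytes outside the alphabet rather than an error.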
