I apologize if this is a duplicate; I tried searching for this and haven't found exactly what I'm looking for.
OK, so let's say I have code like this:
<?php
// Credentials taken straight from the POST body
$user = $_POST['username'];
$pass = $_POST['password'];
// Hard-coded username and plaintext password compared directly
if ($user == "admin" && $pass == "password")
{
    echo "Password correct";
}
else
{
    echo "Password incorrect";
}
?>
How effective would this method of username/password validation be? I know it's not the best way to do this but why not? How exactly could someone hack this?
I've seen some examples like this:
<?php
$user = $_POST['username'];
$pass = $_POST['password'];
if ($user == "admin" && $pass == "password")
{
    // Serves a static file that can also be requested directly
    include "correct.html";
}
else
{
    echo "Password incorrect";
}
?>
But I know that would be worse, since someone could just directly access the "correct.html" file and bypass the initial security check. However, by using echo, would they be able to get around the username/password check?
Upvotes: 1
Views: 2698
Do not do this. Never compare the password as a plain text value.
There are a large number of ways people can hack into the various systems (DB, PHP, etc.) that support your code. The point of password hashing is that IF your database contents are shared, your database users cannot be broken into.
If your password is a hard-coded value, it cannot be changed except manually.
If your password is a hard-coded value and your file is somehow copied/downloaded or similar, then this can be shared and leaked (although in this situation this will be lower down your list of concerns, to be honest).
If the password is saved in a database, it needs to be hashed. Please read about Password Hashing (http://php.net/manual/en/function.password-hash.php), as it's a useful PHP function in PHP 5.
What you are displaying is very probably the worst way of authenticating a user.
Google your question and you will find a wealth of better descriptions of why you should never keep passwords as plain text values.
Why encrypt passwords? Because people are stupid: people who can choose their own passwords on sites such as Facebook, Google+, Hotmail, Gmail, etc. will not usually choose "F45G5N__lksZX112b" as their password, instead choosing something that they can (and therefore others can) easily remember, such as "foxtrot69".
People will also very rarely use different passwords for different logins; people may use different variations on the same password, "Foxtrot69", for instance.
What this means is that if you give away people's passwords to your website in plain text format, through an SQL hack or similar method (say you have 2000 rows stolen; that's 2000 passwords), then together with other information such as an email address or name/postal address, it becomes exponentially easier for the hacker/attacker to use those details to try and hack into that person's other online accounts, for example:
User 1 of 2000:
name: Bob Dimond
email: [email protected]
password: rubmeup11
address: Duke Town, Illinois
With this hacked, the hacker/attacker can then try the username and password to log into their Gmail account. This may fail (perhaps their Gmail account password is rubmeup69), but they may also have a Hotmail account [email protected] with that password. Then Gmail will say, in the forgotten-password routine, "send password to an alternative address", which could be the Hotmail address, and so without even knowing the Gmail password text, the attacker has circumvented the security because of your failure to encrypt your users' details.
Once into his Gmail account, the hacker can then log in and get password resets for everything: Facebook, SoundCloud, etc.
With 2000 stolen account details (suppose), the success rate of this method of cross-validation is something around 7-9%, but some reports I read a while ago mentioned it can be as high as ~17% if they have scripts to hack email logins with similar text passwords, such as:
attempt 1 = rubmeup11
attempt 2 = RubmeUp11
attempt 3 = RubMeUp11
attempt 4 = rubmeup12
...
So your failure can therefore lead to the compromise of maybe 200-250 of your 2000 users.
The above example is a simplification, but you should see the methodology: giving hackers a proven starting point with passwords really, really cuts down their time expenses in cracking into breached users' accounts on other systems.
THIS IS WHY YOU SHOULD ALWAYS ENCRYPT YOUR PASSWORDS
Upvotes: 1
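As an added example (not code from the question or the answer), here is the hard-coded plaintext check from the question next to a version built on the password_hash()/password_verify() functions the answer links to. The user record array and the sample password are constructed stand-ins for a database row.

```php
<?php
// Insecure form from the question: the secret sits in the source file and
// is compared as plain text, so anyone who reads the file has the password.
function check_plaintext(string $user, string $pass): bool
{
    return $user === 'admin' && $pass === 'password';
}

// Hardened form: at account creation, store only the bcrypt/argon digest.
// Constructed stand-in for an INSERT into a users table.
function register(array &$users, string $user, string $plain): void
{
    $users[$user] = password_hash($plain, PASSWORD_DEFAULT);
}

// At login, look up the stored digest and let password_verify() compare the
// candidate in constant time. The plaintext never needs to be stored.
// Returns true on success; also re-hashes transparently when the default
// algorithm or cost has changed since the digest was created.
function check_hashed(array &$users, string $user, string $pass): bool
{
    if (!isset($users[$user])) {
        return false;                       // unknown user
    }
    if (!password_verify($pass, $users[$user])) {
        return false;                       // wrong password
    }
    if (password_needs_rehash($users[$user], PASSWORD_DEFAULT)) {
        $users[$user] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo: an in-memory "users table" with one account.
$users = [];
register($users, 'admin', 'correct horse battery staple');

// Leaking $users now exposes only a salted digest, not a reusable password.
assert(check_hashed($users, 'admin', 'correct horse battery staple') === true);
assert(check_hashed($users, 'admin', 'password') === false);
assert(check_hashed($users, 'nobody', 'anything') === false);

// Request handling: ?? avoids undefined-index notices on missing fields.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
echo check_hashed($users, $user, $pass) ? "Password correct" : "Password incorrect";
```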