Posts Tagged ‘passwords’

Recently I registered with the new Virgin Money credit card service. They have just taken over the running of their own credit cards from MBNA so everyone has to re-register on their new system.

I selected a 14-character password containing a mixture of upper and lower case letters, numbers and symbols.

Five minutes later I was changing it to a simple easy-to-remember phrase. Why? Because every time I log in to my account I have to enter a set of certain digits from my password.

The problem is that I have no idea what my password is. It is safely secured away in 1password; I never look it at, I never know what it is. But thanks to Virgin Money’s so called security measures, much like other financial organisations do, I am instead forced to use a far more easily crackable password.

Back to basics today. Creating a user and setting their password.

useradd test
passwd test

If you store passwords as part of a PHP script, you may be using md5() or sha1() to hash the password. This is common practice, but you may be suprised to know that actually, the PHP manual recommends against it.

The reason is that they are both fast but relatively insecure hashing algorithms that can be brute forced by modern computer systems if they get hold of the strings. A better approach is to use the crypt() function, which is a little more expensive in terms of resources, but worth it for the increased difficultly you create for any potential hackers.

This will show you how to make a password page. This should never be used for anything! Ever! It’s purely just to show you how it could be done. But it is literally less lecture than leaving your front door wide open.

In you you put in your password and if it is correct you go the another page. If you are incorrect you go to a wrong password page. Take a look at the script.

<script language="JavaScript">
function passwordOK(anystring) {
anystring = anystring.toUpperCase()

if (anystring == "GREEN" || anystring == "BLUE" || anystring
== "RED" || anystring == "YELLOW") {
/*Add more passwords if you'd like, but ALL PASSWORDS MUST BE IN CAPS!*/
alert('You got it right!')
alert('Now taking you to the hidden page.')
location="page2.htm"
//Change page2.htm to your hidden page
}


else {
alert ("Please enter the CORRECT password next time.")
location="wrongpage.htm"
/*substitute your own wrong page for wrongpage.htm*/
}
}
</script>
<form>
Password:
<input type="password" name="pass" Size="20" onChange="passwordOK(this.value)" />
</form>

As you can see the input box triggers the javascript function ‘passwordOK.’ Below the function name, in the next paragraph and what to do if the password is correct. Below that is the alert if the password is incorrect. Have a play around with the script and see what you can do. The whole thing can be copied in the body tag of your page.