Downloads Password/Logging
April 2nd, 2007, 02:19 AM
#1 (permalink)
Senior Member
Join Date: May 2003 Location: Aus, Gold Coast :)
Posts: 802
Hey guys,
I need to create a page for my website where people have to log in using a username and password that is generic for that week in order to download the files - I also need to log their details like IP etc.
Any ideas how I go about this using PHP or JavaScript - something like htaccess or something like that?!
Thanks
April 2nd, 2007, 02:44 AM
#2 (permalink)
SoMuchAnime-SoLittleTime
Join Date: Aug 2003 Location: Plymouth, WI
Posts: 14,983
You could look into the authentication system for phpBB2.
That would probably be the easiest.
Also, make sure you are encrypting the passwords in the database (I would use MD5). Just in case your db server gets taken over, the person would not know what everyone's password is (at least not without spending a heck of a lot of time running scripts to "reverse" the MD5).
April 2nd, 2007, 03:25 AM
#3 (permalink)
Senior Member
Join Date: May 2003 Location: Aus, Gold Coast :)
Posts: 802
I don't need individual passwords - I need a generic one that changes weekly - I was thinking of developing it myself but it will look cheap..
April 2nd, 2007, 04:01 AM
#4 (permalink)
SoMuchAnime-SoLittleTime
Join Date: Aug 2003 Location: Plymouth, WI
Posts: 14,983
I see...
In that case I would probably restrict access to the site with a .htaccess file and password protect the directory. That would be the easiest.
This might help: http://www.javascriptkit.com/howto/htaccess3.shtml
Of course you would need to manually update the file with the password every week.
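The weekly manual update described in post #4 can be scripted. The following PHP command-line script is an added example, not code from the thread or its posters; the file path, the shared login name `downloads` and an Apache 2.4 server that accepts bcrypt entries in `AuthUserFile` are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed names (not from the thread): file location and shared login.
const HTPASSWD_FILE = '/var/www/private/.htpasswd'; // keep outside the web root
const SHARED_USER   = 'downloads';

// Matching .htaccess in the protected directory:
//   AuthType Basic
//   AuthName "Downloads"
//   AuthUserFile /var/www/private/.htpasswd
//   Require valid-user

/** Random password from an alphabet without look-alike characters. */
function generatePassword(int $length = 16): string
{
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG
    }
    return $out;
}

/** Replace the htpasswd file atomically with a single bcrypt entry. */
function writeHtpasswd(string $file, string $user, string $password): void
{
    // PASSWORD_BCRYPT produces a "$2y$" hash, which Apache 2.4 accepts.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $tmp  = $file . '.tmp';
    if (file_put_contents($tmp, $user . ':' . $hash . "\n", LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0640); // owner read/write, group read
    if (!rename($tmp, $file)) { // atomic when both paths are on one filesystem
        throw new RuntimeException("cannot replace $file");
    }
}

if (PHP_SAPI === 'cli') {
    $password = generatePassword();
    writeHtpasswd(HTPASSWD_FILE, SHARED_USER, $password);
    // Shown once for the admin to hand out; only the hash is stored.
    echo 'Password for ISO week ', date('o-\WW'), ': ', $password, PHP_EOL;
}
```

Run it from cron once a week. Apache's access log in common or combined format already records the client IP, the authenticated user name and the requested file for each download, which covers the logging asked for in post #1.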
April 2nd, 2007, 04:08 AM
#5 (permalink)
Senior Member
Join Date: Oct 2004 Location: NE Pennsylvania
Posts: 757
I have websites and a passworded fileserver using this: http://www.keyfocus.net/kfws/
Easier than Abyss, many options, it works, can do multiple sites, and best of all it's completely free.
But then again the others gave great advice, just something I thought you might want to know.
Last edited by quickoldcar : April 2nd, 2007 at 04:10 AM.
April 2nd, 2007, 04:18 AM
#6 (permalink)
Ultimate Member
Join Date: Sep 2003 Location: From my house
Posts: 1,261
If you're using IIS, then just put it as the access password to that portion of the page. Change it as needed. Shouldn't be that bad.
On my WinServ2K3, I just opened up the guest account with EXTREMELY limited permissions on it, and tied that into my IIS browsing for downloading over http. If I need to adjust the password, I can just hit the guest account up. (Just make sure to disable anon. access to the portion you want to lock)
__________________
And thus it was spoken by the mighty Uss. And it was so.
Last edited by usslindstrom : April 2nd, 2007 at 04:20 AM.
April 2nd, 2007, 04:39 AM
#7 (permalink)
Banned
Join Date: Jan 2005 Location: Loveland, CO
Posts: 5,492
April 2nd, 2007, 02:00 PM
#8 (permalink)
SoMuchAnime-SoLittleTime
Join Date: Aug 2003 Location: Plymouth, WI
Posts: 14,983
I actually made an MD5 hash cracker myself once to see how easy it was...
A password up to 5 chars is not safe in MD5, 6 is decent, but the more the better. And you really need to use numbers, letters, or whatever else you can make that is not used very often.
Just looking at my keyboard there are 94 chars (I am not including the hidden ones you can make with mixtures of the CTRL button).
So if your password is 1 char it would only take 94 tries at a maximum to brute force it.
If it was 2, it would take a maximum of 8836 tries to brute force it.
At 3 it would take 830,584 tries at maximum
At 4 it would take 78,074,896 at maximum
At 5 it would take 390,374,480 tries at maximum
Here is the short term limit. I can crack any MD5 with any 1 to 5 standard character (numbers, letters, and symbols) string in about 10 - 15 seconds on a PHP based script.
At 6 it would take 36,695,201,120 tries max
7 would be 3,449,348,905,280 tries max
8 would be 324,238,797,096,320 tries max
etc, etc...
I would say 6 and 7 could be done if you had a much more efficient build and code (I was using PHP, which is not made for that kind of stuff). But it would still take many days to crack a standard character (numbers, letters, and symbols) password at 8 chars.
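Posts #2 and #8 concern passwords stored as MD5 and how quickly short ones fall to exhaustive search. As an added example (not code from the thread or its posters), this PHP code puts the unsalted MD5 scheme next to `password_hash()` and upgrades legacy rows at login; the user row and passwords are constructed, and the function names are illustrative.

```php
<?php
declare(strict_types=1);

/** Legacy scheme discussed in the thread: one unsalted MD5 per password. */
function legacyHash(string $password): string
{
    return md5($password); // fast and unsalted: equal passwords give equal hashes
}

/** Replacement scheme: salted, deliberately slow hash with a tunable cost. */
function strongHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Verify a login against a stored hash of either kind.
 * Returns [bool $ok, ?string $upgraded]; store $upgraded when it is not null.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, legacyHash($password)) // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return [false, null];
    }
    // Re-hash while the plaintext is in hand: legacy rows, or rows below the current cost.
    $needs = $isLegacy
        || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return [true, $needs ? strongHash($password) : null];
}

// Constructed demo: a row created under the old MD5 scheme.
$row = ['user' => 'alice', 'hash' => legacyHash('correct horse 42')];
[$ok, $upgraded] = verifyAndUpgrade('correct horse 42', $row['hash']);
if ($ok && $upgraded !== null) {
    $row['hash'] = $upgraded; // in a real system, write this back to the table
}
echo 'login ok: ', var_export($ok, true), PHP_EOL;
echo 'stored algorithm: ', password_get_info($row['hash'])['algoName'], PHP_EOL;
echo 'wrong guess ok: ', var_export(verifyAndUpgrade('wrong guess', $row['hash'])[0], true), PHP_EOL;
```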
April 2nd, 2007, 08:26 PM
#9 (permalink)
Banned
Join Date: Jan 2005 Location: Loveland, CO
Posts: 5,492
There are many mathematical ways to scrutinize on particular variables to reduce the time it takes on a brute force method.
I also should mention the idea of a cluster of computers to reduce this time.
Very good idea to make a password at least 16 characters in length with alpha-numeric-symbols-upper and lower case. This is what I use. No character is a repeat.
You mention the CTL key, don't you mean the ALT key? Like ALT 255 for [space] or ALT 159 for ƒ, etc.
Hell, 1337 could work too. p455w0rd.
April 2nd, 2007, 09:57 PM
#10 (permalink)
SoMuchAnime-SoLittleTime
Join Date: Aug 2003 Location: Plymouth, WI
Posts: 14,983
16 chars is not really needed. If any site you visit stores your password in an unencrypted or easily breakable encryption, anyone can view it (you would be amazed how many places store plain text passwords).
Alt, ctrl, whatever it is to make the non-standard US chars.
"1337" wouldn't work, unless they are doing a simple dictionary attack (though with something as lame as a dictionary attack, you could record all the possible combos and save it in a database to find the real answer in a second or less).
I have no doubt that if I could write a brute forcer in assembly that I would get very fast results. But I don't think you can do that to get any MD5 sum.
Also, if the person knows you are not repeating any characters you set yourself up for a major weakness (especially since we now know it is 16 chars long). If I was enthusiastic at all right now I would get some numbers and see the possible number of combinations it would take at maximum to get your password. I don't think it would be very many.