Hello,
I'm writing a blog software in C. At the moment, posting new stuff works this way: write a simple text file offline, upload it to a specified folder and let the software do the rest, like formatting, adding a "next page" button if necessary, giving the user the ability to highlight one single post, loading a stylesheet etc. I think it's basically how blosxom handles it.
But at this point it would be nice if the user could say "http://www.foo.bar?newpost", type in his username & password and get a nice textbox where he can enter his new post without starting his FTP client or editor. Basically, this should be quite easy to implement, but I'm not sure how I can make the login process safe.
I considered the following approaches:
Saving the password in the binary. - Bad idea, I think. First you need to do a recompile every time you change your password, and someone could simply download and disassemble the binary to get the password.
Using a read-only file to store the password and rejecting the login if the chmod of this file isn't correct. - Well, I'm not sure if this is a good idea, because storing something like a password in plaintext on an FTP doesn't seem to be very clever.
So I thought about encrypting the password file. But how can this be done in a good way? If I use some static key, I have the same problem as before: someone could easily retrieve it from the binary (or even the source, if hardcoded there). Letting the user provide some generated key sounds quite good, but SSL isn't available every time, so sniffing the key would be possible.
At this point, thank you for reading this quite long text. This is the first time I'm doing stuff like that, and it would really suck if someone would be owned because of some insecure, badly designed login process.
It would be nice if someone has a hint for me that helps me implement a secure login, ideally user friendly.
After all, it must work for Wordpress et cetera somehow.
Thanks in advance for tips and hints.
Hash functions to the rescue. Ever heard of MD5 or SHA1? No need to save the password in plaintext.
Hmm, my little tip would be: store login information in a DB (with the password field md5 hashed) and _before_ the user submits his login credentials, md5 his password with an md5 hash javascript (google: md5.js), so the user doesn't send his password plaintext over the line but the md5 hash of it. I hope it's a little bit clear.
--Ronny
trust is a weakness
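The stored-hash approach from the replies above, as an added example written in Python for this thread (it is not code from the thread or from the poster's C blog software). Instead of a bare md5 of the password it stores a per-user random salt and a PBKDF2-SHA256 digest, and compares digests in constant time; the username and password file contents are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a storable record 'iterations$salt_b64$digest_b64'.

    A fresh random salt per record means two users with the same password
    get different records, so the file reveals nothing about shared passwords.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS,
                         base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(digest).decode("ascii"))

def verify(password: str, record: str) -> bool:
    """Recompute the digest for the candidate password and compare it.

    Malformed records are treated as a failed login rather than an exception,
    and the comparison is constant-time so it leaks nothing about the digest.
    """
    try:
        iters_s, salt_b64, digest_b64 = record.strip().split("$")
        iters = int(iters_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, expected)

# Constructed password file: one "username:record" line per user, kept outside
# the binary so changing a password never requires a recompile.
PASSWORD_FILE = "herr.jth:" + make_record("correct horse") + "\n"

def authenticate(username: str, password: str, file_text: str) -> bool:
    """Look the user up in the password file text and verify the password."""
    for line in file_text.splitlines():
        user, sep, record = line.partition(":")
        if sep and user == username:
            return verify(password, record)
    return False  # unknown user
```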
Hash functions to the rescue. Ever heard of MD5 or SHA1? No need to save the password in plaintext.
*ouch*
Yes, that is exactly what I was looking for. Get the password, use some hash algorithm on it and _after_ that, send it to the server. Easy enough, but somehow I missed that.
Thanks, I think this one is solved.
Last edited by herr.jth (2007-09-05 12:19:30)