http://simonwillison.net/2003-02-08T23:53:25+00:00Simon Willison2003-02-08T23:53:25+00:002003-02-08T23:53:25+00:00https://simonwillison.net/2003/Feb/8/hashingClientsideData/#atom-tag

<p>Via <a href="http://radio.weblogs.com/0103807/2003/02/08.html#a1323" title="PHP and OWASP Security">Scott</a>, a clever <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> technique for ensuring data sent to the browser as a cookie or hidden form variable isn't tampered with by the user:</p> <blockquote cite="http://www.sklar.com/page/article/owasp-top-ten"><p> If you're expecting to receive data in a cookie or a hidden form field that you've previously sent to a client, make sure it hasn't been tampered with by sending a hash of the data and a secret word along with the data. Put the hash in a hidden form field (or in the cookie) along with the data. When you receive the data and the hash, re-hash the data and make sure the new hash matches the old one. </p></blockquote> <p>A further explanation and example code can be found in <a href="http://www.sklar.com/page/article/owasp-top-ten">PHP and the OWASP Top Ten Security Vulnerabilities</a>, a handy article describing how <acronym title="PHP: Hypertext Preprocessor">PHP</acronym> coders can combat the top ten web application security problems highlighted by a recent report from <a href="http://www.owasp.org/">OWASP</a>. Incidentally, <acronym title="The Open Web Application Security Project">OWASP</acronym> still haven't fixed the cross site scripting vulnerability <a href="http://www.owasp.org/%3Cscript%3Ealert(%22boo%22)%3C/script%3E">on their own site</a>, discovered by <a href="http://tom.me.uk/blog/">Tom Gilder</a> several weeks ago.</p> <p>Incidentally, while the hashing method is clever and should be nice and secure I personally advocate not sending the user <em>any</em> information unless absolutely necessary - use sessions and store sensitive data on the server instead. I suppose you could always use the hash to add an extra layer of security to the session identifier though.</p> <p>Tags: <a href="https://simonwillison.net/tags/hashing">hashing</a>, <a href="https://simonwillison.net/tags/owasp">owasp</a>, <a href="https://simonwillison.net/tags/php">php</a>, <a href="https://simonwillison.net/tags/scott-johnson">scott-johnson</a>, <a href="https://simonwillison.net/tags/security">security</a></p>

2002-12-05T02:23:47+00:002002-12-05T02:23:47+00:00https://simonwillison.net/2002/Dec/5/rememberingPasswords/#atom-tag

<p>Via <a href="http://radio.weblogs.com/0103807/2002/12/04.html#a1019" title="One of the Most Useful Articles in a Long Time: How To Remember Your Passwords">Scott</a>, an <a href="http://howto.looselycoupled.com/blog/2002_10_27_dy.htm#85623755" title="How to remember all your passwords">article</a> with some great tips on remembering your passwords. It includes the following vitally important tip:</p> <blockquote cite="http://howto.looselycoupled.com/blog/2002_10_27_dy.htm#85623755"><p> You may trust the provider you're signing up with, but are you confident no-one will hack into their database? If in doubt, err on the side of caution - be safe, not sorry. </p></blockquote> <p>A few years back I nearly learnt this one the hard way. An online gaming forum I had signed up for was cracked, and the password file started making its way around the less scrupulous members of the UK gaming community. The first I heard of this was when someone used my username and password form that forum to log in to my account on a different forum and post some messages. The bad news was that I had administrator access on the different forum, which at that time had over 20,000 active members and nearly 2 million posts.</p> <p>Luckily the prankster in question didn't cause any damage and contacted me to warn me to change my password, but it gave me (and the other administrators of the forum) a pretty big scare.</p> <p>Ever since then, I have maintained a minimum of 3 passwords. I have a low security username/password for unimportant accounts, a medium level one for sites that I trust to a greater extent than the low security ones and a number of high security passwords used for e-commerce sites and important admin level accounts. I should probably start spreading myself even thinner.</p> <p>Tags: <a href="https://simonwillison.net/tags/passwords">passwords</a>, <a href="https://simonwillison.net/tags/scott-johnson">scott-johnson</a>, <a href="https://simonwillison.net/tags/security">security</a></p>