Comments for Tinsology

Comment on Creating a Secure Login System the Right Way by Kim Fox

Kim Fox — Sat, 18 Feb 2012 21:34:20 +0000

Awesome Tutorial!!! You have a great way of explaining things so that people can understand them easily. I’ve been meaning to figure out how to create secure login systems for forever and this article was just what I needed.

Are you on Twitter? I’d love to follow you for future articles and tips!
(and the comment form is cool, too!)

Comment on Creating a Secure Login System the Right Way by Adam

Adam — Wed, 15 Feb 2012 16:25:39 +0000

Thank you Tinsley for publishing this. It’s been difficult to find an easy to read intro to a basic login system. This is great. Best wishes!!

Comment on Creating a Secure Login System the Right Way by Jo

Jo — Sat, 11 Feb 2012 10:59:39 +0000

Thank you for ur reply!

Comment on Creating a Secure Login System the Right Way by Derek

Derek — Sat, 11 Feb 2012 05:48:57 +0000

100% agree I started reading this to better secure my custom made login system.

Comment on Creating a Secure Login System the Right Way by Tinsley

Tinsley — Sat, 11 Feb 2012 05:00:56 +0000

But what happens to the form data (username and password) between client and server?! I mean: unless you don’t use an https connection this data travels in plain text and can be easily sniffed. So my question is: there’s a way to encrypt data BEFORE send’em? (maybe with javascript?!)

The data is sent unencrypted so yes someone listening in could retrieve your raw password. The solution is to use ssl.

If you needed to you could use javascript to encrypt the form data and decrypt it server side. You would need to use some kind of public key encryption (ex RSA). Basically you would use the public key to encrypt all of the form data and then server side you would use the private key to decrypt it. Someone intercepting the request wouldn’t be able to decrypt the form data without the private key. You would also need to use a nonce to prevent replay attacks (which ssl also protects against).

Comment on Creating a Secure Login System the Right Way by Jo

Jo — Fri, 10 Feb 2012 19:44:55 +0000

First of all I wanna thank you for this post.
I find it very usefus and clear, but I’ve a little security related question: hashing the password in the db make it really undiscoverable in any way. This is a real good thing. But what happens to the form data (username and password) between client and server?! I mean: unless you don’t use an https connection this data travels in plain text and can be easily sniffed.
So my question is: there’s a way to encrypt data BEFORE send’em? (maybe with javascript?!)

After my question I want to say to all those who criticize this post that I think these resorces need to be contextualized in your knowledge. If you don’t have the right PHP or programmin’ basis you really don’t understand a word of what you can read here!!! I say this because I’m not a programmer, only an enthusiast with a little PHP and programming basis. Anyway I’ve realized what I’ve read in this post in about 5 minutes… I apologize for my honesty but I think that first of all u’ve to say “Thank’s for sharing!” and then you can give your constructive contribution.
Cheers!!!

Comment on Creating a Secure Login System the Right Way by Jagedman

Jagedman — Fri, 10 Feb 2012 19:25:24 +0000

I thoroughly disagree with, Steve. If you read the entire post, it explains everything. You will never be a good coder by downloading scripts and copying and pasting. Do the work!

Comment on Creating a Secure Login System the Right Way by Tinsley

Tinsley — Fri, 10 Feb 2012 17:06:26 +0000

Depending on your implementation all of the user management code could be in a single file or spread out across several. Having me throw together several distinct file arbitrarily isn’t as helpful to someone integrating user management into their application as understanding the concepts is. I may not be doing the work for you, but that’s probably a good thing considering I can’t possibly know anything about the design of the rest of your application.

Comment on Creating a Secure Login System the Right Way by Tinsley

Tinsley — Fri, 10 Feb 2012 16:56:19 +0000

The goal isn’t to teach you PHP. The zip file isn’t happening. Stingy coders is one way of looking at it; another is lazy readers.

Comment on Creating a Secure Login System the Right Way by Steve

Steve — Fri, 10 Feb 2012 14:05:53 +0000

I slightly disagree with John, but massively disagree with the both of you. This is terrible ‘help’.

You could have at least added ‘xxxx.php’ above each section to silently tell people which files they should be editing.

Comment on Creating a Secure Login System the Right Way by Steve

Steve — Fri, 10 Feb 2012 14:02:22 +0000

This would be a great tutorial if it were more complete, but for someone new into PHP, it’s absolutely useless. It’s like bits of code splashed around on a page, no direction nor bearing. I think people would appreciate a direct link to a ZIP instead of this. Stingey coders…

Comment on Creating a Secure Login System the Right Way by Chris

Chris — Sun, 05 Feb 2012 10:13:23 +0000

A great starting point. Thanks a bunch!

Comment on Creating a Secure Login System the Right Way by Ollie

Ollie — Sun, 05 Feb 2012 05:17:37 +0000

This evening I’ve been researching secure login and registration practices and this one is exactly what I’ve been looking for — great well written article. Thanks

Comment on Do We Need Longer Passwords? by April

April — Sun, 29 Jan 2012 15:29:32 +0000

Thank you very much… I have been programming in PHP/MySQL for about 6 years and while I understood what “To Do” and “Not To Do”, I can honestly say I didn’t get the hashing until I read this article and a similar article you wrote. Very helpful.

Comment on Creating a Secure Login System the Right Way by qamar

qamar — Sat, 28 Jan 2012 15:31:49 +0000

Nice tutorial, You have a great way of making things simple.
cheers