So yeah guys,
You probably noticed that due to the recent hacking stuff I started making an SMF mod to drastically improve login security.
Well, as it goes with security, it is best if it is discussed by multiple people, thus me making this thread (even though I believe my concepts to be secure currently, it's best to check back with others).
The current code can be found here:
https://github.com/Sorunome/SMF-bcrypt

The concepts are:

Storing passwords
Using PHP's password_hash with PASSWORD_DEFAULT to hash+salt the passwords, storing the result in the DB.
I chose this way as it currently uses bcrypt with the perspective to the future to automatically upgrade to a stronger alg without the need to change any code.

Transmitting passwords to server
Even though this should be fairly simple as we use https, it's still a good idea to add some extra security to that, especially since I plan to release this mod to normal SMF people who may not have https.
For that, as soon as the user hits login, there will be an AJAX request to fetch an RSA public key which was created in that instant and will only be valid for one min. The client will encrypt the password using that RSA public key, the server will then decrypt using the stored private key. Again, these temporary keys are only valid for one minute and can only be used once, they will be deleted right after being used.

Login cookies
For this I generate a random string (16 bytes) which gets hashed with password_hash using the PASSWORD_DEFAULT method. The actual random string will be set as cookie, the hash reaches the database. So each page load I check against that.
In addition each hash/pwd goes along with an index so that multiple sessions are possible.
So, any thoughts?
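
Added example, not part of the original post and not code from the SMF-bcrypt repository: a sketch of the password storage and indexed login-cookie scheme described above. The function names, the `index:token` cookie format and the in-memory `$db` array standing in for the database are assumptions made for illustration.

```php
<?php
// Constructed sample state: one stored password hash and an empty session table.
$db = ['password' => password_hash('correct horse', PASSWORD_DEFAULT), 'sessions' => []];

// Verify a login and upgrade the stored hash once PASSWORD_DEFAULT moves to a new algorithm or cost.
function check_password(array &$db, string $password): bool
{
    if (!password_verify($password, $db['password'])) {
        return false;
    }
    if (password_needs_rehash($db['password'], PASSWORD_DEFAULT)) {
        $db['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Create a login cookie: the random token goes to the client, only its hash is stored.
function issue_cookie(array &$db): string
{
    $index = bin2hex(random_bytes(4));   // picks the session row, so several sessions can coexist
    $token = bin2hex(random_bytes(16));  // 16 random bytes, hex-encoded so bcrypt never sees a NUL byte
    $db['sessions'][$index] = password_hash($token, PASSWORD_DEFAULT);
    return $index . ':' . $token;
}

// Per-page-load check: find the row by index, then verify the token against the stored hash.
function check_cookie(array $db, string $cookie): bool
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db['sessions'][$parts[0]])) {
        return false;
    }
    return password_verify($parts[1], $db['sessions'][$parts[0]]);
}

// Logout removes only this session's row; other devices stay signed in.
function revoke_cookie(array &$db, string $cookie): void
{
    unset($db['sessions'][explode(':', $cookie, 2)[0]]);
}

var_dump(check_password($db, 'correct horse'));
$laptop = issue_cookie($db);
$phone  = issue_cookie($db);
var_dump(check_cookie($db, $laptop), check_cookie($db, $laptop . 'x'));
revoke_cookie($db, $laptop);
var_dump(check_cookie($db, $laptop), check_cookie($db, $phone));
```

Because password_verify runs a full bcrypt computation, the per-page-load check costs as much as a login attempt, which is worth measuring on a busy forum.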