Using Zend_Mail_Transport_Smtp with an MD5-hashed password

I would like to offer the users of my web application the ability to send emails using our SMTP server.

The passwords for user accounts are MD5-hashed, and the SMTP server hashes the received values to verify that the username and password are correct.

Now I am looking for a good way to configure Zend_Mail_Transport_Smtp. It explicitly needs a plaintext password, which it forwards to the SMTP server, which then converts it to an MD5 hash. But this means that I have to store the user's password somewhere in clear text, which I would like to avoid.

Are there any recommendations for setting up a web admin using the Zend Framework?

The only idea I had was to keep the unhashed password in the session (the user accounts in my application are linked to the mail server accounts), but there should be a better way to handle this situation.

1 answer

What you can do is store the password in encoded form in the database and decode it in your application when you need it. Unfortunately, MD5 is just a hash function, and you cannot decode the plaintext password from it. I know three ways to do this:

  • Replace letters:

    You can use something like ROT13 to replace letters in your regular password:

    // store this in the database
    $pw_rot = str_rot13( "plain_password" );    // "cynva_cnffjbeq"

    // use this in the application
    $pw_plain = str_rot13( "cynva_cnffjbeq" );  // "plain_password"

    I would not recommend using str_rot13() or something like it, because anyone who sees the stored value can easily guess the password.

  • Decode / encode without key:

    Another way is to decode/encode the password using a function that does not need a key, for example Base64:

    // store this in the database
    $pw_base64 = base64_encode( "plain_password" );   // "cGxhaW5fcGFzc3dvcmQ="

    // use this in the application (decode, not encode, to get the plaintext back)
    $pw_plain = base64_decode( "cGxhaW5fcGFzc3dvcmQ=" );  // "plain_password"

    A little better than the above, but I would use this only for testing, because it is easily implemented and used.

  • Decoding / encoding with the key:

    It is best to use a key and a symmetric block cipher like Blowfish:

    // NOTE: the mcrypt extension used here was deprecated in PHP 7.1 and
    // removed in PHP 7.2. In ECB mode the IV is created but ignored by mcrypt.
    class Password
    {
        const KEY = 'your_secret_key_for_the_cipher';

        // encode the plain text with the key for storing in the database
        public function encode( $plain_text )
        {
            // set up the environment
            $td = mcrypt_module_open( MCRYPT_BLOWFISH, '', MCRYPT_MODE_ECB, '' );
            $key = substr( self::KEY, 0, mcrypt_enc_get_key_size( $td ) );
            $iv_size = mcrypt_enc_get_iv_size( $td );
            $iv = mcrypt_create_iv( $iv_size, MCRYPT_RAND );

            $cipher_text = '';
            // mcrypt_generic_init() returns 0 on success, a negative value or false on error
            if( mcrypt_generic_init( $td, $key, $iv ) === 0 ) {
                $cipher_text = mcrypt_generic( $td, $plain_text );
                // clean up the mcrypt environment
                mcrypt_generic_deinit( $td );
            }
            mcrypt_module_close( $td );

            // use hex value
            return bin2hex( $cipher_text );
        }

        // decode the stored cipher text with the key to use in the application
        public function decode( $cipher_text )
        {
            // set up the environment
            $td = mcrypt_module_open( MCRYPT_BLOWFISH, '', MCRYPT_MODE_ECB, '' );
            $key = substr( self::KEY, 0, mcrypt_enc_get_key_size( $td ) );
            $iv_size = mcrypt_enc_get_iv_size( $td );
            $iv = mcrypt_create_iv( $iv_size, MCRYPT_RAND );

            $plain_text = '';
            if( mcrypt_generic_init( $td, $key, $iv ) === 0 ) {
                $plain_text = mdecrypt_generic( $td, pack( "H*", $cipher_text ) );
                // clean up the mcrypt environment
                mcrypt_generic_deinit( $td );
            }
            mcrypt_module_close( $td );

            // remove NUL bytes that may have been added when padding the plain_text
            return rtrim( $plain_text, "\0" );
        }
    }

    Thus, only someone who has access to both the database and the source code can decode the password. On the downside, you have a more complex application and a small performance impact. You can also use another symmetric block cipher.

And most importantly: never store plaintext passwords.

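The following is an added example, not code from the question or the answer above. It shows what the third option (keyed, reversible storage of the SMTP password) looks like without the weaknesses of the Blowfish/ECB snippet: mcrypt was removed in PHP 7.2, ECB produces the same ciphertext for the same password in every row, and nothing detects a tampered or swapped database value. The example uses AES-256-GCM through the openssl extension (PHP 7.4+ assumed), a fresh random nonce per record, and the user id as associated data so one user's stored credential cannot be copied into another user's row. The environment variable name `SMTP_VAULT_KEY`, the `SmtpCredentialVault` class, the `smtpTransportConfig()` helper and the demo credentials are all assumptions made for this illustration; the config keys (`auth`, `username`, `password`, `ssl`, `port`) are the ones Zend_Mail_Transport_Smtp's constructor accepts in Zend Framework 1.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the original answer): reversible storage of a
 * user's SMTP password with authenticated encryption (AES-256-GCM via the
 * openssl extension) instead of the mcrypt/Blowfish-ECB approach.
 */
final class SmtpCredentialVault
{
    private const CIPHER  = 'aes-256-gcm';
    private const VERSION = "\x01";   // format byte, allows key/cipher rotation later

    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('key must be 32 raw bytes');
        }
        $this->key = $key;
    }

    /** Load the key from outside the database (assumed env var, hex-encoded). */
    public static function fromEnv(string $var = 'SMTP_VAULT_KEY'): self
    {
        $hex = getenv($var);
        if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
            throw new RuntimeException("$var must hold 64 hex characters");
        }
        return new self(hex2bin($hex));
    }

    /** Encrypt; the user id is bound as associated data so rows cannot be swapped. */
    public function seal(string $password, string $userId): string
    {
        $nonce = random_bytes(12);            // fresh per call: equal passwords give different blobs
        $tag   = '';
        $ct = openssl_encrypt($password, self::CIPHER, $this->key,
                              OPENSSL_RAW_DATA, $nonce, $tag, $userId, 16);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return base64_encode(self::VERSION . $nonce . $tag . $ct);
    }

    /** Decrypt; fails closed if the blob was modified or belongs to another user. */
    public function open(string $blob, string $userId): string
    {
        $raw = base64_decode($blob, true);
        if ($raw === false || strlen($raw) < 1 + 12 + 16 || $raw[0] !== self::VERSION) {
            throw new RuntimeException('malformed credential blob');
        }
        $nonce = substr($raw, 1, 12);
        $tag   = substr($raw, 13, 16);
        $ct    = substr($raw, 29);
        $pw = openssl_decrypt($ct, self::CIPHER, $this->key,
                              OPENSSL_RAW_DATA, $nonce, $tag, $userId);
        if ($pw === false) {
            throw new RuntimeException('credential blob failed authentication');
        }
        return $pw;
    }
}

/** Build the $config array Zend_Mail_Transport_Smtp's constructor expects (ZF1). */
function smtpTransportConfig(SmtpCredentialVault $vault, string $userId,
                             string $login, string $blob): array
{
    return [
        'auth'     => 'login',
        'username' => $login,
        'password' => $vault->open($blob, $userId),   // decrypted only at send time
        'ssl'      => 'tls',
        'port'     => 587,
    ];
}

// --- demo with a constructed key and constructed credentials (not real) ---
putenv('SMTP_VAULT_KEY=' . bin2hex(random_bytes(32)));
$vault = SmtpCredentialVault::fromEnv();
$blob  = $vault->seal('correct horse battery staple', 'user:42');   // store this in the DB
$cfg   = smtpTransportConfig($vault, 'user:42', 'alice@example.com', $blob);
assert($cfg['password'] === 'correct horse battery staple');

// The same password sealed twice yields different blobs (Blowfish-ECB would not).
assert($blob !== $vault->seal('correct horse battery staple', 'user:42'));

// Replaying the blob under another user id, or editing it, is rejected.
try {
    $vault->open($blob, 'user:43');
    echo "unexpected: blob accepted for wrong user\n";
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
// Actual sending would then be: new Zend_Mail_Transport_Smtp('smtp.example.com', $cfg);
```

The key lives in the environment (or a secrets store), never in the database or the source tree, so a database dump alone yields nothing usable; the answer's point that an attacker needs both the stored data and the key still holds, but here the ciphertext is also randomized and integrity-protected. If the SMTP password can be re-entered at login, the questioner's session-only idea avoids persistent storage entirely and is the simpler choice.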