One of our main goals is to make RecordPress secure! Prevent hacker attacks and so on! We can’t guarantee the security and you use RecordPress at your own risk! Please read the license!
RecordPress uses PDO (prepared statements) witch is one of the latest additions in PHP. By using PDO we prepare SQL-calls from and to the database! While using PDO we don’t need to spam the code with the old mysql_real_escape_string()! Since RecordPress is always on the move, so are the security!
We are aware of that not all web hosts supports PDO at this stage, and some web hosts have not yet upgraded from PHP4 to PHP5! One of the reasons why not all web hosts upgrades from PHP4 to PHP5 is that PHP5 is not very backward compatible! While we are working with PHP5, PHP6 is on it’s way…
How do we store passwords? First of all we HASH passwords using sha1. You can see HASH as an “encryption” technique! With every password we store a unique salt value. To better understand what we are talking about, we will give you some examples:
Let’s say we a database with 5000+ users. Let’s say that 100 users have the exact same password. Let’s say we only encrypt passwords with SHA1 and these 100 users have “test” as password. This password have the encryption value “a6Hj4K2L5” as an example! Mr hacker found a way into the database and sees that 100 users have the same passwords (the password fields is filled with “a6Hj4K2L5”). Think about it! Now the hacker only needs to decrypt one of these passwords, and when he does… Yepp, he can control 100 user accounts!
What we can do is to have a unique salt value with every password! This means that if your password is “test” we can have a salt value like “458910”. This means that passwords will be stored “passwordsalt”. So in our securer case, password “test” will be displayed like “fhk56las234” for one user and the next user “d2053jkas2or”. As you can see users have the exact same passwords but since we add a unique salt value to our password Mr hacker must decrypt every password separately, and we prevent Mr hacker to use so-called rainbow tables!
If you view your RecordPress database with a tool like phpMyAdmin you can see that the salt values is not secret! And yes, they don’t need to be secret! Using salt values will only make the users own password harder to decrypt for Mr hacker!
We have tested to decrypt RecordPress passwords with a program like Abel&Cain. This program needed SEVERAL years to decrypt a password! During this time the user have probably changed his/her password anyway! And… A program like Able&Cain can only assume a password!
Mr hacker!? What about Mrs hacker!? They are all the same, with the same goal…