Welcome to the Treehouse Community


PHP

a Safe Admin Area

I have a problem with making the Admin Area a safe place...

  • best Password Protection method?
  • saving password
  • make links in admin folder unreachable
  • ...

I'll be happy to be helped ;)

19 Answers

Nathan F. (30,773 Points)

Are you talking about an admin area in Wordpress, or are you making your own admin area?

making one for myself...

and FYI : I have the admin area... all I want is those protection things...

Randy Hoyt (STAFF, Treehouse Guest Teacher)

What have you tried so far for passwords?

actually nothing!

Randy Hoyt (STAFF, Treehouse Guest Teacher)

You want to store the passwords encrypted using something like MD5 encrypted. (I think most people are using MD5 these days.) This will encrypt the passwords in a way that no one will be able to decrypt them, so they'll be safe even if someone steals a backup copy of your database.

When someone logs in, you encrypt what they enter using the same encryption and check if it matches what you have in the database. (You don't know their actual password, but you know what it looks like encrypted.)

When they successfully log in, you send a cookie back down to their browser. On subsequent requests, you look to see if the browser sends a valid cookie along with the request. I'd recommend using SSL with the login screen and with any pages that require a password. Be sure to set the cookie to a secure cookie so that no one could intercept the cookie in a request (over public Wi-Fi or something) and hack their account.

The code at the top of each protected page would look for the cookie and, if it's present, display the page ... and if not, it would redirect to the login page.

Does that help?

Yes, definitely...

  • Is MD5 reliable [that 2009 thing]? Isn't it better to combine 2 or 3 methods? Will it use a lot of CPU & RAM?

  • I have no place to start learning that cookie & session stuff... any first point to start (video, book, online article, ...)?

is this the one? W3School

Randy Hoyt (STAFF, Treehouse Guest Teacher)

I'm certainly no expert in cryptography! :~) Encrypting passwords definitely requires CPU and RAM, but I don't know enough to comment on which ones use too much.

I don't know a good tutorial on cookies in the context of authentication. A lot of people have requested this, so it's something I'm considering putting together myself.

ok thanks

It's time to crack Wordpress :D

I'm currently studying security at school, so there's just a couple of things I want to point out.

First, using a CMS like Wordpress or Drupal is awesome. You cannot beat the work of hundreds of security experts and programmers.

Second, all passwords in a database should not be stored in plain text, but they should not be encrypted either; they should be hashed. So something like SHA or MD5 will work. I just want to make it clear that those are hashing algorithms and not encryption algorithms.

Lastly, when dealing with stuff on your server, be sure to use SFTP.

Randy Hoyt (STAFF, Treehouse Guest Teacher)

Thanks for clarifying my lazy use of the term "encrypting" instead of "hashing"! If something is encrypted, it can be decrypted. That's not what you want to do with passwords. You want to hash them, which means convert them into a format that cannot be un-hashed. You won't know the user's real password, just the hash. But when the user logs in, you can hash what they entered and see if the hashes are the same.

(Is that all stated clearly and correctly?)

Perfect!

thank you both guys...

I just signed up for a Cryptography class at Coursera.org

+ I know 1 person vs a bunch of expert guys is not a good idea and it's better to work based on their work... but there are 2 reasons for my job... after making version 1.0.0, make it public and find some non-expert guys like myself and make it a tool for everybody who wants to make a gallery... who knows? maybe 5 years from now it becomes like WordPress :D

and the second one is that since I was 10 years old, I have had a notebook which I filled with my ideas around everything...

the notebook filled up after two months and right now has around 25000 different ideas around everything... graphics, sites, technology, physics (what I'm learning at university) and the list goes on... there are billion dollar ideas in it and all I'm doing is adding stuff to it...

It's time to make them real!

;)

thanks for your help

but I'm still like a confused chicken! :D

where to start... ?

Randy Hoyt (STAFF, Treehouse Guest Teacher)

This isn't an easy topic. :~)

If you really want to learn how to do all of this, it will be a slow process with lots of learning. If you want to build a website with a couple of password-protected pages next week, you would definitely be better off using something that already exists like WordPress or Drupal.

James Barnett (39,199 Points)

Just to clarify Randy Hoyt's earlier statement.

You want to hash them, which means convert them into a format that cannot be un-hashed.

The technique of hashing is a generic programming technique in which a string of characters is transformed into a usually shorter, fixed-length value.

Where passwords are concerned, we use algorithms that perform a specific kind of hashing known as a one-way function; this makes it very hard for someone to get the original password (known as the plain text) from the new hashed text (known as the cipher text).

http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/

it says for every user use a different "salt" ...
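Putting Randy's hash-then-cookie flow and James's one-way-function and per-user-salt points together in code, as an added example that is not from this thread: it uses PHP's built-in password_hash()/password_verify() (PHP 7.3+ for the session cookie options) instead of MD5, because they apply a slow, salted one-way hash and store a fresh random salt per user. The $users array and the function names are assumptions standing in for a real database table and login script.

```php
<?php
// Added example (not from the thread). password_hash()/password_verify()
// apply a slow, salted one-way hash (bcrypt by default) and embed a fresh
// random per-user salt in the stored string; the plain text is never kept.
// Assumed/hypothetical: the $users array stands in for the database table.

function register_user(array &$users, string $name, string $password): void {
    // Each call draws a new random salt, so two users with the same
    // password still get different stored hashes.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array $users, string $name, string $password): bool {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    // Verify against a dummy hash for unknown users so response time does
    // not reveal which usernames exist.
    $stored = $users[$name] ?? $dummy;
    $ok = password_verify($password, $stored);
    return isset($users[$name]) && $ok;
}

// Cookie flags for the session: HTTPS only, hidden from JavaScript,
// not sent on cross-site requests.
const SESSION_COOKIE = ['secure' => true, 'httponly' => true, 'samesite' => 'Strict'];

function start_admin_session(string $name): void {
    session_set_cookie_params(SESSION_COOKIE);
    session_start();
    session_regenerate_id(true);   // fresh id after login blocks session fixation
    $_SESSION['admin'] = $name;
}

// Place at the top of every page in the admin folder: redirects to the
// login page unless a valid session cookie identifies a logged-in admin.
function require_admin(): void {
    session_set_cookie_params(SESSION_COOKIE);
    session_start();
    if (empty($_SESSION['admin'])) {
        header('Location: /login.php');
        exit;
    }
}

// Constructed demo of the hash/verify part (no web server needed).
$users = [];
register_user($users, 'alice', 'correct horse battery staple');
var_dump(check_login($users, 'alice', 'correct horse battery staple'), check_login($users, 'alice', 'wrong'));
```

Serve the login page and every admin page over HTTPS, as the answer above recommends; otherwise the secure cookie flag means the session cookie is never sent at all.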

James Barnett (39,199 Points)

Mohammad Hossein Mojtahedi -

it says for every user use a different "salt" ...

Is that a question?

not anymore!