database: networking and security
#2
Good questions! I learned a long time ago that if someone really wanted to steal user data they are going to, putting steps in place like hashing data prior to it being inserted into the database, creating specific hashes for users that expire after a certain time like you said and even looking at using MFA options to add an extra wall of security. Here are a couple of options that you could do:

1. User Hash - You mentioned this and it is a great idea. My software for work has this in place, and all data transmitted through the SSL, be it on the web-app or iOS app, is done so with the hash, so that if someone intercepts the data, they are going to have a real hard time trying to identify the information, as they would need to know how you are compiling your string and what the information means. For example, you could do something like sha1(md5('USERNAME . ' . ' . PASSWORD . ' . ' . DATE')), then using various PHP functions you could break it down using your periods as dividers to pull out information like the date and verify that it is within the last 24 hours, or the user will have to reauthenticate.

2. IP Logging - When a user logs in you can use IPs to make sure that an account is only logged in once, but you can also use this to monitor brute force attacks in conjunction with something like Google Authenticator. So your SQL database would look like id(int10),ipAddress(text),verified(enum('0','1')). When a user logs in, you can capture their IP regardless of whether they are using a VPN or not and pass it over to this table. You can also update the user table with a field like lastIP or something and use further checks to see if they have passed the MFA from that IP before and they can bypass the 6-digit code. You could create a script in your back end too to see if there are multiple failed attempts from a single IP, allowing you to add that to your blacklist more easily.

Once you get comfortable with PHP you can take its most basic functions and turn it into a powerful tool with a little know-how.
Thank you to CubeData and Posts4VPS for the services of VPS 8.
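
An added example, not part of the post above and not code from any project mentioned in the thread: one way to build an expiring per-user token of the kind the post describes. It swaps the nested sha1(md5(...)) string for an HMAC-SHA256 signature over the username and issue time, which travel in the clear so the server can read the date back (a digest alone cannot be split into fields), and it keeps the password out of the token. SECRET_KEY, MAX_AGE, issueToken and verifyToken are hypothetical names, and the demo values are constructed.

```php
<?php
// Added example; names and values here are hypothetical / constructed.
// Load the real key from configuration, never from source control.
const SECRET_KEY = 'constructed-demo-key-change-me';
const MAX_AGE    = 86400; // 24 hours, the re-authentication window in the post

function issueToken(string $username, int $now): string
{
    // Hex-encode the username so it can never contain the '.' divider.
    $payload = bin2hex($username) . '.' . $now;
    // Only the signature is a digest; the fields stay readable.
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

function verifyToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null; // malformed token
    }
    [$userHex, $issued, $sig] = $parts;

    // Recompute the signature and compare in constant time.
    $expected = hash_hmac('sha256', $userHex . '.' . $issued, SECRET_KEY);
    if (!hash_equals($expected, $sig)) {
        return null; // altered token or wrong key
    }
    if (!ctype_digit($issued)) {
        return null; // issue time must be a plain integer
    }
    $age = $now - (int) $issued;
    if ($age < 0 || $age > MAX_AGE) {
        return null; // issued in the future or older than 24 hours
    }
    $username = hex2bin($userHex);
    return $username === false ? null : $username;
}

// Constructed demo: one token checked at three moments / in two states.
$t0    = 1605822600;
$token = issueToken('alice', $t0);
var_dump(verifyToken($token, $t0 + 3600));       // inside the window
var_dump(verifyToken($token, $t0 + 90000));      // past the 24-hour window
var_dump(verifyToken($token . '0', $t0 + 3600)); // signature altered
```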


Messages In This Thread
database: networking and security - by fitkoh - 11-19-2020, 06:48 PM
RE: database: networking and security - by tbelldesignco - 11-19-2020, 09:50 PM
RE: database: networking and security - by fitkoh - 11-20-2020, 08:53 PM
RE: database: networking and security - by fChk - 11-21-2020, 06:48 AM
RE: database: networking and security - by fitkoh - 11-21-2020, 08:40 AM
RE: database: networking and security - by fChk - 11-21-2020, 12:03 PM
RE: database: networking and security - by fitkoh - 11-24-2020, 05:47 PM
RE: database: networking and security - by fChk - 11-26-2020, 10:48 AM
RE: database: networking and security - by fitkoh - 11-26-2020, 04:48 PM
RE: database: networking and security - by fChk - 11-28-2020, 06:59 AM
RE: database: networking and security - by fitkoh - 11-28-2020, 06:49 PM
RE: database: networking and security - by fChk - 12-04-2020, 10:00 AM
