I once did such authorization in the admin panel. The bottom line is this:
- Create a file like
- Generate a special key using crypt('string') and save it to a file.
- The same key is written to the database.
Login to the admin panel is as follows:
- Click Browse, find the file on your computer and click Send.
- Read the file and compare it with what is written in the database. If everything matches, you are welcome in. (We also read the file extension, because you can invent any one you like.)
- The system will not be transferred or sold.
- The system is used by a limited number of people (say, in the office).
I’m interested in your opinion in terms of security, etc. Of course, we are not talking about banal blogs, but about serious projects.
Answer 1, authority 100%
I understand when people try to increase security using an encrypted protocol. But in this case, I see just an additional hassle for the end user. Consider also the fact that protection in such cases is based on the assertion that the attacker has access to listening to the line. Under these conditions, your defense is nothing more than a stupid maneuver.
Answer 2, authority 33%
The file can be thrown, and the whole idea will collapse… Isn’t it better then to look at the IP address?
And if you are interested in logins from different computers under the same account, then you can link the login with Vkontakte or Facebook, since it will be convenient and more interesting.
Answer 3, authority 33%
The same shared secret, side view. If a non-standard approach is acceptable and you want a normal solution, use HTTPS and client certificates.
- Some non-standard solution. Protects against keyloggers and typical sniffers that catch POST requests.
- The effective key size is higher than a typical password. Improves quality by protecting against weak passwords. Although, in any case, it is not necessary to protect yourself from brute force.
- The key is issued rather than set, which slightly increases the possibility of its leakage (because the user and the administrator know, and not one user).
- If browsers store passwords in some way protecting them (for example, with a master password), then the file is stored without any protection or even obfuscation. Drag it from the disk and use it.
The crypt(3) function in its typical variants (using DES, MD5, or SHA variants) is not recommended for storing hashes. bcrypt is recommended.
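As an added example (not from the original thread), here is how the questioner's key-file login could be implemented with the points from this answer applied: the key is random binary data rather than crypt('string'), the database holds only a salted slow hash rather than the key itself, the upload's name and extension are ignored, and the comparison is constant-time. It uses PBKDF2 from the Python standard library as a stand-in for the bcrypt recommended above; the in-memory DB, the size limit and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32          # 256-bit random key written to the key file
MAX_UPLOAD = 4096     # refuse oversized uploads before doing any hashing
ITERATIONS = 100_000  # PBKDF2 work factor (stand-in for bcrypt's cost)

# Hypothetical in-memory "database": admin name -> (salt, hash of key)
DB: dict[str, tuple[bytes, bytes]] = {}


def _hash_key(key: bytes, salt: bytes) -> bytes:
    # Salted, slow hash of the key file contents; the key itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", key, salt, ITERATIONS)


def issue_key_file(admin: str) -> bytes:
    """Generate a random binary key for an admin, store only its salted hash
    in the DB, and return the bytes that go into the admin's key file."""
    key = secrets.token_bytes(KEY_LEN)   # binary, not text, so the front end cannot be brute-forced
    salt = os.urandom(16)
    DB[admin] = (salt, _hash_key(key, salt))
    return key


def verify_upload(admin: str, uploaded: bytes) -> bool:
    """Check the raw bytes of an uploaded key file against the stored hash.
    The upload's file name and extension are deliberately not looked at."""
    if len(uploaded) == 0 or len(uploaded) > MAX_UPLOAD:
        return False
    record = DB.get(admin)
    if record is None:
        # Spend the same hashing time for unknown admins so that account
        # existence is not revealed by a faster response.
        _hash_key(uploaded, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_key(uploaded, salt), expected)
```

A stolen key file still logs in (this answer's last point), so the file must be protected on disk; the server-side hashing only limits what a database leak gives away.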
Answer 4, authority 22%
An interesting idea that makes it impossible to brute force from the front-end of the admin panel. Provided, of course, that the file contains binary data, not text.
Answer 5, authority 11%
This method is much more secure than the same login / password. Under the condition that everything is done correctly.
Answer 6, authority 11%
For example, you can make sure that the admin only logs in as a regular user. That is, first log in as a regular user, then go to the admin panel. And nothing else.
And it’s all logged. It will be clear at least who is brute forcing 🙂 And then the defense is easier to build.
But also SSL of course.
And everyone logs in with one key, if I understood your idea correctly.