Right, you should really use a 1-way hashing algorithm like SHA1. If the
user forgets their password, require them to change it, which is good
practice anyway, since someone else might have found it for them!

The general idea with 1-way hashing algorithms is that you compare the
result of hashing 2 strings. If the result is the same, there is a
ridiculously small chance that the 2 strings are different. 

MySQL provides built-in support for SHA1. 

SHA1(string)

http://www.mysql.com/doc/en/Miscellaneous_functions.html

Example: SELECT * FROM members WHERE id = 123 AND password = SHA1("$password");

$password is the user's input password.


Regards,

Erik Osterman
http://osterman.com/
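As an added example (not code from the thread), here is the store-the-hash, hash-then-compare flow the reply describes, in Python against an in-memory SQLite stand-in for the `members` table: hashlib's SHA-1 hex digest is the same 40-character string MySQL's SHA1() returns, and the lookup binds the password as a query parameter instead of pasting `$password` into the SQL text. The table and column names follow the thread's example; member id 123 and the passwords are constructed.

```python
import hashlib
import hmac
import sqlite3


def sha1_hex(password: str) -> str:
    """Same 40-char lowercase hex digest that MySQL's SHA1() produces."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def create_members_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the thread's `members` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, password TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, member_id: int, password: str) -> None:
    # Only the digest is stored; the plaintext never reaches the table.
    conn.execute(
        "INSERT INTO members (id, password) VALUES (?, ?)",
        (member_id, sha1_hex(password)),
    )


def check_login(conn: sqlite3.Connection, member_id: int, password: str) -> bool:
    # Bound parameter rather than string interpolation of the user's input.
    row = conn.execute(
        "SELECT password FROM members WHERE id = ?", (member_id,)
    ).fetchone()
    if row is None:
        return False
    # Hash what the user typed and compare digests; compare_digest keeps the
    # comparison time independent of where the two strings first differ.
    return hmac.compare_digest(row[0], sha1_hex(password))


def reset_password(conn: sqlite3.Connection, member_id: int, new_password: str) -> None:
    # Forgotten password: there is no plaintext to recover, so replace the hash.
    conn.execute(
        "UPDATE members SET password = ? WHERE id = ?",
        (sha1_hex(new_password), member_id),
    )


if __name__ == "__main__":
    db = create_members_db()
    register(db, 123, "s3cret")          # constructed sample credentials
    print(check_login(db, 123, "s3cret"))  # True
    print(check_login(db, 123, "wrong"))   # False
```

SHA1 is used here to match the thread; for new systems a salted, deliberately slow password hash (bcrypt, scrypt or Argon2) is the current recommendation, because an unsalted fast hash can be cracked offline far more quickly.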


-----Original Message-----
From: David T-G [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 07, 2003 9:05 PM
To: mysql users
Cc: Luis Lebron
Subject: Re: Secure way of storing passwords in the database

Luis, et al --

...and then Luis Lebron said...
% 
% Any suggestions of a "secure" way of storing membership passwords (for a
% website) in a mysql database? Should I use sha, aes, des???

Do you really need to be able to decrypt and get the plaintext password?
Why not instead save the encrypted password and then when checking always
encrypt what you're given and compare it?  Not only is it more secure,
it's easier :-)


% 
% thanks,

Sure thing.


% 
% Luis R. Lebron
% Sigmatech, Inc


HTH & HAND

:-D
-- 
David T-G                      * There is too much animal courage in 
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]



