Re: Password encryption

2001-12-13 Thread William R. Mussatto

If you want to be able to store information encrypted and then decrypt it 
later and you use Perl, see Crypt::CBC and pick an algorithm.  The only 
trick is that, with blowfish at least, you need a larger field than the 
original.  Also you must figure out how to hide the key...

On Wed, 12 Dec 2001, sherzodR wrote:

 Date: Wed, 12 Dec 2001 18:42:35 -0600 (CST)
 From: sherzodR [EMAIL PROTECTED]
 To: ST Ooi [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Password encryption
 
 
 When you're inserting a new password:
 
 INSERT INTO user SET password=PASSWORD('secret');
 
 But you can't retrieve the original password. If a user forgets/loses
 his/her password, just reset a password with something else, and send
 him/her that new password.
 
 And when you want to check an inputted password against the encrypted one:
 
 SELECT * FROM user WHERE login=user_id AND
 password=PASSWORD(inserted_password);
 
 
 
 ST Ooi wrote:
 
 SO: Date: Thu, 13 Dec 2001 07:52:59 +0800
 SO: From: ST Ooi [EMAIL PROTECTED]
 SO: To: [EMAIL PROTECTED]
 SO: Subject: Password encryption
 SO:
 SO: How can I encrypt password in database and how can I retrieve the
 SO: encrypted password?
 SO:
 SO: Thanks
 SO:
 SO: ST Ooi
 SO: Malaysia
 SO:
 SO: - Original Message -
 SO: From: Dan Nelson [EMAIL PROTECTED]
 SO: To: James McLaughlin [EMAIL PROTECTED]
 SO: Cc: [EMAIL PROTECTED]
 SO: Sent: Thursday, December 13, 2001 7:06 AM
 SO: Subject: Re: No Database Encryption
 SO:
 SO:
 SO:  In the last episode (Dec 12), James McLaughlin said:
 SO:   The new programmer for our company is not using the dataType
 SO:   password or any encryption what so ever for our user accounts
 SO:   (accounts that our customers use for getting into our system) in our
 SO:   database.
 SO:  
 SO:   Instead he is using the VarChar dataType.
 SO:  
 SO:   Can someone explain to me how I can exploit this and show them it is
 SO:   very dangerous.  
 SO: 
 SO:  It's only dangerous if a customer can trick your web frontend into
 SO:  displaying the output of SELECT * FROM USERS, for example.  If the
 SO:  frontend only uses hardcoded queries, or quotes every user-supplied
 SO:  parameter, there's no problem.  In fact, you need the password in
 SO:  plaintext to support a "I forgot my password; email it to me" feature.
 SO: 
 SO: 
 SO:  --
 SO:  Dan Nelson
 SO:  [EMAIL PROTECTED]
 SO: 
 SO:  -
 SO:  Before posting, please check:
 SO: http://www.mysql.com/manual.php   (the manual)
 SO: http://lists.mysql.com/   (the list archive)
 SO: 
 SO:  To request this thread, e-mail [EMAIL PROTECTED]
 SO:  To unsubscribe, e-mail
 SO: [EMAIL PROTECTED]
 SO:  Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
 SO: 
 SO: 
 SO:
 SO:
 SO:
 
 -- 
 Sherzod Ruzmetov [EMAIL PROTECTED]
 http://www.UltraCgis.com, Consultant
 989.774.6265
 ++
 | There is nothing wrong with your tools.|
 | But we can make a better one.  |
 ++
 
 
 

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27






Password encryption

2001-12-12 Thread ST Ooi

How can I encrypt password in database and how can I retrieve the
encrypted password?

Thanks

ST Ooi
Malaysia

- Original Message -
From: Dan Nelson [EMAIL PROTECTED]
To: James McLaughlin [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, December 13, 2001 7:06 AM
Subject: Re: No Database Encryption


 In the last episode (Dec 12), James McLaughlin said:
  The new programmer for our company is not using the dataType
  password or any encryption what so ever for our user accounts
  (accounts that our customers use for getting into our system) in our
  database.
 
  Instead he is using the VarChar dataType.
 
  Can someone explain to me how I can exploit this and show them it is
  very dangerous.  

 It's only dangerous if a customer can trick your web frontend into
 displaying the output of SELECT * FROM USERS, for example.  If the
 frontend only uses hardcoded queries, or quotes every user-supplied
 parameter, there's no problem.  In fact, you need the password in
 plaintext to support a "I forgot my password; email it to me" feature.


 --
 Dan Nelson
 [EMAIL PROTECTED]









Re: Password encryption

2001-12-12 Thread tc lewis


you can use the password() mysql function to crypt it.

you cannot retrieve the encrypted password -- only compare input
(password() the input) against the saved encrypted password.  if the
resulting text matches, the password is good.  if not, the authentication
in your application should fail.

-tcl.


On Thu, 13 Dec 2001, ST Ooi wrote:

 How can I encrypt password in database and how can I retrieve the
 encrypted password?

 Thanks

 ST Ooi
 Malaysia

 - Original Message -
 From: Dan Nelson [EMAIL PROTECTED]
 To: James McLaughlin [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Thursday, December 13, 2001 7:06 AM
 Subject: Re: No Database Encryption


  In the last episode (Dec 12), James McLaughlin said:
   The new programmer for our company is not using the dataType
   password or any encryption what so ever for our user accounts
   (accounts that our customers use for getting into our system) in our
   database.
  
   Instead he is using the VarChar dataType.
  
   Can someone explain to me how I can exploit this and show them it is
   very dangerous.  
 
  It's only dangerous if a customer can trick your web frontend into
  displaying the output of SELECT * FROM USERS, for example.  If the
  frontend only uses hardcoded queries, or quotes every user-supplied
  parameter, there's no problem.  In fact, you need the password in
  plaintext to support a "I forgot my password; email it to me" feature.
 
 
  --
  Dan Nelson
  [EMAIL PROTECTED]
 
 
 










Re: Password encryption

2001-06-10 Thread Leon Mergen

Hello Rolf,

I need the decoding option, since I need to have a password lookup
function...

Hmmm... of course, I *COULD* completely rewrite it, and instead of looking up
a password, make it so that you can reset your password if you have verified
your email address or something.

However, I wonder if rewriting this is worth the effort. I mean, I probably
will be busy 3 hours with it, to completely rewrite it, and fully test
everything. And that is why I wonder if it's worth it, because I also like
the option to decode the passwords of my members, if I have the encryption
password...

But basically, my question is: how great is the performance penalty caused
by DECODE(), or is it low enough to forget about it? Because my system
checks the password each page a member visits, and a member usually visits
around 500 pages/day. So performance is quite important here ;)

Thanks in advance,

Leon Mergen
[EMAIL PROTECTED]
BlazeBox, Inc.
ICQ: 55677353

- Original Message -
From: Rolf Hopkins [EMAIL PROTECTED]
To: Leon Mergen [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, June 10, 2001 3:43 PM
Subject: Re: Password encryption


 I used the function password() if that helps but of course you can't
 decode it.

 - Original Message -
 From: Leon Mergen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Saturday, June 09, 2001 22:44
 Subject: Re: Password encryption


  Anyone has any idea how much this encryption method sucks up server
load?
 
  _
  Leon Mergen
  [EMAIL PROTECTED]
  President of Operations
  BlazeBox, Inc.
  ICQ: 55677353
 
 
  - Original Message -
  From: Joshua J. Kugler [EMAIL PROTECTED]
  To: Leon Mergen [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: Friday, June 08, 2001 9:47 PM
  Subject: Re: Password encryption
 
 
   Look in the manual about the ENCODE/DECODE functions.
  
   j- k-
  
   On Friday 08 June 2001 10:28, you wrote:
Hello all,
   
I have some questions about password encryption. I want to make some
  sort
of encryption method that disables a human to read the password, but
  does
allow my (php) script to convert the encoded password to a
  human-readable
password, the member originally entered and the member enters in the
  form
(if he or she has the password right) .
   
In other words, I want a string to be encrypted and decrypted, if
it's
possible in the query.
   
An example:
   
insert into table values (encrypt(secret));
select decrypt(passfield) as pass from table;
   
and here, pass will contain the value of secret.
  
   --
   Joshua Kugler, Information Services Director
   Associated Students of the University of Alaska Fairbanks
   [EMAIL PROTECTED], 907-474-7601
  
 
 










Re: Password encryption

2001-06-10 Thread Rolf Hopkins

I used the function password() if that helps but of course you can't
decode it.

- Original Message -
From: Leon Mergen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, June 09, 2001 22:44
Subject: Re: Password encryption


 Anyone has any idea how much this encryption method sucks up server load?

 _
 Leon Mergen
 [EMAIL PROTECTED]
 President of Operations
 BlazeBox, Inc.
 ICQ: 55677353


 - Original Message -
 From: Joshua J. Kugler [EMAIL PROTECTED]
 To: Leon Mergen [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Friday, June 08, 2001 9:47 PM
 Subject: Re: Password encryption


  Look in the manual about the ENCODE/DECODE functions.
 
  j- k-
 
  On Friday 08 June 2001 10:28, you wrote:
   Hello all,
  
   I have some questions about password encryption. I want to make some
 sort
   of encryption method that disables a human to read the password, but
 does
   allow my (php) script to convert the encoded password to a
 human-readable
   password, the member originally entered and the member enters in the
 form
   (if he or she has the password right) .
  
   In other words, I want a string to be encrypted and decrypted, if it's
   possible in the query.
  
   An example:
  
   insert into table values (encrypt(secret));
   select decrypt(passfield) as pass from table;
  
   and here, pass will contain the value of secret.
 
  --
  Joshua Kugler, Information Services Director
  Associated Students of the University of Alaska Fairbanks
  [EMAIL PROTECTED], 907-474-7601
 








Re: Password encryption

2001-06-10 Thread Rolf Hopkins

Well, if you're using web pages, I've never thought much of passwords being
passed from one page to the next.  Too much at risk of being sniffed out
each time a page is submitted to the server.  I devised a way that creates a
random char string which changes each time a user logs on  and that gets
passed to the next page instead of the password itself.

Other than that, I don't think I can be much more help.

- Original Message -
From: Leon Mergen [EMAIL PROTECTED]
To: Rolf Hopkins [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, June 10, 2001 22:09
Subject: Re: Password encryption


 Hello Rolf,

 I need the decoding option, since I need to have a password lookup
 function...

 Hmmm... of course, I *COULD* completely rewrite it, and instead of looking up
 a password, make it so that you can reset your password if you have verified
 your email address or something.

 However, I wonder if rewriting this is worth the effort. I mean, I probably
 will be busy 3 hours with it, to completely rewrite it, and fully test
 everything. And that is why I wonder if it's worth it, because I also like
 the option to decode the passwords of my members, if I have the encryption
 password...

 But basically, my question is: how great is the performance penalty caused
 by DECODE(), or is it low enough to forget about it? Because my system
 checks the password each page a member visits, and a member usually visits
 around 500 pages/day. So performance is quite important here ;)

 Thanks in advance,

 Leon Mergen
 [EMAIL PROTECTED]
 BlazeBox, Inc.
 ICQ: 55677353

 - Original Message -
 From: Rolf Hopkins [EMAIL PROTECTED]
 To: Leon Mergen [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Sunday, June 10, 2001 3:43 PM
 Subject: Re: Password encryption


  I used the function password() if that helps but of course you can't
  decode it.
 
  - Original Message -
  From: Leon Mergen [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Saturday, June 09, 2001 22:44
  Subject: Re: Password encryption
 
 
   Anyone has any idea how much this encryption method sucks up server
 load?
  
   _
   Leon Mergen
   [EMAIL PROTECTED]
   President of Operations
   BlazeBox, Inc.
   ICQ: 55677353
  
  
   - Original Message -
   From: Joshua J. Kugler [EMAIL PROTECTED]
   To: Leon Mergen [EMAIL PROTECTED]; [EMAIL PROTECTED]
   Sent: Friday, June 08, 2001 9:47 PM
   Subject: Re: Password encryption
  
  
Look in the manual about the ENCODE/DECODE functions.
   
j- k-
   
On Friday 08 June 2001 10:28, you wrote:
 Hello all,

 I have some questions about password encryption. I want to make
some
   sort
 of encryption method that disables a human to read the password,
but
   does
 allow my (php) script to convert the encoded password to a
   human-readable
 password, the member originally entered and the member enters in
the
   form
 (if he or she has the password right) .

 In other words, I want a string to be encrypted and decrypted, if
 it's
 possible in the query.

 An example:

 insert into table values (encrypt(secret));
 select decrypt(passfield) as pass from table;

 and here, pass will contain the value of secret.
   
--
Joshua Kugler, Information Services Director
Associated Students of the University of Alaska Fairbanks
[EMAIL PROTECTED], 907-474-7601
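
An added example, not from the original thread: one way to build the per-login random string described at the top of this message, in Python. The password is checked once at login, and each later page request presents only a random token that the server stores as a hash, replaces at the next login and expires when idle. The class, function and cookie names and the timeout are assumptions of this example.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60     # assumed idle timeout, in seconds

def token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def cookie_header(token):
    # Secure keeps the token off plain HTTP; HttpOnly hides it from page scripts
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"

class SessionStore:
    """Server-side session table keyed by the SHA-256 of each token."""

    def __init__(self):
        self.sessions = {}             # token hash -> (login, expires_at)

    def login(self, login, password_ok, now=None):
        """Call once the password check has run; returns a new token or None."""
        if not password_ok:
            return None
        now = time.time() if now is None else now
        # A new login replaces any older token issued to the same account
        self.sessions = {h: s for h, s in self.sessions.items() if s[0] != login}
        token = secrets.token_urlsafe(32)      # 256 random bits from the OS
        self.sessions[token_hash(token)] = (login, now + SESSION_TTL)
        return token

    def whoami(self, token, now=None):
        """Per-page check: one hash and one lookup, no password involved."""
        now = time.time() if now is None else now
        key = token_hash(token)
        entry = self.sessions.get(key)
        if entry is None:
            return None
        if now > entry[1]:
            del self.sessions[key]     # expired: forget it
            return None
        self.sessions[key] = (entry[0], now + SESSION_TTL)   # sliding expiry
        return entry[0]

    def logout(self, token):
        self.sessions.pop(token_hash(token), None)

if __name__ == "__main__":
    store = SessionStore()
    first = store.login("member", True)        # constructed sample login
    second = store.login("member", True)
    print(store.whoami(first), store.whoami(second))
    print(cookie_header(second))
```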
   
  
  
 
 
 
 






Re: Password encryption

2001-06-09 Thread Olexandr Vynnychenko

Hello Leon,

Friday, June 08, 2001, 9:28:05 PM, you wrote:

LM Hello all,

LM I have some questions about password encryption. I want to make some sort of
LM encryption method that disables a human to read the password, but does allow my (php)
LM script to convert the encoded password to a human-readable password, the member
LM originally entered and the member enters in the form (if he or she has the password
LM right) .

LM In other words, I want a string to be encrypted and decrypted, if it's possible in
LM the query.

LM An example:

LM insert into table values (encrypt(secret));
LM select decrypt(passfield) as pass from table;

LM and here, pass will contain the value of secret.

LM Thanks in advance,

LM Leon Mergen
LM [EMAIL PROTECTED]
LM BlazeBox, Inc.
LM ICQ: 55677353

But what for???

-- 
Best regards,
 Olexandr  mailto:[EMAIL PROTECTED]






Re: Password encryption

2001-06-09 Thread Leon Mergen

Anyone has any idea how much this encryption method sucks up server load?

_
Leon Mergen
[EMAIL PROTECTED]
President of Operations
BlazeBox, Inc.
ICQ: 55677353


- Original Message -
From: Joshua J. Kugler [EMAIL PROTECTED]
To: Leon Mergen [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, June 08, 2001 9:47 PM
Subject: Re: Password encryption


 Look in the manual about the ENCODE/DECODE functions.

 j- k-

 On Friday 08 June 2001 10:28, you wrote:
  Hello all,
 
  I have some questions about password encryption. I want to make some
sort
  of encryption method that disables a human to read the password, but
does
  allow my (php) script to convert the encoded password to a
human-readable
  password, the member originally entered and the member enters in the
form
  (if he or she has the password right) .
 
  In other words, I want a string to be encrypted and decrypted, if it's
  possible in the query.
 
  An example:
 
  insert into table values (encrypt(secret));
  select decrypt(passfield) as pass from table;
 
  and here, pass will contain the value of secret.

 --
 Joshua Kugler, Information Services Director
 Associated Students of the University of Alaska Fairbanks
 [EMAIL PROTECTED], 907-474-7601







Password encryption

2001-06-08 Thread Leon Mergen

Hello all,

I have some questions about password encryption. I want to make some sort of 
encryption method that disables a human to read the password, but does allow my (php) 
script to convert the encoded password to a human-readable password, the member 
originally entered and the member enters in the form (if he or she has the password 
right) .

In other words, I want a string to be encrypted and decrypted, if it's possible in the 
query.

An example:

insert into table values (encrypt(secret));
select decrypt(passfield) as pass from table;

and here, pass will contain the value of secret.

Thanks in advance,

Leon Mergen
[EMAIL PROTECTED]
BlazeBox, Inc.
ICQ: 55677353



Re: Password encryption

2001-06-08 Thread Joshua J. Kugler

Look in the manual about the ENCODE/DECODE functions.

j- k-

On Friday 08 June 2001 10:28, you wrote:
 Hello all,

 I have some questions about password encryption. I want to make some sort
 of encryption method that disables a human to read the password, but does
 allow my (php) script to convert the encoded password to a human-readable
 password, the member originally entered and the member enters in the form
 (if he or she has the password right) .

 In other words, I want a string to be encrypted and decrypted, if it's
 possible in the query.

 An example:

 insert into table values (encrypt(secret));
 select decrypt(passfield) as pass from table;

 and here, pass will contain the value of secret.

-- 
Joshua Kugler, Information Services Director
Associated Students of the University of Alaska Fairbanks
[EMAIL PROTECTED], 907-474-7601
