Re: Password storage
If you can't access functions directly, you could implement a trigger on that row to intercept the password as it being written and do your MD5 encoding there. - michael On 8/18/07, C K [EMAIL PROTECTED] wrote: Thanks to all, but the problem is that I am using external programs to insert data and I can't use MySQL functions directly. Can I call/implement such type of functions using MS Access 2003? Thanks CPK The md5 function encrypts the input string. - With Warm Regards, Sudheer. S www.binaryvibes.co.in www.lampcomputing.com -- Keep your Environment clean and green. -- - michael dykman - [EMAIL PROTECTED] - All models are wrong. Some models are useful. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Password storage
On 8/18/07, C K [EMAIL PROTECTED] wrote: Friends, I have one question - How to store passwords in MySQL database table in a secure way so that no one can see the password(understand the password string)? It is considered bad security practice to store passwords using reversible encryption. The issue is that users tend to choose the same passwords across different computing systems, as well as personal e-mail and banking accounts. The most common method is to keep a string, known only to the server, that is used to help generate the MD5 or SHA1 hash actually stored. The stored value is then generated using something like: MD5(CONCAT(server_string, user_password, server_string)) In order to be able to mount some kind of an attack other than brute force, an attacker would need to also have the server_string. The disadvantage of using only the user password for the MD5 is that it lends itself to a dictionary attack. So, a bit of randomness thrown in is helpful. http://en.wikipedia.org/wiki/Dictionary_attack As another poster pointed out, the probability of two different passwords having the same hash is remote. Using the SHA1 (160 bits) as an example, and assuming about 64 different characters (6 bits) available for passwords, the SHA1 is about 26 characters of information. Remote. Dave.
Password storage
Friends, I have one question - How to store passwords in MySQL database table in a secure way so that no one can see the password(understand the password string)? Please help Thanks CPK -- Keep your Environment clean and green.
Re: Password storage
Use MD5 function to encrypt the password column C K wrote: Friends, I have one question - How to store passwords in MySQL database table in a secure way so that no one can see the password(understand the password string)? Please help Thanks CPK -- Yoge, AdventNet, Inc. 925-965-6528 [EMAIL PROTECTED] site24x7.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Password storage
C K wrote: Friends, I have one question - How to store passwords in MySQL database table in a secure way so that no one can see the password(understand the password string)? Please help Thanks CPK mysql create table test01 (pass varchar(32)); Query OK, 0 rows affected (0.00 sec) mysql insert into test01 values (md5('textpassword')); Query OK, 1 row affected (0.01 sec) mysql select * from test01; +--+ | pass | +--+ | d1c7e2c37b0bb7d92548ac5594d00315 | +--+ 1 row in set (0.00 sec) The md5 function encrypts the input string. - With Warm Regards, Sudheer. S www.binaryvibes.co.in www.lampcomputing.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Password storage
Thanks to all, but the problem is that I am using external programs to insert data and I can't use MySQL functions directly. Can I call/implement such type of functions using MS Access 2003? Thanks CPK The md5 function encrypts the input string. - With Warm Regards, Sudheer. S www.binaryvibes.co.in www.lampcomputing.com -- Keep your Environment clean and green.
Re: Password storage
On Sat, August 18, 2007 15:53, C K wrote: Thanks to all, but the problem is that I am using external programs to insert data and I can't use MySQL functions directly. Can I call/implement such type of functions using MS Access 2003? MD5() is not an encryption function. The MySQL manual states: QUOTE MD5(str) Calculates an MD5 128-bit checksum for the string. The value is returned as a binary string of 32 hex digits, or NULL if the argument was NULL. The return value can, for example, be used as a hash key. mysql SELECT MD5('testing'); - 'ae2b1fca515949e5d54fb22b8ed95575' This is the “RSA Data Security, Inc. MD5 Message-Digest Algorithm.” /QUOTE You might want to look at ENCODE() and DECODE() functions. Again from the manual: QUOTE DECODE(crypt_str,pass_str) Decrypts the encrypted string crypt_str using pass_str as the password. crypt_str should be a string returned from ENCODE(). ENCODE(str,pass_str) Encrypt str using pass_str as the password. To decrypt the result, use DECODE(). The result is a binary string of the same length as str. The strength of the encryption is based on how good the random generator is. It should suffice for short strings. /QUOTE These are all functions you use in your sql statement, so yes. They can be used in MS Access. -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Password storage
But you can use it for passwords (ask Unix)... You can't decode what the original password was, but you can encode the password they typed in and check the two hashes match - if they do - the chances are that the original passwords match (the odds against are huge!) On Saturday 18 August 2007 16:19, Mogens Melander wrote: MD5() is not an encryption function. The MySQL manual states: -- Mike Aubury Aubit Computing Ltd is registered in England and Wales, Number: 3112827 Registered Address : Murlain Business Centre, Union Street, Chester, CH1 1QP -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Password storage
On Sat, August 18, 2007 20:17, Mike Aubury wrote: But you can use it for passwords (ask Unix)... You can't decode what the original password was, but you can encode the password they typed in and check the two hashes match - if they do - the chances are that the original passwords match (the odds against are huge!) Well, i got the impression that OP wanted to retrieve the cleartext string, but i could be wrong. On Saturday 18 August 2007 16:19, Mogens Melander wrote: MD5() is not an encryption function. The MySQL manual states: -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Password storage
Hi, What are those external programs? If you are using a scripting language like PHP to insert data, you can still use all the MySQL functions in your query statements. I'm not sure how this is related to MS Access 2003. With Warm Regards, Sudheer. S www.binaryvibes.co.in www.lampcomputing.com C K wrote: Thanks to all, but the problem is that I am using external programs to insert data and I can't use MySQL functions directly. Can I call/implement such type of functions using MS Access 2003? Thanks CPK The md5 function encrypts the input string. - With Warm Regards, Sudheer. S www.binaryvibes.co.in www.lampcomputing.com