Secure way of storing passwords in the database
Any suggestions of a secure way of storing membership passwords (for a website) in a mysql database? Should I use sha, aes, des???

thanks,

Luis R. Lebron
Sigmatech, Inc
Re: Secure way of storing passwords in the database
Luis Lebron wrote on 07.11.2003 15:22:

> Any suggestions of a secure way of storing membership passwords (for a website) in a mysql database? Should I use sha, aes, des???
>
> thanks,

Hi Luis,

try md5 encryption for passwords in your application and write md5-encrypted values to simple varchar/text fields in your db. You can find md5() in the PHP manual; there are also some examples in the user notes which can also be applied with other encryption methods (as I don't know whether you are using PHP).

Cheerio,
Henning

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
Re: Secure way of storing passwords in the database
Luis, et al --

...and then Luis Lebron said...
%
% Any suggestions of a secure way of storing membership passwords (for a
% website) in a mysql database? Should I use sha, aes, des???

Do you really need to be able to decrypt and get the plaintext password? Why not instead save the encrypted password and then when checking always encrypt what you're given and compare it? Not only is it more secure, it's easier :-)

%
% thanks,

Sure thing.

%
% Luis R. Lebron
% Sigmatech, Inc

HTH
HAND

:-D
--
David T-G                      * There is too much animal courage in
(play) [EMAIL PROTECTED] * society and not sufficient moral courage.
(work) [EMAIL PROTECTED]  -- Mary Baker Eddy, Science and Health
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
RE: Secure way of storing passwords in the database
Right, you should really use a 1-way hashing algorithm like SHA1. If the user forgets their password, require them to change it, which is good practice anyways, since someone else might have found it for them!

The general idea with 1-way hashing algorithms is that you compare the result of hashing 2 strings. If the result is the same, there is a ridiculously small chance that the 2 strings are different.

MySQL provides built-in support for SHA1.

SHA1(string)
http://www.mysql.com/doc/en/Miscellaneous_functions.html

Example:

    SELECT * FROM members WHERE id = 123 AND password = SHA1($password);

$password is the user's input password.

Regards,

Erik Osterman
http://osterman.com/

-----Original Message-----
From: David T-G [mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 9:05 PM
To: mysql users
Cc: Luis Lebron
Subject: Re: Secure way of storing passwords in the database
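The hash-and-compare scheme from the replies above, as an added example that is not code from any poster in this thread: it puts the unsalted SHA1 value from Erik's query beside a per-user salted PBKDF2 hash, the form current practice uses for stored passwords. Assumptions: an in-memory sqlite3 database stands in for the MySQL `members` table, and the storage format, iteration count and function names are illustrative.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # illustrative work factor (assumption, tune per host)

def unsalted_sha1(password: str) -> str:
    """What SHA1($password) stores: same password -> same value for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash; salt and cost are stored with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt and cost, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                      bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed row: fail closed
    return hmac.compare_digest(derived, expected)

def open_db() -> sqlite3.Connection:
    # sqlite3 in memory stands in for the MySQL "members" table (assumption)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, password TEXT NOT NULL)")
    return db

def register(db, member_id: int, password: str) -> None:
    db.execute("INSERT INTO members (id, password) VALUES (?, ?)",
               (member_id, hash_password(password)))

def login(db, member_id: int, candidate: str) -> bool:
    # Fetch by id with a bound parameter, then verify in application code:
    # a salted hash cannot be matched with WHERE password = HASH(input).
    row = db.execute("SELECT password FROM members WHERE id = ?",
                     (member_id,)).fetchone()
    return row is not None and verify_password(row[0], candidate)

if __name__ == "__main__":
    db = open_db()
    register(db, 123, "correct horse")   # constructed sample data
    register(db, 124, "correct horse")
    print(login(db, 123, "correct horse"), login(db, 123, "wrong"))
```

Because each row carries its own random salt, two members with the same password get different stored values, while the unsalted SHA1 column would hold the same 40-character string for both.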