RE: [PHP-DB] Email Encryption?
ok, here's an idea:

Either use a script off the web, or write your own:

During the initial SSL session setup:
- send an e-mail to the client with a web page attached. (include instructions in the e-mail) Put javascript into the page to decrypt RC5 (apparently you can get a patch for MySQL to enable RC5 functionality)
- During the session put the client's key encrypted login details into a text file and have them save it to their hard disk
- When the client wishes to view their login information, instruct the client to:
  - open the web page attached to the e-mail
  - use a form in the web page to browse for the text file they saved to their hard disk
  - use the RC5 decryption script embedded in the web page to decrypt the client login info

or something like that...

cheers,
Gav

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 20 November 2002 1:01 AM
To: 'Jeremy Wilson'; 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Hi All,

I want to thank everyone for their suggestion.

A short term solution we're simply going to remove the username from the email. This way if a hacker does obtain the email they don't have the complete details to gain access to the user's account.

I would like to know more about the code supplied below though. How does this work? As long as they HAVE a string that gets compared in the DB then what good is this? They can still gain access to the user's account.

Thanks again.

Aaron

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Email Encryption?
Hi All,

I want to thank everyone for their suggestion.

A short term solution we're simply going to remove the username from the email. This way if a hacker does obtain the email they don't have the complete details to gain access to the user's account.

I would like to know more about the code supplied below though. How does this work? As long as they HAVE a string that gets compared in the DB then what good is this? They can still gain access to the user's account.

Thanks again.

Aaron

-----Original Message-----
From: Jeremy Wilson [mailto:[EMAIL PROTECTED]]
Sent: November 16, 2002 1:08 PM
To: 'Aaron Wolski'; 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

$encrypted_string = md5(base64_encode($var.'secret key'));

Pass the user name or password to $var and place text in to replace the words 'secret key'.
RE: [PHP-DB] Email Encryption?
$encrypted_string = md5(base64_encode($var.'secret key'));

Pass the user name or password to $var and place text in to replace the words 'secret key'.

-----Original Message-----
From: Aaron Wolski [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 15, 2002 8:45 AM
To: 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Well.

It's not what they want.. it's what one of their clients want (very big corporation with very unrealistic security standards - you'd think they were NASA or something *grumble*)

Their thought is that someone could hack the received email, login to the store using the publicly displayed login details and wreak havoc on the store, etc. *shrugs*

Sadly this isn't open for debate as a solution IS required.

Any thoughts?

Aaron
RE: [PHP-DB] Email Encryption?
ookey, (i think Richard Hutchins' idea is a good one, and secure enough that most sites use this method... but if you want an alternative...)

now i am a newbie to security and PHP, but here's my logic:

1. During the account setup (presuming this is on-line?) they put in their username, password, e-mail address and other details over a 'secure' 128 bit SSL session.
2. During this secure SSL session, you could generate a key pair (be it from your own code or a script you found on the web... or PGP? maybe you could e-mail PGP and ask them if it is possible to create dynamic key pairs through scripting...).
3. a) Store both key pairs securely in your database using MD5
3. b) Provide the Client's key as a file for them to save to their HD during the SSL session (Remember, you are only as secure as your weakest link - if their system is weak, yours will also be weak)
4. E-Mail them a link (instead of their details) that they can click on to retrieve their details. When they click on the link have it start up an SSL session, allow them to put in their username and provide a browse button to select the key pair file they saved to their HD.
5. Compare the contents of the file to the key pair in the database associated with the username, if it checks out ok, return the client's details (over the SSL connection).

Gav

-----Original Message-----
From: Peter Beckman [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 16 November 2002 7:12 AM
To: Aaron Wolski
Cc: 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

At the time of the account setup, you'll have the unencrypted and encrypted password. Send the email before it gets encrypted.

Still, this is a little silly, since the email is unencrypted. I guess you could base64 encode the email, but that'd take an extra step.

Oooh, what about this? Send an email that takes you to an https: page that only can be viewed by entering a valid code sent in another email? This https page, given the right code, will give you your username and password? The two separate emails provides a bit of obscurity, and the password is always encrypted.

On the server side, if these accounts would only be accessed from certain IP blocks, you can block other requests.

Peter

On Fri, 15 Nov 2002, Aaron Wolski wrote:

My client is the one doing the setup of accounts. How would the account holder know of his password before it got encrypted?

Hence the email.

Aaron

-----Original Message-----
From: Peter Beckman [mailto:[EMAIL PROTECTED]]
Sent: November 15, 2002 12:35 PM
To: Aaron Wolski
Cc: 'Jason Vincent'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Why not encrypt the password in the DB? If they lose their password, it cannot be sent to them. They chose it, so it doesn't need to be sent to them in their email. If they lose it, it is changed, and they have to change it again. That way, only if they are stupid do they have an extra step. The passwords in the DB are encrypted, so only if someone gets a hold of the DB can the passwords be cracked by brute force.

md5 would work fine for this. It is the same security that FreeBSD uses in their password file.

Peter
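The "e-mail a link instead of the details" idea from the message above (and Peter Beckman's https-page suggestion quoted in it), as an added PHP example that is not code from any poster in this thread. InviteStore, its methods, the in-memory arrays standing in for a database table and the store.example URL are all hypothetical; it assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example. The arrays below stand in for database tables; the class
// name, method names and URL are hypothetical.
final class InviteStore
{
    /** @var array<string, array{username: string, expires: int}> keyed by SHA-256 of the token */
    private array $invites = [];

    /** @var array<string, string> username => password_hash() output */
    private array $passwordHashes = [];

    // Called by the admin tool when it creates an account. Returns the link
    // to put in the e-mail; neither the username nor a password appears in it.
    public function createInvite(string $username, int $ttlSeconds = 86400): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG

        // Only the hash is stored, so a leaked table does not yield usable links.
        $this->invites[hash('sha256', $token)] = [
            'username' => $username,
            'expires'  => time() + $ttlSeconds,
        ];

        return 'https://store.example/activate.php?token=' . $token;
    }

    // Called from the HTTPS activation page. Returns the username on success,
    // or null if the token is unknown, expired or already used.
    public function redeem(string $token, string $newPassword, ?int $now = null): ?string
    {
        $now = $now ?? time();
        $key = hash('sha256', $token);

        if (!isset($this->invites[$key])) {
            return null;
        }

        $invite = $this->invites[$key];
        unset($this->invites[$key]); // single use: consumed even when expired

        if ($now > $invite['expires']) {
            return null;
        }

        // The user chooses the password over HTTPS; only a salted, slow hash
        // is kept, so there is nothing to e-mail and nothing to decrypt.
        $this->passwordHashes[$invite['username']] =
            password_hash($newPassword, PASSWORD_DEFAULT);

        return $invite['username'];
    }

    public function login(string $username, string $password): bool
    {
        $hash = $this->passwordHashes[$username] ?? null;

        return $hash !== null && password_verify($password, $hash);
    }
}

// Constructed sample run: 'jsmith' and both passwords are made-up values.
$store = new InviteStore();
$link  = $store->createInvite('jsmith');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

// First use of the link sets the password and reveals the username.
var_dump($store->redeem($query['token'], 'correct horse battery staple'));

// Replaying the same link, e.g. from an intercepted e-mail, is rejected.
var_dump($store->redeem($query['token'], 'some other password'));

// Login checks go through password_verify() against the stored hash.
var_dump($store->login('jsmith', 'correct horse battery staple'));
```

An intercepted e-mail is only useful until the account holder has used the link or the expiry passes, which is the window the separate-code and saved-key-file ideas in the thread are trying to narrow further.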
RE: [PHP-DB] Email Encryption?
Hi,

Check out this link:
http://www.pgpi.org/dev/

It is not exactly PHP material, but maybe if you wanted to contact them and ask them about supporting PHP you might get a response (i'd be interested if you get a response, as i think having that functionality in PHP would be useful).

Also, here are some mail lists and news groups:
http://www.pgpi.org/products/pgp/support/

Gav
[PHP-DB] Email Encryption?
OFFTOPIC

Sorry for the off topic guys..

But I've just been informed that an application we developed for a client whereby they use an Admin tool to setup user accounts into their store needs to have the login (username and password) encrypted.

I am thinking PGP for this but to be honest I've never really worked with PGP and wouldn't have the first clue.

Does anyone have any experience with this or can offer any advice at all?

Again, sorry for the OT discussion.

Aaron
RE: [PHP-DB] Email Encryption?
Just thinking here..

PGP is not an option as it would mean EACH user being setup would need the company's public key to decrypt. Not possible as they setup a few hundred accounts each month.

Hmm.. anything else? Argh :(

Aaron

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw;martekbiz.com]
Sent: November 15, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] Email Encryption?

OFFTOPIC

Sorry for the off topic guys..

But I've just been informed that an application we developed for a client whereby they use an Admin tool to setup user accounts into their store needs to have the login (username and password) encrypted.

I am thinking PGP for this but to be honest I've never really worked with PGP and wouldn't have the first clue.

Does anyone have any experience with this or can offer any advice at all?

Again, sorry for the OT discussion.

Aaron
RE: [PHP-DB] Email Encryption?
Why email? If the Admin tool uses SSL, that is all you need.

Regards,
J

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw;martekbiz.com]
Sent: Friday, November 15, 2002 11:39 AM
To: 'Aaron Wolski'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Just thinking here..

PGP is not an option as it would mean EACH user being setup would need the company's public key to decrypt. Not possible as they setup a few hundred accounts each month.

Hmm.. anything else? Argh :(

Aaron
RE: [PHP-DB] Email Encryption?
Can you explain how e-mail fits into the Admin solution? What is the e-mail used for? Setting up the accounts/passwords or sending the account/password to the user?

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw;martekbiz.com]
Sent: Friday, November 15, 2002 11:39 AM
To: 'Aaron Wolski'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Just thinking here..

PGP is not an option as it would mean EACH user being setup would need the company's public key to decrypt. Not possible as they setup a few hundred accounts each month.

Hmm.. anything else? Argh :(

Aaron
RE: [PHP-DB] Email Encryption?
Well.

It's not what they want.. it's what one of their clients want (very big corporation with very unrealistic security standards - you'd think they were NASA or something *grumble*)

Their thought is that someone could hack the received email, login to the store using the publicly displayed login details and wreak havoc on the store, etc. *shrugs*

Sadly this isn't open for debate as a solution IS required.

Any thoughts?

Aaron

-----Original Message-----
From: Jason Vincent [mailto:jayv;nortelnetworks.com]
Sent: November 15, 2002 11:42 AM
To: Aaron Wolski; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Why email? If the Admin tool uses SSL, that is all you need.

Regards,
J
RE: [PHP-DB] Email Encryption?
Instead of emailing them the login and password info, setup a fax gateway and fax it to them. I used this in a situation that needed to be HIPAA compliant.

(If security is still an issue, fold the fax before sending it.) :)

HTH,
=C=

Cal Evans
The Virtual CIO
http://www.calevans.com

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw;martekbiz.com]
Sent: Friday, November 15, 2002 10:47 AM
To: 'Hutchins, Richard'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

The user account is setup via the Admin util. The details are emailed to the account holder. Profile and Login information are contained within.

Aaron
RE: [PHP-DB] Email Encryption?
Hmm...

Could you provide more info on the fax gateway? Have not used this before and would appreciate the info you could provide so I can consider the development and implementation costs, etc.

Note: this all has to be automatically done so as not to create any more work for my client. This system is supposed to simplify their lives not complicate :(

Aaron

-----Original Message-----
From: Cal Evans [mailto:cal;calevans.com]
Sent: November 15, 2002 11:54 AM
To: Aaron Wolski; 'Hutchins, Richard'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Instead of emailing them the login and password info, setup a fax gateway and fax it to them. I used this in a situation that needed to be HIPAA compliant.

(If security is still an issue, fold the fax before sending it.) :)

HTH,
=C=

Cal Evans
The Virtual CIO
http://www.calevans.com
RE: [PHP-DB] Email Encryption?
Aaron,

I don't know much about encryption other than just using PGP myself. However, I would think that encrypting an e-mail message and sending it to a user would require the user to have a key to decrypt it as well as some client side software to actually perform the decryption. Seems like an unreliable requirement.

Are they dead set on encrypting the e-mail? If you can convince them otherwise, here's a solution I've been put through on a couple sites out there:

1. I sign up for an account by providing my e-mail address and a username.
2. I receive an e-mail from the site saying "You signed up, this message confirms your e-mail address is valid and here's a temp password. Go change it." But this message does not contain the username I've entered on the site.
3. I go back to the site, enter my username and temp password and change it to something meaningful to me.
4. I get access to what I'm supposed to have access to.
5. I receive a confirmation e-mail just saying that the password for my account on this site has been changed. But, neither the username NOR the password is included in the e-mail.

The security here is that the username is NEVER sent to the user. If e-mails were intercepted, the hacker would have the password, but not the username. As long as both are required for authentication, you should be set. You could reverse this logic by sending the username and never the password with similar results.

Might not necessarily be the BEST solution, but I've seen it used in various places.

-----Original Message-----
From: Aaron Wolski [mailto:aaronjw;martekbiz.com]
Sent: Friday, November 15, 2002 11:47 AM
To: 'Hutchins, Richard'; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

The user account is setup via the Admin util. The details are emailed to the account holder. Profile and Login information are contained within.

Aaron
RE: [PHP-DB] Email Encryption?
What I was getting at is, have the 'users' log into a secure web page and create their own user names and passwords (and enter their email address). Then just have the admin 'approve' the request and this sends them an email saying that their access has been granted - that way no information is ever passed via email.

Regards,
Jason Vincent
Voice Architecture, Nortel Networks
(905) 863-7480 (ESN 333)
[EMAIL PROTECTED]
RE: [PHP-DB] Email Encryption?
Yeah,

This is one solution I thought of. Problem is, the whole premise of the application is that it is hassle free for my client as well as their clients. By adding in this step (if last resort I will have to) we get rid of the hassle free concept and perhaps diminish the effectiveness () of the app.

Thanks again.

Aaron
RE: [PHP-DB] Email Encryption?
Why not encrypt the password in the DB? If they lose their password, it cannot be sent to them. They chose it, so it doesn't need to be sent to them in their email. If they lose it, it is changed, and they have to change it again. That way, only if they are stupid do they have an extra step.

The passwords in the DB are encrypted, so only if someone gets a hold of the DB can the passwords be cracked by brute force.

md5 would work fine for this. It is the same security that FreeBSD uses in their password file.

Peter

On Fri, 15 Nov 2002, Aaron Wolski wrote:

Well. It's not what they want.. it's what one of their clients wants (very big corporation with very unrealistic security standards - you'd think they were NASA or something *grumble*)

Their thought is that someone could hack the received email, login to the store using the publicly displayed login details and wreak havoc on the store, etc. *shrugs*

Sadly this isn't open for debate as a solution IS required.

Any thoughts?

Aaron

-Original Message-
From: Jason Vincent [mailto:jayv;nortelnetworks.com]
Sent: November 15, 2002 11:42 AM
To: Aaron Wolski; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Email Encryption?

Why email? If the Admin tool uses SSL, that is all you need.

Regards,
J

---
Peter Beckman, Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]
http://www.purplecow.com/
---
RE: [PHP-DB] Email Encryption?
My client is the one doing the setup of accounts.

How would the account holder know of his password before it got encrypted?

Hence the email.

Aaron
Re[2]: [PHP-DB] Email Encryption?
If they have real security standards (though you said unrealistic), they would realize that good encryption isn't decryptable, only comparable. Or try and make them realize as such.
RE: [PHP-DB] Email Encryption?
What does the admin know about the client? Do their clients have account numbers for instance? If so, you could send them an email saying your user name is the same as your last name, and your password is the same as your user account number (and obviously don't disclose the account number in the email) - and have the app force them to change it the first time they log in. This way, even if the hacker intercepted the email, they would not know the client's account number from it and therefore not be able to hack in. Upon change, have the app email the client (assuming you have their email address on file) and let them know that someone has changed their account number, and if it wasn't them... blah blah

Regards,
J
RE: [PHP-DB] Email Encryption?
At the time of the account setup, you'll have the unencrypted and encrypted password. Send the email before it gets encrypted.

Still, this is a little silly, since the email is unencrypted. I guess you could base64 encode the email, but that'd take an extra step.

Oooh, what about this? Send an email that takes you to an https: page that only can be viewed by entering a valid code sent in another email? This https page, given the right code, will give you your username and password? The two separate emails provide a bit of obscurity, and the password is always encrypted.

On the server side, if these accounts would only be accessed from certain IP blocks, you can block other requests.

Peter
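The provisioning ideas raised in this thread (a mailed one-time code redeemed on an https page, a password the user picks at first visit, and a one-way hash in the DB) are sketched below in PHP as an added example; it is not code from any poster. The table, function names and URLs are hypothetical, it assumes PHP 7 or later with pdo_sqlite, and it uses password_hash() rather than the md5 mentioned in the thread.

```php
<?php
// Added example, not from the thread. Schema, function names and URLs are
// hypothetical. Assumes PHP >= 7.0 with pdo_sqlite (in-memory DB for the demo).

const TOKEN_TTL = 86400; // the mailed code is valid for 24 hours

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (
        username      TEXT PRIMARY KEY,
        email         TEXT NOT NULL,
        password_hash TEXT,      -- NULL until the user chooses a password
        token_hash    TEXT,      -- SHA-256 of the mailed one-time code
        token_expires INTEGER
    )');
    return $db;
}

// Admin side: create the account without any password and return the
// one-time code for the e-mail. Only the hash of the code is stored.
function provision_account(PDO $db, string $username, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO accounts (username, email, token_hash, token_expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $email, hash('sha256', $token), $now + TOKEN_TTL]);
    return $token;
}

// User side, over HTTPS: redeem the code and set a self-chosen password.
// A single UPDATE both checks and clears the code, so it works only once.
function activate_account(PDO $db, string $token, string $newPassword, int $now): bool
{
    if (strlen($newPassword) < 12) {
        return false;
    }
    $stmt = $db->prepare('UPDATE accounts
                             SET password_hash = ?, token_hash = NULL, token_expires = NULL
                           WHERE token_hash = ? AND token_expires >= ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT),
                    hash('sha256', $token), $now]);
    return $stmt->rowCount() === 1;
}

// Login: the stored value can only be compared against, never decrypted.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data.
$db    = open_db();
$now   = time();
$token = provision_account($db, 'jdoe', 'jdoe@example.com', $now);

// The mail carries the link only: no username, no password.
$mail = "Your store account is ready: https://store.example.com/activate.php?code=$token";

var_dump(activate_account($db, $token, 'correct horse battery', $now)); // first use
var_dump(activate_account($db, $token, 'someone-elses-choice', $now));  // replayed code
var_dump(check_login($db, 'jdoe', 'correct horse battery'));
var_dump(check_login($db, 'jdoe', 'wrong password'));
```

Whoever opens the mail first can still redeem the code, so a failed activation by the real account holder is the signal to investigate, and the expiry bounds how long an unread mail stays useful.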