RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-20 Thread matt stewart

Good point well made.
This system has pretty much everything we need - thanks!

-Original Message-
From: Ryan Marrs [mailto:[EMAIL PROTECTED]]
Sent: 20 December 2001 16:17
To: 'Zach Curtis'; matt stewart
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Or what may be even better at that point (to keep someone from pestering
another user and changing their password).  Email them a randomly generated
string based on their username, store that in a database, then send them to
a page to enter the string (or pass it through the url.)

IE.

I'm Joe, I lost my password, I click Lost Password.  It emails me this:

http://this.domain.com/passwordreset.php?un=joe&gen=2lkfh4j2lk34klb25bmn425kl23k5b

Then it will change my password to a randomly generated string and email it
to me.  
After that, it will allow me to change my password.

That way you don't have a schmuck in there guessing usernames, or pestering
people they don't like by clicking "Lost Password".  If someone doesn't
check their mail quite frequently, they'll just get "Incorrect Password" and
be emailing you for support every 5 minutes.



 Ryan Marrs
 Web Developer
 Sandler and Travis Trade Advisory Services, Inc.
 248.474.7200 x 183
 http://www.strtrade.com
 
 

-Original Message-
From: Zach Curtis [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 20, 2001 11:15 AM
To: matt stewart
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL

This is how I'm going to work things.

Store the password using PASSWORD() in the table. Allow user to request
their forgotten username and/or password. If the password is requested, I
will reset the password to a random value and store this in the table using
PASSWORD(). The username and/or password will then be emailed to the user. I
will also provide a location where the user can change their password once
they are authenticated in the members area.

I think this approach allows the password to maintain a certain level of
security and give the user the greatest flexibility on maintaining their
password.


Zach

-Original Message-
From: matt stewart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 2:19 AM
To: 'Zach Curtis'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


I would go for the "generate new random password" approach - email the new
random password to the registered email address, then they can log in using
it and reset it to whatever they want. Probably easier than using lots of
code encrypting and decrypting things?
Let me know what you decide on, and if you do enc/decrypt stuff, I'd be
interested in seeing the code for a similar thing myself!
Matt

-Original Message-
From: Zach Curtis [mailto:[EMAIL PROTECTED]]
Sent: 19 December 2001 20:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Thanks for the suggestions.

I guess I can try to:

A) Store the password in plaintext if I need to retrieve the password.
B) Store the password using PASSWORD() and then generate a new random
password if needed, replacing the old password.
C) Look into mcrypt, ENCODE()/DECODE(), encipher/decipher

Thanks,


Zach

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:56 PM
To: Zach Curtis
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Yet another example of ted's out-to-lunchness...

Use the mcrypt functions on the password...




--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.307 / Virus Database: 168 - Release Date: 11/12/01


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.307 / Virus Database: 168 - Release Date: 11/12/01




RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-20 Thread Ryan Marrs

Or what may be even better at that point (to keep someone from pestering
another user and changing their password).  Email them a randomly generated
string based on their username, store that in a database, then send them to
a page to enter the string (or pass it through the url.)

IE.

I'm Joe, I lost my password, I click Lost Password.  It emails me this:

http://this.domain.com/passwordreset.php?un=joe&gen=2lkfh4j2lk34klb25bmn425kl23k5b

Then it will change my password to a randomly generated string and email it
to me.  
After that, it will allow me to change my password.

That way you don't have a schmuck in there guessing usernames, or pestering
people they don't like by clicking "Lost Password".  If someone doesn't
check their mail quite frequently, they'll just get "Incorrect Password" and
be emailing you for support every 5 minutes.



 Ryan Marrs
 Web Developer
 Sandler and Travis Trade Advisory Services, Inc.
 248.474.7200 x 183
 http://www.strtrade.com
 
 

-Original Message-
From: Zach Curtis [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 20, 2001 11:15 AM
To: matt stewart
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL

This is how I'm going to work things.

Store the password using PASSWORD() in the table. Allow user to request
their forgotten username and/or password. If the password is requested, I
will reset the password to a random value and store this in the table using
PASSWORD(). The username and/or password will then be emailed to the user. I
will also provide a location where the user can change their password once
they are authenticated in the members area.

I think this approach allows the password to maintain a certain level of
security and give the user the greatest flexibility on maintaining their
password.


Zach

-Original Message-
From: matt stewart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 2:19 AM
To: 'Zach Curtis'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


I would go for the "generate new random password" approach - email the new
random password to the registered email address, then they can log in using
it and reset it to whatever they want. Probably easier than using lots of
code encrypting and decrypting things?
Let me know what you decide on, and if you do enc/decrypt stuff, I'd be
interested in seeing the code for a similar thing myself!
Matt

-Original Message-
From: Zach Curtis [mailto:[EMAIL PROTECTED]]
Sent: 19 December 2001 20:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Thanks for the suggestions.

I guess I can try to:

A) Store the password in plaintext if I need to retrieve the password.
B) Store the password using PASSWORD() and then generate a new random
password if needed, replacing the old password.
C) Look into mcrypt, ENCODE()/DECODE(), encipher/decipher

Thanks,


Zach

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:56 PM
To: Zach Curtis
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Yet another example of ted's out-to-lunchness...

Use the mcrypt functions on the password...




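The confirm-before-reset flow Ryan describes above, as an added example (not code from the thread or from any poster). Assumptions: PDO with an in-memory SQLite database standing in for MySQL, a hypothetical `resets` table and function names, a placeholder host, a token drawn from random_bytes() rather than derived from the username, and password_hash() in place of PASSWORD(). In this variant the user sets the new password on the reset page instead of being mailed a second random one.

```php
<?php
declare(strict_types=1);

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (userName TEXT PRIMARY KEY, email TEXT, password TEXT)');
$db->exec('CREATE TABLE resets (userName TEXT PRIMARY KEY, tokenHash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO members VALUES (?, ?, ?)')
   ->execute(['joe', 'joe@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Step 1: "Lost Password" is clicked. Nothing about the account changes yet,
// so a stranger requesting a reset for joe cannot lock him out.
function requestReset(PDO $db, string $email): ?string
{
    $q = $db->prepare('SELECT userName FROM members WHERE email = ?'); // bound, not interpolated
    $q->execute([$email]);
    $user = $q->fetchColumn();
    if ($user === false) {
        return null; // caller shows the same "check your mail" page either way
    }
    $token = bin2hex(random_bytes(16)); // from the CSPRNG, not derived from the username
    $db->prepare('REPLACE INTO resets VALUES (?, ?, ?)')
       ->execute([$user, hash('sha256', $token), time() + 3600]); // store only a hash, valid 1 hour
    // Placeholder host; a real page would mail() this link instead of returning it.
    return 'https://site.example/passwordreset.php?un=' . rawurlencode($user) . '&gen=' . $token;
}

// Step 2: the link from the mail is opened and a new password is submitted.
function confirmReset(PDO $db, string $user, string $token, string $newPassword): bool
{
    $q = $db->prepare('SELECT tokenHash, expires FROM resets WHERE userName = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()
        || !hash_equals($row['tokenHash'], hash('sha256', $token))) {
        return false; // no pending reset, expired token, or wrong token
    }
    $db->prepare('UPDATE members SET password = ? WHERE userName = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $user]); // one-way, as with PASSWORD()
    $db->prepare('DELETE FROM resets WHERE userName = ?')->execute([$user]); // single use
    return true;
}

// Walk through the flow with the constructed account.
$link = requestReset($db, 'joe@example.com');
parse_str((string) parse_url($link, PHP_URL_QUERY), $p);
var_dump(confirmReset($db, $p['un'], 'wrong-token', 'x'));      // guessed token
var_dump(confirmReset($db, $p['un'], $p['gen'], 'new-secret')); // token from the mailed link
var_dump(confirmReset($db, $p['un'], $p['gen'], 'again'));      // replay of the used token
$stored = $db->query("SELECT password FROM members WHERE userName = 'joe'")->fetchColumn();
var_dump(password_verify('new-secret', $stored));               // login check against the new hash
```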




RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-20 Thread Zach Curtis

This is how I'm going to work things.

Store the password using PASSWORD() in the table. Allow user to request
their forgotten username and/or password. If the password is requested, I
will reset the password to a random value and store this in the table using
PASSWORD(). The username and/or password will then be emailed to the user. I
will also provide a location where the user can change their password once
they are authenticated in the members area.

I think this approach allows the password to maintain a certain level of
security and give the user the greatest flexibility on maintaining their
password.


Zach

-Original Message-
From: matt stewart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 2:19 AM
To: 'Zach Curtis'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


I would go for the "generate new random password" approach - email the new
random password to the registered email address, then they can log in using
it and reset it to whatever they want. Probably easier than using lots of
code encrypting and decrypting things?
Let me know what you decide on, and if you do enc/decrypt stuff, I'd be
interested in seeing the code for a similar thing myself!
Matt

-Original Message-
From: Zach Curtis [mailto:[EMAIL PROTECTED]]
Sent: 19 December 2001 20:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Thanks for the suggestions.

I guess I can try to:

A) Store the password in plaintext if I need to retrieve the password.
B) Store the password using PASSWORD() and then generate a new random
password if needed, replacing the old password.
C) Look into mcrypt, ENCODE()/DECODE(), encipher/decipher

Thanks,


Zach

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:56 PM
To: Zach Curtis
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Yet another example of ted's out-to-lunchness...

Use the mcrypt functions on the password...








RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-20 Thread matt stewart

I would go for the "generate new random password" approach - email the new
random password to the registered email address, then they can log in using
it and reset it to whatever they want. Probably easier than using lots of
code encrypting and decrypting things?
Let me know what you decide on, and if you do enc/decrypt stuff, I'd be
interested in seeing the code for a similar thing myself!
Matt

-Original Message-
From: Zach Curtis [mailto:[EMAIL PROTECTED]]
Sent: 19 December 2001 20:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Thanks for the suggestions.

I guess I can try to:

A) Store the password in plaintext if I need to retrieve the password.
B) Store the password using PASSWORD() and then generate a new random
password if needed, replacing the old password.
C) Look into mcrypt, ENCODE()/DECODE(), encipher/decipher

Thanks,


Zach

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:56 PM
To: Zach Curtis
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Yet another example of ted's out-to-lunchness...

Use the mcrypt functions on the password...








Re: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread Paul DuBois

On Wed, Dec 19, 2001 at 12:24:02PM -0700, Zach Curtis wrote:
> I have a form for a user to request their forgotten username and password by
> entering their email address. I then process this and use mail() to send
> them their username and password. However, the password is stored in an
> encrypted PASSWORD('password') field in the MySQL table. How can I retrieve
> the decrypted password in a SELECT statement?

You can't.  It's a one way encryption.  It even says so in the MySQL
Reference manual entry for PASSWORD().






RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread Zach Curtis

Thanks for the suggestions.

I guess I can try to:

A) Store the password in plaintext if I need to retrieve the password.
B) Store the password using PASSWORD() and then generate a new random
password if needed, replacing the old password.
C) Look into mcrypt, ENCODE()/DECODE(), encipher/decipher

Thanks,


Zach

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:56 PM
To: Zach Curtis
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL


Yet another example of ted's out-to-lunchness...

Use the mcrypt functions on the password...








RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread ted

Yet another example of ted's out-to-lunchness...

Use the mcrypt functions on the password...







RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread ted

Here's another approach:  use MySQL's encipher/decipher function and have
a super-secret password to encrypt/decrypt.







RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread ted

No.  Rather, it's "computationally infeasible".

On Wed, 19 Dec 2001, Zach Curtis wrote:

> Fortunately, this application is still in testing, therefore the users and
> passwords in the db are meaningless. However, I thought storing encrypted
> passwords in a db was a good idea, that is if I can retrieve the decrypted
> password. Can this be done?






RE: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread Zach Curtis

Fortunately, this application is still in testing, therefore the users and
passwords in the db are meaningless. However, I thought storing encrypted
passwords in a db was a good idea, that is if I can retrieve the decrypted
password. Can this be done?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:29 PM
To: Zach Curtis
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Decrypting PASSWORD() from MySQL


Well, it's (intended to be) difficult.  Perhaps you can NULL it out and
have them put in a new password...

On Wed, 19 Dec 2001, Zach Curtis wrote:

> I have a form for a user to request their forgotten username and password by
> entering their email address. I then process this and use mail() to send
> them their username and password. However, the password is stored in an
> encrypted PASSWORD('password') field in the MySQL table. How can I retrieve
> the decrypted password in a SELECT statement?
>
> For example, the following results in retrieving the encrypted password.
>
> $result = mysql_query("SELECT userName,password,email FROM members WHERE email='$email'");
> if (!$result)
>   echo "Could not execute database query:" . mysql_error() . "";
>
> $row = mysql_fetch_array($result);
> $userName = "$row[userName]";
> $password = "$row[password]";
> $email = "$row[email]";
>
>
> Thank you.
>
>
> Zach Curtis
> Programmer/Analyst
> POPULUS
>
>




Re: [PHP-DB] Decrypting PASSWORD() from MySQL

2001-12-19 Thread ted

Well, it's (intended to be) difficult.  Perhaps you can NULL it out and
have them put in a new password...

On Wed, 19 Dec 2001, Zach Curtis wrote:

> I have a form for a user to request their forgotten username and password by
> entering their email address. I then process this and use mail() to send
> them their username and password. However, the password is stored in an
> encrypted PASSWORD('password') field in the MySQL table. How can I retrieve
> the decrypted password in a SELECT statement?
>
> For example, the following results in retrieving the encrypted password.
>
> $result = mysql_query("SELECT userName,password,email FROM members WHERE email='$email'");
> if (!$result)
>   echo "Could not execute database query:" . mysql_error() . "";
>
> $row = mysql_fetch_array($result);
> $userName = "$row[userName]";
> $password = "$row[password]";
> $email = "$row[email]";
>
>
> Thank you.
>
>
> Zach Curtis
> Programmer/Analyst
> POPULUS
>
>