| Nov 22, 2009 |
QUOTE(soleimanian @ Nov 17 2005, 03:45 PM) Hi, I need some help with storing password in mysql database or something similar. i used to store the password in database using md5() function but there is no way to retrieve thepassword back. - But that is the whole idea behind it - NOT TO BE ABLE TO decrypt passwords, the encryption process being just one-way. In almost any given scenario, you'll find the password being encrypted and stored the first time you enter it. From next time onwards, whenever you login, the newly entered password is again encrypted - the matched against the stored & encrytped form in the database. For security reasons password decryption routines are never built into the system. Why do you think, 99% of the web-based services (the more secure ones) never e-mail you your password, but instead ask you to set a new one when you forget your old one. SIMPLE - because your old password cannot be decrypted and mailed to you. Having a decryption system in place (even if it is not accessible to outsiders) opens up the doorway for a prodigal system administrator or some lesser mortal in the same office, to have a means to decrypt the passwords of other users and have some fun with 'em  Take for example - even on Linux, a sysadmin cannot KNOW or FIND OUT what a user's password is. In case it is lost or forgotten, at best he can reset it to something that the user desires. QUOTE Now i want to know that - is it standard and secure way to store password? is there any other technique to store password so i can retrive it back? The standard technique (one-way) is the most secure you can get, although you can use some other routine and not just a simple MD5 hash. If you're implementing this in your own application, you can easily use MySQL AES_ENCRYPT () function to store your passwords in an encrypted form (only constraint - the storage field in mysql has to be declared Binary). AES_ENCRYPT (Advanced Encryption Standard), however has a matching decryption function too - AES_DECRYPT - with which you can achieve what you're seeking to do... but this just serves to weaken the security mechanism - like a weak-link in the chain. Besides, to use either of these functions, you've to use a Secret Key - sort of a master password, which will be used to encrypt the stored passwords. You need to have this handy during decryption too..or else you can never get back the original pass. One idea, in case you want to implement this method, is to generate this secret key dynamically for each user based on some other stored data, say their name/address/phone/date of birth etc.. so each user will have a separate secret key, with which you encrypt/decrypt their passwords. Example: Some stored fields in the database: ============================
Now I use this to call the AES_ENCRYPT function and encrypt my password and put it in the password field in the DB along with another INSERT instruction to store the rest of the data: CODE INSERT INTO usertable ( First_Name, Last_Name, Phone, BirthDate ) VALUES ( '...', '...', '...', '......' ); UPDATE usertable SET Password = AES_ENCRYPT ( 'mypassword', 'seSy78910' ) WHERE UserID IN ( SELECT LAST_INSERT_ID FROM usertable ); There.. that statement should update the password field in your db with the encrypted form. By issuing these two statements together I can use the LAST_INSERT_ID to get the last inserted ID of the user (depends on the auto-incrementing field) and update the password. OR, You can issue both statements together in a single set of instructions, in this format: CODE INSERT INTO usertable ( First_Name, Last_Name, Phone, BirthDate, Password ) VALUES ( '...', '...', '...', '......', AES_ENCRYPT ( 'mypassword', 'seSy78910' ) ); Since the key to encrypt is being dynamically generated using some string manipulation routine, it'll always be unique for each user and quite secure in a sense. Only thing that you'll have to safeguard is this Key Generating Mechanism. If this falls into someone else's hands he can decrypt anybody's passwords in your db. So use some pretty ingenuous and complicated routine to generate this key. Hope this will put you on the right track.. Regards, m^e
you can write your own encryption and decryption functions to encrypt/decrypt the passwords
but in my opinion the best is to use the way not to have a possibility to decrypt 
WOW, m^e, thank you for this explanation. It really sheds light on some questions I have been aksing for years.
Serious, man, this is the first time I *really* understand one-way versus two-way encryption. Someone famous said, the people which can expain complicated matters with simple words are the real geniuses. I don't want to get into brown-nosing (remember, m^e, I used that term in my first post here 15 days ago), but this is an excellent example. Let me quote Albert Einstein, whom I admire among other things just for that, with another example: When asked how to explain the wireless telegraph, he responded, "The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in New York, and it meows in Los Angeles. The wireless is the same, only without the cat." 
Hahahaha thank you for that curare. That was simply a brilliant example. Thanks for the terrific new addition to my quotes & phrases handbook
And since you brough the term brown-nosing up, I remember seeing an extremely hilarious rendition of it on Webster.Com.. QUOTE Main Entry: brown·nose Pronunciation: 'brau(n)-"nOz Function: transitive verb Etymology: from the implication that servility is equivalent to kissing the hinder parts of the person from whom advancement is sought slang : to ingratiate oneself with : curry favor with - brownnose noun - brown·nos·er noun Source: http://www.webster.com/cgi-bin/dictionary?va=brownnosing What can I say except - "Very well put"
Similar Topics
Keywords : storing, encrypted, passwords, mysql
(3) Sometimes in a table especially if i do alot of things in it i start seeing overhead then a size (3) It is good practice to use multiple tables to sort out big amounts of data. But once you do that it (4) any website provide free host mysql host? i need it because i am using 000webhost.com now but it XD (9) I posted PHP on computer? , but for some reason it doesn't show :/. Anyways I am wondering if (2) Hello .. I would like to ask if i can use use Microsoft excel files in order to make entries to (1) Hi i am new, I have a problem in understanding the query decomposition in D-DB. Can anyone help me (0) HI, I've hit the grain while trying to import file to mysql database - I need to enable file mysql connection error (7) ok so here's my web page... http://lacrossems.t35.org/ it only lags cause its trying to (4) I just got my site hacked!! (don't worry because it is not on astahost) Actually it is a (6) SUN bought the swedish company MYSQL for much money, around 2million each worker got in the company, Come in here if you think MySQL is soo hard! (14) Doesn't anybody think MySQL is so hard to code? I mean think about it, you need loads of How do i do this? (5) Hi guys, ive got a registration system that looks something like the one below: Firstname: When trying to install Joomla (16) I don't know if this is the correct forum, but here is my question: I'm trying to test Please Help! (8) I seem to have a problem with accessing my database with proper permissions. I have set the my is Navcat any good? (9) Hello all, i ve recently come across NavCat (GUI tool) for MySQL. I have not bought a copy yet, just (6) Hello to all of you beautifull people out there, I am new to MySQL, i just wanted to know if its a (27) Ok, I'm coding a project which is a leap than what I'd normally do. Before, I've always (19) I am new to MySql and have just created a database after using a script. My problem is not the I'd like to batch them (6) Hi, maybe one of you already came across this, so I ask. I'll continue searching on. I've (7) Hi. i'm interested in alternatives to MySql combined with php. what database else can i use to Help me connect my flash Work with MySql (8) I know Flash and mysql but could not figure out if I could ever connect these? I want to have a (7) Hi..I want to ask if its possible to automatically mirror my mysql databases into another mysql (9) I have a couple of .frm files with no corresponding data or index files. Is it possible to recover (8) My friends have a little forum running here . The problem is that quite often we get the following MySQL server cannot be started (9) I try to upgrade my MySQL server from 4.018 to 4.1.10a. Firstly, I downloaded mysql-4.1.10a (not the I was able to export but where's import? (3) I am having hard times finding that import csv in the mysql phpmyadmin. I once worked on some csv Any solutions ?? (4) Hi, Can anyone provide me with a quick example of fetching a MySQL Datetime Field and converting it how to replicate mysql in realtime (4) i dont know if this might be useful to ppl here, but this is a very good knowledge for serious (3) I'm trying to insert about 500 rows into mysql, but I keep getting errors. If I copy and paste Looking for storing, encrypted, passwords, mysql
|
 Help In Storing Encrypted Passwords In MySQL |
Affordable Web Hosting, Low cost Web Hosting - ComputingHost.com
