PHP & MySQL security: one-way encryption Vs two-way encryption



lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Post by lauthiamkok »

Hi,

I have read that using MySQL AES_ENCRYPT/AES_DECRYPT (two-way encryption) is less secure than using PHP's hash() (one-way encryption).

http://bytes.com/topic/php/answers/8317 ... es_decrypt

Is it true that this is more secure: 'Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.'?

And on top of that, if I am using MySQL AES_ENCRYPT/AES_DECRYPT (which I am quite keen on...), how do I define a key which will be accepted by MySQL? For instance, is the length of the key important, or can I simply use '123123@123123' as my key?

thanks!
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: PHP & MySQL security: one-way encryption Vs two-way encryption

Post by flying_circus »

lauthiamkok wrote: Hi,

I have read that using MySQL AES_ENCRYPT/AES_DECRYPT (two-way encryption) is less secure than using PHP's hash() (one-way encryption).

http://bytes.com/topic/php/answers/8317 ... es_decrypt

Is it true that this is more secure: 'Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.'?

And on top of that, if I am using MySQL AES_ENCRYPT/AES_DECRYPT (which I am quite keen on...), how do I define a key which will be accepted by MySQL? For instance, is the length of the key important, or can I simply use '123123@123123' as my key?

thanks!
Hashing is not encryption, hashing is hashing. You do not want to encrypt user passwords, because if your system is compromised, what stops the attacker from decrypting all of the passwords?

Yes, never send a user password through email. Always send a link in which they have to reset the password. Either send them a token/temp password which is valid for a short time or make them answer a security question.

At registration time generate a random string (salt) and store it in the user's record. Use a filesystem pepper and hash them and the password together. That is the hashed password you store in the database. When the user tries to log in, fetch his salt from the database (by username), then hash his user-supplied password, salt, and pepper together and compare it to what's stored in the database as a password hash. If they match, the user has supplied the correct password.

There would never be a reason for you (the system admin or your staff) to decrypt a user password and send it to them in plain text.
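The registration and login flow flying_circus describes (per-user random salt stored in the row, site-wide pepper kept on the filesystem, one-way hash of all three, constant-time comparison at login), written out as an added PHP example. This is not code from the thread or from any project it mentions; the function names (`hash_password`, `register_user`, `verify_password`), the `PEPPER` constant and the in-memory "row" standing in for a database record are assumptions made for the example.

```php
<?php
// Added example: salted + peppered one-way password hashing as described in
// the reply above. Not code from the thread; all names below are assumptions.
declare(strict_types=1);

// Site-wide secret kept outside the database (config file / environment in
// a real deployment). Constructed placeholder value for this example.
const PEPPER = 'replace-with-a-long-random-secret-kept-outside-the-db';

/**
 * Derive the stored hash from pepper, per-user salt and password.
 * The salt is stored next to the hash in the user row; the pepper is not,
 * so a dumped table alone is not enough to verify guesses offline.
 */
function hash_password(string $password, string $salt): string
{
    return hash('sha256', PEPPER . $salt . $password);
}

/**
 * Registration: generate a fresh random salt and return the two columns
 * that go into the user's record. The password itself is never stored.
 */
function register_user(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 128 bits of randomness, unique per user
    return [
        'salt'          => $salt,
        'password_hash' => hash_password($password, $salt),
    ];
}

/**
 * Login: recompute the hash from the stored salt and the supplied password,
 * then compare in constant time so the comparison leaks nothing through timing.
 */
function verify_password(array $userRow, string $attempt): bool
{
    $candidate = hash_password($attempt, $userRow['salt']);
    return hash_equals($userRow['password_hash'], $candidate);
}

// Simulated user row (stands in for "SELECT salt, password_hash ... WHERE username = ?").
$row = register_user('correct horse battery staple');

echo 'correct password accepted: ', var_export(verify_password($row, 'correct horse battery staple'), true), PHP_EOL;
echo 'wrong password rejected:   ', var_export(!verify_password($row, 'wrong password'), true), PHP_EOL;

// Two accounts with the same password get different hashes because their salts differ.
$other = register_user('correct horse battery staple');
echo 'hashes differ per user:    ', var_export($row['password_hash'] !== $other['password_hash'], true), PHP_EOL;
```

Two design notes on the example: `hash_equals()` rather than `===` keeps the comparison constant-time, and the pepper is deliberately never written to the database. SHA-256 is used here only because it is the `hash()` algorithm the question refers to; it is a fast hash, so on current PHP the idiomatic choice is `password_hash()` / `password_verify()`, which use a deliberately slow algorithm (bcrypt by default) and manage the salt for you, with the pepper still applied outside them if wanted.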
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP & MySQL security: one-way encryption Vs two-way encryption

Post by lauthiamkok »

Thanks so much for the reply. Now I understand password security better! :D