PHP & MySQL security: one-way encryption Vs two-way encrypti

Posted: Sat Oct 09, 2010 10:56 am
by lauthiamkok
Hi,

I have read that using MySQL AES_ENCRYPT/AES_DECRYPT (two-way encryption) is less secure than using PHP's hash() (one-way encryption).

http://bytes.com/topic/php/answers/8317 ... es_decrypt

Is it true that it is more secure that 'Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.'?

And on top of that, if I am using MySQL AES_ENCRYPT/AES_DECRYPT (which I'm quite keen on...), how do I define a key that will be accepted by MySQL? For instance, is the length of the key important? Or can I simply use '123123@123123' as my key?

thanks!

Re: PHP & MySQL security: one-way encryption Vs two-way encr

Posted: Sat Oct 09, 2010 12:03 pm
by flying_circus
lauthiamkok wrote: Hi,

I have read that using MySQL AES_ENCRYPT/AES_DECRYPT (two-way encryption) is less secure than using PHP's hash() (one-way encryption).

http://bytes.com/topic/php/answers/8317 ... es_decrypt

Is it true that it is more secure that 'Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.'?

And on top of that, if I am using MySQL AES_ENCRYPT/AES_DECRYPT (which I'm quite keen on...), how do I define a key that will be accepted by MySQL? For instance, is the length of the key important? Or can I simply use '123123@123123' as my key?

thanks!
Hashing is not encryption, hashing is hashing. You do not want to encrypt user passwords, because if your system is compromised, what stops the attacker from decrypting all of the passwords?

Yes, never send a user password through email. Always send a link in which they have to reset the password. Either send them a token/temp password which is valid for a short time or make them answer a security question.

At registration time generate a random string (salt) and store it in the user's record. Use a filesystem pepper and hash it, the salt and the password together. That is the hashed password you store in the database. When the user tries to log in, fetch his salt from the database (by username), then hash his user-supplied password, salt, and pepper together and compare it to what's stored in the database as the password hash. If they match, the user has supplied the correct password.

There would never be a reason for you (the system admin or your staff) to decrypt a user password and send it to them in plain text.
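The registration and login flow flying_circus describes, written out as an added PHP example (this is not code from the thread or from either poster). It uses PHP's hash() as the original question mentions, a per-user random salt, and a pepper held outside the database. The pepper value and the in-memory $users array are constructed stand-ins: the array plays the role of the MySQL users table so the script runs offline.

```php
<?php
// Added example: salt + pepper password hashing as described in the reply above.
// The $users array is a constructed stand-in for a MySQL users table.

declare(strict_types=1);

// Pepper: a secret kept in the filesystem/config, never in the database, so a
// dump of the users table alone is not enough to attack the hashes.
// Hypothetical value for demonstration; load it from a file outside the web root.
const PEPPER = 'example-pepper-kept-out-of-the-db';

/** Constructed users "table": username => ['salt' => ..., 'hash' => ...]. */
$users = [];

/** Hash pepper, per-user salt and password together with hash(), as in the question. */
function hashPassword(string $password, string $salt, string $pepper): string
{
    return hash('sha256', $pepper . $salt . $password);
}

/** Registration: generate a random salt, store salt + hash, never the password. */
function registerUser(array &$users, string $username, string $password): void
{
    // 16 random bytes, hex-encoded so it stores cleanly in a VARCHAR column.
    $salt = bin2hex(random_bytes(16));
    $users[$username] = [
        'salt' => $salt,
        'hash' => hashPassword($password, $salt, PEPPER),
    ];
}

/** Login: look up the salt by username, recompute, compare in constant time. */
function verifyLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Do the same amount of work for unknown users so response time
        // does not reveal which usernames exist.
        hashPassword($password, 'nonexistent-user', PEPPER);
        return false;
    }
    $record = $users[$username];
    $candidate = hashPassword($password, $record['salt'], PEPPER);
    // hash_equals() avoids early-exit string comparison timing leaks.
    return hash_equals($record['hash'], $candidate);
}

// Demonstration with constructed data.
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(verifyLogin($users, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'alice', 'wrong password'));
var_dump(verifyLogin($users, 'mallory', 'anything'));
```

Note that on a current PHP (5.5 and later) the idiomatic choice is password_hash() and password_verify(), which use bcrypt and handle the per-user salt for you; the example above keeps the reply's explicit salt/pepper/hash() construction so the steps it describes are visible.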

Re: PHP & MySQL security: one-way encryption Vs two-way encr

Posted: Sat Oct 09, 2010 12:29 pm
by lauthiamkok
Thanks so much for the reply. Now I know about password security better! :D