Storing passwords in Oracle
Posted: Mon Oct 25, 2004 4:05 am
by Tubbietoeter
Hi,
I want to keep users to a web site in a database. The passwords must be encrypted. If the user logs in, the password he entered must be compared to the password that is stored in the database.
I haven't found an Oracle function to encrypt and decrypt passwords, so I guess I would have to do that in PHP.
What would be the best approach? As far as I know there are several possibilities but I just don't know which one is best.
Can someone maybe post some code here I could use?
Thanks,
Steff
Posted: Mon Oct 25, 2004 7:06 am
by kettle_drum
You NEVER need to decrypt a password. All you do is encode the password the user enters and then compare that value with what is stored in the database. md5() is usually fine for the encoding.
Posted: Mon Oct 25, 2004 7:21 am
by m3mn0n
It does make the traditional "Forgot Your Password" feature rather obsolete, but instead of displaying the password they forgot, you just need to take them to an area to make a new one.
Posted: Mon Oct 25, 2004 12:55 pm
by kettle_drum
Well, it's also far more secure if you never decrypt the password. Things like "forgot your password" where it emails you your password are very insecure, as anybody could intercept it or read your mail, and with users generally using the same password for all things, it's a huge problem.
Posted: Mon Oct 25, 2004 1:13 pm
by Weirdan
kettle_drum wrote: Things like "forgot your password" where it emails you your password are very insecure, as anybody could intercept it or read your mail, and with users generally using the same password for all things, it's a huge problem.
Forgetting a password is insecure by definition.
Tubbietoeter wrote: The passwords must be encrypted. If the user logs in, the password he entered must be compared to the password that is stored in the database.
md5() or sha1() is what you need.
PS: There were rumours that someone had found an md5 collision, not sure if it was true, but anyway...
Posted: Tue Oct 26, 2004 4:04 am
by Tubbietoeter
Thanks all. That is what I needed to know.
So a varchar2 datatype should be fine for Oracle then. Cool.
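The flow kettle_drum and Weirdan describe (hash on store, hash-and-compare on login, never decrypt) together with m3mn0n's "make a new password instead of mailing the old one" flow, as an added example that is not code from the thread. It uses PHP's password_hash()/password_verify() (a salted, deliberately slow hash) in place of the md5()/sha1() the thread suggests, and shows the md5 comparison alongside for contrast. A PHP array stands in for the Oracle users table; the table layout, column names, the RESET_TOKEN_TTL policy and the sample user are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Storage is an in-memory array that
// stands in for the Oracle users table; in Oracle the hash column can be a
// VARCHAR2 (bcrypt output from password_hash() is 60 characters, so
// VARCHAR2(255) leaves room for future algorithms). Column names are assumed.

const RESET_TOKEN_TTL = 3600; // seconds a reset token stays valid (assumed policy)

// Precomputed hash so that a login attempt for an unknown user costs the same
// time as one for a known user (does not reveal which usernames exist).
$DUMMY_HASH = password_hash('dummy-password', PASSWORD_DEFAULT);

/** Register a user: only the salted hash is written to the "table". */
function register(array &$users, string $username, string $password): void
{
    $users[$username] = [
        'password_hash'    => password_hash($password, PASSWORD_DEFAULT),
        'reset_token_hash' => null,
        'reset_expires'    => 0,
    ];
}

/** Login: hash the submitted password and compare; the stored hash is never reversed. */
function login(array $users, string $username, string $password, string $dummyHash): bool
{
    $stored = $users[$username]['password_hash'] ?? $dummyHash;
    $ok = password_verify($password, $stored);
    return $ok && isset($users[$username]);
}

/**
 * "Forgot your password": instead of mailing the old password, issue a random
 * single-use token. Only the token's hash is stored, so a copy of the table
 * does not let anyone reset accounts. The caller emails $token to the user.
 */
function create_reset_token(array &$users, string $username, int $now): ?string
{
    if (!isset($users[$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $users[$username]['reset_token_hash'] = hash('sha256', $token);
    $users[$username]['reset_expires']    = $now + RESET_TOKEN_TTL;
    return $token;
}

/** Consume the token and set a new password; the token is invalidated on success. */
function reset_password(array &$users, string $username, string $token, string $newPassword, int $now): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['reset_token_hash'] === null || $now > $u['reset_expires']) {
        return false;
    }
    // hash_equals() compares in constant time, so a mismatch does not leak
    // how many leading bytes of the token were right.
    if (!hash_equals($u['reset_token_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_token_hash'] = null;
    $users[$username]['reset_expires']    = 0;
    return true;
}

/**
 * The scheme the thread proposes, for contrast: md5 has no salt, so two users
 * with the same password get the same stored value and precomputed tables
 * apply, and it is fast enough that guessing from a leaked table is cheap.
 * Even here the comparison should be constant-time.
 */
function md5_check(string $storedMd5, string $password): bool
{
    return hash_equals($storedMd5, md5($password));
}

// Usage with constructed data (sample user and passwords are made up).
$users = [];
register($users, 'steff', 'correct horse battery staple');
var_dump(login($users, 'steff', 'correct horse battery staple', $DUMMY_HASH));
var_dump(login($users, 'steff', 'wrong', $DUMMY_HASH));
var_dump(login($users, 'nobody', 'wrong', $DUMMY_HASH));

$token = create_reset_token($users, 'steff', time());
var_dump(reset_password($users, 'steff', $token, 'new passphrase', time()));
var_dump(login($users, 'steff', 'new passphrase', $DUMMY_HASH));
var_dump(reset_password($users, 'steff', $token, 'again', time())); // token already consumed
```

With a real Oracle table the array reads and writes become SELECT/UPDATE statements with bound parameters; nothing else changes, because the database only ever holds hashes and the comparison happens in PHP after hashing the submitted value.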