How people stores the password in database?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
jeephp
Forum Newbie
Posts: 16
Joined: Sat Apr 23, 2005 4:42 am

How people stores the password in database?

Post by jeephp »

Hi,
I need some help with storing password in mysql database or something similar.

i used to store the password in database using md5() function but there is no way to retrieve the

password back.

Now i want to know that -
is it standard and secure way to store password?
is there any other technique to store password so i can retrive it back?

Any advice on this would be highly appreciated.

Thanks
Paresh
User avatar
harrisonad
Forum Contributor
Posts: 288
Joined: Fri Oct 15, 2004 4:58 am
Location: Philippines
Contact:

Post by harrisonad »

as you said, you cannot decrypt what md5() function produced.
but you can use it to test if the given password, when encrypted using md5(), is exactly equal to the password stored in the db, which is also encrypted using md5().

Code: Select all

$given_pass = 'harrison_is_macho';
if(md5($given_pass)==$correct_pass){
dreamline
Forum Contributor
Posts: 158
Joined: Fri May 28, 2004 2:37 am

Post by dreamline »

I always use MD5 encryption, since if somebody gets a hold of your database then they have to change the password be4 being able to login. The actual member notices right away when he can't login anymore...

However you are right MD5 can't be decrypted, so if somebody needs a new password then you have to create a new one, send it through mail to the user, encrypt it and store it again in the database.

That's how i do it, but i think it's a personal choice whether you use encryption or not. :)

You can also use your own routine to encrypt passwords somewhat. Like adding a value to every character of +1, and subtract that value if when logging in.. That's also an option, might be a bit of programming but i'm sure it'll work.. :)
User avatar
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

md5 is so 1990's...
However you are right MD5 can't be decrypted
You should google MD5 and reverse :)


lol, check out sha1() and be sure to add salt to every password.
User avatar
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

hawleyjr wrote:md5 is so 1990's...
However you are right MD5 can't be decrypted
You should google MD5 and reverse :)


lol, check out sha1() and be sure to add salt to every password.

md5 can, indeed, be cracked, but not easily. The best step is to use encryption on encryption on encryption... that's what i do.
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

infolock wrote:
md5 can, indeed, be cracked, but not easily. The best step is to use encryption on encryption on encryption... that's what i do.
It is not generally a good idea to layer encryptions methods on top of each other.. There are some systems where running one encryption on the results of a different one, or the same one, yields a weaker cryptographic result than the original by itself.

The MD5 hack, makes it easier for someone to generate a different plaintext, based on the original plaintext that will map to the same hash. In a hashed password environment, even if the attacker gains access to the hashed passwords, he doesn't have the original plaintext to use as the collision creation starting point. (Of course if he had the original password, why would he try to crack the hash).

The MD5 exploit is most dangerous in the "signed key" of a distributed binary/source code package. The plaintext is available for the world to see. The MD5 hash is published so people can self-compare. Now an attaccker can create a new binary/source code that will hash to the same MD5 and thus look legitimate and thus compromise the distribution channel.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

hawleyjr wrote:
However you are right MD5 can't be decrypted
You should google MD5 and reverse :)
You should actually *read* the results. It has nothing to do with reversing the process, and math disallows you to reproduce the original from the hash. It is designed to be lossy - purposely.

However, the recent findings have made it possible to use the original plaintext to make competing/replacement hashes that match. HUGE difference.
hawleyjr wrote: lol, check out sha1() and be sure to add salt to every password.
Perhaps you need to google some more too - sha1 has also been seriously compromised.

Try sha256 on for size. (And yes, don't forget the salt).
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

P -> (K1) -> E

So if you are trying to decrypt this you need to find an invert so that

E -> (Kinverse) -> P

However if you have

P -> (K1) -> E1 -> (K2) -> E2

you still only need to find a K-1

E2 -> (Kinverse) -> P
Post Reply