Page 1 of 1

How people stores the password in database?

Posted: Wed Jul 20, 2005 4:25 am
by jeephp
Hi,
I need some help with storing password in mysql database or something similar.

i used to store the password in database using md5() function but there is no way to retrieve the

password back.

Now i want to know that -
is it standard and secure way to store password?
is there any other technique to store password so i can retrive it back?

Any advice on this would be highly appreciated.

Thanks
Paresh

Posted: Wed Jul 20, 2005 5:06 am
by harrisonad
as you said, you cannot decrypt what md5() function produced.
but you can use it to test if the given password, when encrypted using md5(), is exactly equal to the password stored in the db, which is also encrypted using md5().

Code: Select all

$given_pass = 'harrison_is_macho';
if(md5($given_pass)==$correct_pass){

Posted: Wed Jul 20, 2005 8:56 am
by dreamline
I always use MD5 encryption, since if somebody gets a hold of your database then they have to change the password be4 being able to login. The actual member notices right away when he can't login anymore...

However you are right MD5 can't be decrypted, so if somebody needs a new password then you have to create a new one, send it through mail to the user, encrypt it and store it again in the database.

That's how i do it, but i think it's a personal choice whether you use encryption or not. :)

You can also use your own routine to encrypt passwords somewhat. Like adding a value to every character of +1, and subtract that value if when logging in.. That's also an option, might be a bit of programming but i'm sure it'll work.. :)

Posted: Wed Jul 20, 2005 9:10 am
by hawleyjr
md5 is so 1990's...
However you are right MD5 can't be decrypted
You should google MD5 and reverse :)


lol, check out sha1() and be sure to add salt to every password.

Posted: Wed Jul 20, 2005 9:13 am
by infolock
hawleyjr wrote:md5 is so 1990's...
However you are right MD5 can't be decrypted
You should google MD5 and reverse :)


lol, check out sha1() and be sure to add salt to every password.

md5 can, indeed, be cracked, but not easily. The best step is to use encryption on encryption on encryption... that's what i do.

Posted: Wed Jul 20, 2005 10:17 am
by nielsene
infolock wrote:
md5 can, indeed, be cracked, but not easily. The best step is to use encryption on encryption on encryption... that's what i do.
It is not generally a good idea to layer encryptions methods on top of each other.. There are some systems where running one encryption on the results of a different one, or the same one, yields a weaker cryptographic result than the original by itself.

The MD5 hack, makes it easier for someone to generate a different plaintext, based on the original plaintext that will map to the same hash. In a hashed password environment, even if the attacker gains access to the hashed passwords, he doesn't have the original plaintext to use as the collision creation starting point. (Of course if he had the original password, why would he try to crack the hash).

The MD5 exploit is most dangerous in the "signed key" of a distributed binary/source code package. The plaintext is available for the world to see. The MD5 hash is published so people can self-compare. Now an attaccker can create a new binary/source code that will hash to the same MD5 and thus look legitimate and thus compromise the distribution channel.

Posted: Wed Jul 20, 2005 1:06 pm
by Roja
hawleyjr wrote:
However you are right MD5 can't be decrypted
You should google MD5 and reverse :)
You should actually *read* the results. It has nothing to do with reversing the process, and math disallows you to reproduce the original from the hash. It is designed to be lossy - purposely.

However, the recent findings have made it possible to use the original plaintext to make competing/replacement hashes that match. HUGE difference.
hawleyjr wrote: lol, check out sha1() and be sure to add salt to every password.
Perhaps you need to google some more too - sha1 has also been seriously compromised.

Try sha256 on for size. (And yes, don't forget the salt).

Posted: Wed Jul 20, 2005 1:09 pm
by timvw
P -> (K1) -> E

So if you are trying to decrypt this you need to find an invert so that

E -> (Kinverse) -> P

However if you have

P -> (K1) -> E1 -> (K2) -> E2

you still only need to find a K-1

E2 -> (Kinverse) -> P