Storing passwords
Posted: Thu Apr 20, 2006 7:27 am
by hessodreamy
I currently encrypt passwords to store them in a database. Fine. And when people forget their passwords I would have thought you'd need to send them a new random password and put the encrypted version in the DB.
But how about some sites which, when you forget your password, they email it to you? Am I right in saying that they must be storing it unencrypted?
Re: Storing passwords
Posted: Thu Apr 20, 2006 7:36 am
by Chris Corbyn
hessodreamy wrote:I currently encrypt passwords to store them in a database. Fine. And when people forget their passwords I would have thought you'd need to send them a new random password and put the encrypted version in the DB.
But how about some sites which, when you forget your password, they email it to you? Am I right in saying that they must be storing it unencrypted?
If they encrypt it they can decrypt it again. If they hash it then they can't really reverse it (ok, it's not impossible to guess via a tedious collision/tunnel process).
What I'm trying to say is that hashing and encryption are not the same.
That aside, yes, many sites do store passwords in their plain original format. And no... that's not the right thing to do.
Sounds like you're on the correct track anyway with what you're doing.
Posted: Thu Apr 20, 2006 7:38 am
by hessodreamy
Cheers.
I also just found this discussion on it:
viewtopic.php?t=42260
Posted: Thu Apr 20, 2006 7:42 am
by hessodreamy
Also how about storing credit card details in session data. (Over ssl)
I would immediately have serious misgivings about it, but if it's encrypted is it acceptable?
(I'm only thinking from the point of view of if the information is invalid/rejected, showing them the info they previously entered would be helpful in seeing where/if they went wrong)
Posted: Thu Apr 20, 2006 7:44 am
by Chris Corbyn
hessodreamy wrote:Also how about storing credit card details in session data. (Over ssl)
I would immediately have serious misgivings about it, but if it's encrypted is it acceptable?
(I'm only thinking from the point of view of if the information is invalid/rejected, showing them the info they previously entered would be helpful in seeing where/if they went wrong)
I personally wouldn't store it in a session. Can't you use a password protected database for that, even if just temporarily?
If you need to use sessions for it you may want to check your session save path and session save handler to keep that data as private as possible. If this isn't a shared hosting server then all that stuff I said is nowhere near as important.

Posted: Thu Apr 20, 2006 7:53 am
by hessodreamy
Ah, yeah. It's a dedicated server. But still...
I'm probably not going to store the card details in any way at the moment, was just weighing up the 'nay's and 'yay's
Re: Storing passwords
Posted: Thu Apr 20, 2006 8:11 am
by Roja
hessodreamy wrote:I currently encrypt passwords to store them in a database. Fine. And when people forget their passwords I would have thought you'd need to send them a new random password and put the encrypted version in the DB.
But how about some sites which, when you forget your password, they email it to you? Am I right in saying that they must be storing it unencrypted?
They could be using two-way encryption instead of hashing (which I recommend against).
The first sequence you describe is the one I suggest following.
Posted: Thu Apr 20, 2006 8:14 am
by hessodreamy
oh, now I AM confused. Why would you recommend against encrypting the passwords? Not secure enough?
Posted: Thu Apr 20, 2006 8:18 am
by Roja
hessodreamy wrote:Also how about storing credit card details in session data. (Over ssl)
I would immediately have serious misgivings about it, but if it's encrypted is it acceptable?
(I'm only thinking from the point of view of if the information is invalid/rejected, showing them the info they previously entered would be helpful in seeing where/if they went wrong)
Credit card details are just about the most dangerous piece of information on the planet after SSNs. Personally, I'd avoid storing or processing them at all costs.
Posted: Thu Apr 20, 2006 8:43 am
by Maugrim_The_Reaper
hessodreamy wrote:oh, now I AM confused. Why would you recommend against encrypting the passwords? Not secure enough?
Anything encrypted can be decrypted. Anything hashed cannot (assuming you use a strong hashing algorithm).
The reason a password is suggested to be hashed, and not encrypted, is that it has no utility to anyone other than the User. If the server has no use for it, why store an encrypted version at all? At least when hashed it is not recoverable should a hacker or other get access to a list of all user data.
The only change to your user account processes is creating a random password in the Forgotten Password feature, and having to compare a hash generated from the login form's password value with the hash originally stored from the original password set.
Hashing is more sensible for password protection than encryption...
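The flow described in the post above (store only a hash, compare hashes at login, issue a random password on reset), as an added example that is not part of the original thread. The function names, the record format and the PBKDF2 parameters are assumptions made for this sketch, and the in-memory dict stands in for the users table.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example; tune to your hardware

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = secrets.token_bytes(16)  # per-user random salt: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login form value with the stored salt and compare the two hashes."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def reset_password(db: dict, user: str) -> str:
    """Forgotten-password flow: issue a new random password and store only its hash."""
    if user not in db:
        raise KeyError(user)
    new_password = secrets.token_urlsafe(12)  # 16 URL-safe characters from the OS CSPRNG
    db[user] = hash_password(new_password)
    return new_password  # sent to the user once; it cannot be read back out of db

if __name__ == "__main__":
    users = {"alice": hash_password("original-password")}  # constructed sample record
    print(verify_password("original-password", users["alice"]))
    temp = reset_password(users, "alice")
    print(verify_password("original-password", users["alice"]))
    print(verify_password(temp, users["alice"]))
```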
Posted: Thu Apr 20, 2006 9:31 am
by Roja
hessodreamy wrote:oh, now I AM confused. Why would you recommend against encrypting the passwords? Not secure enough?
As Maugrim points out, encryption is two-way. Hashing is one-way. If you capture my hash, you cannot recover my password. If you capture my encrypted password, you can (given sufficient time) recover my password.
Posted: Thu Apr 20, 2006 9:33 am
by hessodreamy
absolutely. I'm with you now. I'd best go read up on hashing and encrypting anyway. Cheers