Just my opinion, but passwords shouldn't be stored in a method that can be decoded. I don't know about you, but I can't remember a different password for every site that I use, so sometimes I repeat them. I don't want you or some rogue admin decoding my password and trying it at various sites.

Just implement a method to reset the password and leave it be. Don't send the password over email, either. Send a link with a code that expires in say 30 minutes or so that will enable the user to reset the password or use a pass phrase/question or something...

---John Holmes...

----- Original Message -----
From: "Plamen Jelezov" <pj@bmtc-bg.com>
To: <php-db@lists.php.net>
Sent: Friday, April 18, 2003 5:15 AM
Subject: Re: Password Encryption Issues

> Hi,
> In my opinion the problem will be solved, if you don't use password()
> function at all. Just have in your mind that it is a one-way hash and it
> can not decrypt passwords. Try to use encode() and decode() functions
> instead with a salt key by your choice.
> Of course if you insist on using password() function you will have to
> make a script to reset the password and to send the new one to the
> user's email. Depends on you.
>
> For example, suppose you have a form field $pwd in your insert or update
> pages. Then you need to insert its value into a DB (here I presume
> MySQL). So you have the job done like this:
>
> $select = "..MySQL specific words .... encode($pwd, '.g') ";
> $query = .....
> so on
>
> where '.g' is the salt key and the password from 'test' will look like
> 'ddIIjdmnm9' in the DB.
>
> Suppose you have to take it back and return into human readable
> characters in order to give the User a chance to change it. So you write
> the following:
>
> $select = "..MySQL specific words .... decode(pwd_field_Name, '.g') ";
> $select .= "where User_ID = 'whatsoever'";
> $query = .....
> so on
>
> where '.g' is the same salt key and 'pwd_field_Name' is that column that
> contains your encoded passwords.
>
> That's it.
> Hope this helps.
> pj
>
> Erwin Kerk wrote:
> > Probably the password() function relies on some server-specific data....
> >
> > Erwin Kerk
> > Web Developer
> >
> > Lindsey Gregory wrote:
> >
> >> Hello all,
> >>
> >> This is kinda hard to explain, but I am having a problem with pass
> >> encryption/decryption stuff. I had a section of my website protected by a
> >> cookie-based log in that authenticates from a database (mySQL) of
> >> user/pass combinations... anyway, I am moving that website from one
> >> server to another... The username and password are exactly the same in
> >> the new DB as it was in the old one... and of course, I have them
> >> encrypted... but it won't authenticate because the sql query is spitting
> >> out a different encrypted pass from the login form so when I do the
> >> following query:
> >> SELECT id FROM table WHERE ((username = '$username') AND (password =
> >> PASSWORD('$password')))
> >> the encrypted password there is different than the encrypted pass in
> >> the DB.
> >> Any help with this would be appreciated! thanks!
> >> -lindsey
> >
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
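
The reset flow suggested in the reply at the top of this thread (a one-way password hash plus an emailed link whose code expires after 30 minutes), as an added example that is not code from any of the posters. The in-memory `$store` array, the function names and the demo user are assumptions standing in for a real user table.

```php
<?php
// Added example, not code from the thread. $store stands in for a user table
// (hypothetical columns: password_hash, token_hash, expires_at).
const RESET_TTL = 1800; // seconds; the 30 minutes suggested in the reply

// Create a reset code; only its SHA-256 digest is kept server-side.
function issue_reset_token(array &$store, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[$user]['token_hash'] = hash('sha256', $token);
    $store[$user]['expires_at'] = $now + RESET_TTL;
    return $token; // goes into the emailed link, never the password itself
}

// Accept the code once, inside its lifetime, then store a one-way hash.
function redeem_reset_token(array &$store, string $user, string $token,
                            string $newPassword, int $now): bool
{
    $row = $store[$user] ?? [];
    if (!isset($row['token_hash'], $row['expires_at'])) {
        return false; // no reset pending for this user
    }
    if ($now > $row['expires_at']) {
        unset($store[$user]['token_hash'], $store[$user]['expires_at']);
        return false; // link expired
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false; // wrong code; compared in constant time
    }
    unset($store[$user]['token_hash'], $store[$user]['expires_at']); // single use
    $store[$user]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Login check: password_verify() re-derives the hash; nothing is decoded.
function check_login(array $store, string $user, string $password): bool
{
    $hash = $store[$user]['password_hash'] ?? '';
    return $hash !== '' && password_verify($password, $hash);
}

// Constructed demo: user name, passwords and timestamp are made up.
$store = ['alice' => ['password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$t0 = 1700000000;
$token = issue_reset_token($store, 'alice', $t0);
var_dump(redeem_reset_token($store, 'alice', 'wrong-code', 'x', $t0 + 60));     // bad code
var_dump(redeem_reset_token($store, 'alice', $token, 'new-secret', $t0 + 600)); // valid, in time
var_dump(redeem_reset_token($store, 'alice', $token, 'again', $t0 + 601));      // replayed
var_dump(check_login($store, 'alice', 'new-secret'), check_login($store, 'alice', 'old-secret'));
```

Because the hash is computed in application code rather than by the database server's PASSWORD() function, stored values verify the same way after the table is moved to another server.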