Hey, to each his own. Use the method you think is the most secure. There's
always a trade off between security and convenience.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today.
http://www.phparch.com/

> -----Original Message-----
> From: pj [mailto:pj@bmtc-bg.com]
> Sent: Monday, April 21, 2003 7:01 AM
> To: php-db@lists.php.net
> Subject: Re: Password Encryption Issues
>
> What kind of Admin is that, if he/she will trick around with User's
> passwords?
> At least, such a person has to be FIRED and never stay close at servers at
> all.
> Yes, you are right. But there is always more than one way to solve a task.
> I have decided to do so, in order to give users more flexibility.
> What if I want to reset my old password? Is it easier to enter the site and
> to change it or to click forg. pwd, then to wait till the link comes and
> after that to click again and so on....
> If it all happens on a Dial-Up connection with 28.8 K Modem, on pulse line,
> try to imagine what the user is mumbling...!
>
> Plamen Jelezov.
>
> "Cpt John W. Holmes" <holmes072000@charter.net> wrote in message
> news:00da01c305a9$94bde270$a629089b@TBHHCCDR...
> > Just my opinion, but passwords shouldn't be stored in a method that can be
> > decoded. I don't know about you, but I can't remember a different password
> > for every site that I use, so sometimes I repeat them. I don't want you or
> > some rogue admin decoding my password and trying it at various sites.
> >
> > Just implement a method to reset the password and leave it be. Don't send
> > the password over email, either. Send a link with a code that expires in
> > say 30 minutes or so that will enable the user to reset the password or
> > use a pass phrase/question or something...
> >
> > ---John Holmes...
> >
> > ----- Original Message -----
> > From: "Plamen Jelezov" <pj@bmtc-bg.com>
> > To: <php-db@lists.php.net>
> > Sent: Friday, April 18, 2003 5:15 AM
> > Subject: Re: Password Encryption Issues
> >
> >
> > > Hi,
> > > In my opinion the problem will be solved if you don't use the password()
> > > function at all. Just have in your mind that it is a one-way hash and it
> > > can not decrypt passwords. Try to use the encode() and decode() functions
> > > instead with a salt key of your choice.
> > > Of course if you insist on using the password() function you will have
> > > to make a script to reset the password and to send the new one to the
> > > user's email. Depends on you.
> > >
> > > For example, suppose you have a form field $pwd in your insert or update
> > > pages. Then you need to insert its value into a DB (here I presume
> > > MySQL). So you have the job done like this:
> > >
> > > $select = "..MySQL specific words .... encode($pwd, '.g') ";
> > > $query = .....
> > > so on
> > >
> > > where '.g' is the salt key and the password from 'test' will look like
> > > 'ddIIjdmnm9' in the DB.
> > >
> > > Suppose you have to take it back and return it into human readable
> > > characters in order to give the User a chance to change it. So you write
> > > the following:
> > >
> > > $select = "..MySQL specific words .... decode(pwd_field_Name, '.g') ";
> > > $select .= "where User_ID = 'whatsoever'";
> > > $query = .....
> > > so on
> > >
> > > where '.g' is the same salt key and 'pwd_field_Name' is that column that
> > > contains your encoded passwords.
> > >
> > > That's it.
> > > Hope this helps.
> > > pj
> > >
> > > Erwin Kerk wrote:
> > > > Probably the password() function relies on some server-specific
> > > > data....
> > > >
> > > > Erwin Kerk
> > > > Web Developer
> > > >
> > > > Lindsey Gregory wrote:
> > > >
> > > >> Hello all,
> > > >>
> > > >> This is kinda hard to explain, but I am having a problem with pass
> > > >> encryption/decryption stuff. I had a section of my website protected
> > > >> by a cookie-based log in that authenticates from a database (mySQL)
> > > >> of user/pass combinations... anyway, I am moving that website from
> > > >> one server to another... The username and password are exactly the
> > > >> same in the new DB as it was in the old one... and of course, I have
> > > >> them encrypted... but it won't authenticate because the sql query is
> > > >> spitting out a different encrypted pass from the login form so when I
> > > >> do the following query:
> > > >> SELECT id FROM table WHERE ((username = '$username') AND (password =
> > > >> PASSWORD('$password'))
> > > >> the encrypted password there is different than the encrypted pass in
> > > >> the DB.
> > > >> Any help with this would be appreciated! thanks!
> > > >> -lindsey
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
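As an added example that is not from any message in this thread, here is the reset-link flow John Holmes describes (a one-way password hash in storage, plus a random reset code that expires after 30 minutes and works only once) written in modern PHP. The in-memory arrays stand in for the MySQL tables, the URL host is a placeholder, and the mail step is replaced by returning the link.

```php
<?php
// Added example, not code from the thread. Arrays stand in for the users and
// password_reset tables; the link is returned instead of being e-mailed.
declare(strict_types=1);

const RESET_TTL_SECONDS = 30 * 60;   // the "30 minutes or so" from the thread

$users  = [];   // email => ['hash' => one-way password hash]
$resets = [];   // sha256(code) => ['email' => ..., 'expires' => unix time]

function registerUser(array &$users, string $email, string $password): void {
    // One-way hash: neither the site nor a rogue admin can recover the password.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function verifyLogin(array $users, string $email, string $password): bool {
    return isset($users[$email]) && password_verify($password, $users[$email]['hash']);
}

function issueResetLink(array &$resets, string $email, int $now): string {
    $code = bin2hex(random_bytes(32));                 // 256 unguessable bits
    // Store only the hash of the code: a leaked table does not yield usable links.
    $resets[hash('sha256', $code)] = ['email' => $email, 'expires' => $now + RESET_TTL_SECONDS];
    return 'https://example.test/reset.php?code=' . $code;   // placeholder host
}

function completeReset(array &$users, array &$resets, string $code, string $newPassword, int $now): bool {
    $key = hash('sha256', $code);
    if (!isset($resets[$key])) {
        return false;                                  // unknown or already used
    }
    $entry = $resets[$key];
    unset($resets[$key]);                              // single use, even when it fails below
    if ($now > $entry['expires'] || !isset($users[$entry['email']])) {
        return false;                                  // expired, or account no longer exists
    }
    $users[$entry['email']]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Demo against the in-memory tables; the expired case is simulated by issuing
// the link with a timestamp older than the TTL.
registerUser($users, 'user@example.test', 'test');
$link = issueResetLink($resets, 'user@example.test', time());
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);   // recover ?code= as the browser would send it
echo completeReset($users, $resets, $q['code'], 'new-pass', time()) ? "reset ok\n" : "reset refused\n";
echo verifyLogin($users, 'user@example.test', 'new-pass') ? "login ok\n" : "login failed\n";
echo completeReset($users, $resets, $q['code'], 'again', time()) ? "reset ok\n" : "replay refused\n";
$stale = issueResetLink($resets, 'user@example.test', time() - RESET_TTL_SECONDS - 1);
parse_str((string) parse_url($stale, PHP_URL_QUERY), $q);
echo completeReset($users, $resets, $q['code'], 'late', time()) ? "reset ok\n" : "expired refused\n";
```

Sending the link rather than the password, and storing only the hash of the code, is what keeps a mailbox or database compromise from turning into an account takeover.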