For what it's worth I completely agree with John. Virtually every website I visit on a regular basis has a login/passwd criteria so I also end up re-using a lot of my passwds. I'd feel a lot more secure knowing that some rogue sys admin isn't able to just dig it out of their system and start trying it on other websites!

-gavin.

-----Original Message-----
From: John W. Holmes [mailto:holmes072000@charter.net]
Sent: Monday, 21 April 2003 9:08 PM
To: 'pj'; php-db@lists.php.net
Subject: RE: Password Encryption Issues

Hey, to each his own. Use the method you think is the most secure. There's always a trade off between security and convenience.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/

> -----Original Message-----
> From: pj [mailto:pj@bmtc-bg.com]
> Sent: Monday, April 21, 2003 7:01 AM
> To: php-db@lists.php.net
> Subject: Re: Password Encryption Issues
>
> What kind of Admin is that, if he/she will trick around with User's passwords? At least, such a person has to be FIRED and never stay close at servers at all.
> Yes, you are right. But there is always more than one way to solve a task.
> I have decided to do so, in order to give users more flexibility. What if I want to reset my old password? Is it easier to enter the site and to change it or to click forg. pwd, then to wait till the link comes and after that to click again and so on....
> If it all happens on a Dial-Up connection with a 28.8 K Modem, on a pulse line, try to imagine what the user is mumbling...!
>
> Plamen Jelezov.
>
> "Cpt John W. Holmes" <holmes072000@charter.net> wrote in message news:00da01c305a9$94bde270$a629089b@TBHHCCDR...
> > Just my opinion, but passwords shouldn't be stored in a method that can be decoded. I don't know about you, but I can't remember a different password for every site that I use, so sometimes I repeat them. I don't want you or some rogue admin decoding my password and trying it at various sites.
> >
> > Just implement a method to reset the password and leave it be. Don't send the password over email, either. Send a link with a code that expires in say 30 minutes or so that will enable the user to reset the password or use a pass phrase/question or something...
> >
> > ---John Holmes...
> >
> > ----- Original Message -----
> > From: "Plamen Jelezov" <pj@bmtc-bg.com>
> > To: <php-db@lists.php.net>
> > Sent: Friday, April 18, 2003 5:15 AM
> > Subject: Re: Password Encryption Issues
> >
> > > Hi,
> > > In my opinion the problem will be solved if you don't use the password() function at all. Just bear in mind that it is a one-way hash and it cannot decrypt passwords. Try to use the encode() and decode() functions instead with a salt key of your choice.
> > > Of course if you insist on using the password() function you will have to make a script to reset the password and to send the new one to the user's email. Depends on you.
> > >
> > > For example, suppose you have a form field $pwd in your insert or update pages. Then you need to insert its value into a DB (here I presume MySQL). So you have the job done like this:
> > >
> > > $select = "..MySQL specific words .... encode($pwd, '.g') ";
> > > $query = ..... so on
> > >
> > > where '.g' is the salt key and the password from 'test' will look like 'ddIIjdmnm9' in the DB.
> > >
> > > Suppose you have to take it back and return it into human readable characters in order to give the User a chance to change it. So you write the following:
> > >
> > > $select = "..MySQL specific words .... decode(pwd_field_Name, '.g') ";
> > > $select .= "where User_ID = 'whatsoever'";
> > > $query = ..... so on
> > >
> > > where '.g' is the same salt key and 'pwd_field_Name' is the column that contains your encoded passwords.
> > >
> > > That's it.
> > > Hope this helps.
> > > pj
> > >
> > > Erwin Kerk wrote:
> > > > Probably the password() function relies on some server-specific data....
> > > >
> > > > Erwin Kerk
> > > > Web Developer
> > > >
> > > > Lindsey Gregory wrote:
> > > >
> > > >> Hello all,
> > > >>
> > > >> This is kinda hard to explain, but I am having a problem with pass encryption/decryption stuff. I had a section of my website protected by a cookie-based log in that authenticates from a database (mySQL) of user/pass combinations... anyway, I am moving that website from one server to another... The username and password are exactly the same in the new DB as it was in the old one... and of course, I have them encrypted... but it won't authenticate because the sql query is spitting out a different encrypted pass from the login form so when I do the following query:
> > > >>
> > > >> SELECT id FROM table WHERE ((username = '$username') AND (password = PASSWORD('$password')))
> > > >>
> > > >> the encrypted password there is different than the encrypted pass in the DB.
> > > >> Any help with this would be appreciated! thanks!
> > > >> -lindsey
> > >
> > > --
> > > PHP Database Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
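To make John's recommendation concrete, here is an added PHP example; it is not code from any poster in this thread. It shows the alternative to pj's reversible encode()/decode() scheme: the password is stored only as a salted, one-way hash computed in PHP (password_hash()/password_verify(), so the stored value also does not depend on the database server's own PASSWORD() implementation, which is what bit Lindsey), and "forgot password" is handled with a random, single-use reset token that expires after 30 minutes and is itself stored only as a hash. It assumes PHP 7.4 or later; the $users and $resetTokens arrays stand in for hypothetical users and password_resets tables, and the column names and the reset URL are likewise assumptions.

```php
<?php
// Added example for this thread, not code from any of the posters.
// $users and $resetTokens stand in for hypothetical DB tables; in MySQL the
// 'hash' value fits a VARCHAR(255) column and the token key a CHAR(64) column.

$users = [];        // username => ['hash' => string]
$resetTokens = [];  // sha256(token) => ['user' => string, 'expires' => int]

function createUser(array &$users, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds it in the returned
    // string; there is nothing an admin can "decode" from the stored value.
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function dummyHash(): string
{
    // A throwaway hash so that logins for unknown users cost the same time
    // as logins for known users (avoids a user-enumeration timing side channel).
    static $h = null;
    if ($h === null) {
        $h = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $h;
}

function login(array $users, string $username, string $password): bool
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['hash'] : dummyHash();
    // password_verify() re-derives the hash with the embedded salt and
    // compares in constant time.
    return password_verify($password, $hash) && $known;
}

function issueResetToken(array &$resetTokens, string $username, int $ttlSeconds = 1800): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG; only the user receives this
    // Store a hash of the token, not the token: a database read (or a rogue
    // admin) then cannot reuse the stored value to take over the account.
    $resetTokens[hash('sha256', $token)] = [
        'user'    => $username,
        'expires' => time() + $ttlSeconds,   // 30 minutes by default, as John suggests
    ];
    return $token;
}

function redeemResetToken(array &$resetTokens, array &$users, string $token, string $newPassword): bool
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key])) {
        return false;                        // unknown or already-used token
    }
    $entry = $resetTokens[$key];
    unset($resetTokens[$key]);               // single use, whether or not it has expired
    if (time() > $entry['expires'] || !isset($users[$entry['user']])) {
        return false;
    }
    $users[$entry['user']]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Walk through the flow with constructed sample data.
createUser($users, 'lindsey', 'correct horse battery staple');
echo login($users, 'lindsey', 'correct horse battery staple') ? "login ok\n" : "login failed\n";
echo login($users, 'lindsey', 'guess') ? "login ok\n" : "login failed\n";

$token = issueResetToken($resetTokens, 'lindsey');
// Mail the user a link such as https://example.com/reset?token=$token (hypothetical URL);
// the password itself is never sent.
echo redeemResetToken($resetTokens, $users, $token, 'new passphrase') ? "reset ok\n" : "reset rejected\n";
echo redeemResetToken($resetTokens, $users, $token, 'replay') ? "reset ok\n" : "reset rejected\n";
echo login($users, 'lindsey', 'new passphrase') ? "login ok\n" : "login failed\n";
```

Two design points worth noting. The reset path never needs the old password in clear text, which is the only reason pj gives for keeping passwords decodable; the user simply sets a new one. And the token is deleted before its expiry is checked, so a late or replayed link is dead either way, whereas pj's decode() leaves a value that stays valid forever for anyone who learns the salt key.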