Hi guys,

Sorry for repeating myself, but as I said "Yes, you are right"! I use the method I supposed, because the users' data on the servers I administer is as secure as in a vault. I don't need to know what they write in their profiles. It's their place to store data, so it's private property! If others speculate with users' data, is it my fault I don't? And one more thing, all transactions between client and the server are transferred through SSL. We've tried to hack a session with sniffers, and they just got nothing. So I think it's secure enough. The only problem I see is if a user writes down his pwd on a piece of paper in order not to forget it! :)

pj.

"Gavin Nouwens" <gnouwens@zip.com.au> wrote in message news:001001c307f6$c47d4880$0b00a8c0@heck...
> For what it's worth I completely agree with John.
>
> Virtually every website I visit on a regular basis has a login/passwd
> criteria so I also end up re-using a lot of my passwds.
>
> I'd feel a lot more secure knowing that some rogue sys admin isn't able
> to just dig it out of their system and start trying it on other
> websites!
>
> -gavin.
>
> | -----Original Message-----
> | From: John W. Holmes [mailto:holmes072000@charter.net]
> | Sent: Monday, 21 April 2003 9:08 PM
> | To: 'pj'; php-db@lists.php.net
> | Subject: RE: Password Encryption Issues
> |
> | Hey, to each his own. Use the method you think is the most
> | secure. There's always a trade off between security and convenience.
> |
> | ---John W. Holmes...
> |
> | PHP Architect - A monthly magazine for PHP Professionals. Get
> | your copy today. http://www.phparch.com/
> |
> | > -----Original Message-----
> | > From: pj [mailto:pj@bmtc-bg.com]
> | > Sent: Monday, April 21, 2003 7:01 AM
> | > To: php-db@lists.php.net
> | > Subject: Re: Password Encryption Issues
> | >
> | > What kind of Admin is that, if he/she will trick around with users'
> | > passwords? At least, such a person has to be FIRED and never stay close
> | > to servers at all.
> | > Yes, you are right. But there is always more than one way to solve a
> | > task. I have decided to do so, in order to give users more flexibility.
> | > What if I want to reset my old password? Is it easier to enter the site
> | > and to change it or to click forg. pwd, then to wait till the link comes
> | > and after that to click again and so on....
> | > If it all happens on a Dial-Up connection with a 28.8 K Modem, on a pulse
> | > line, try to imagine what the user is mumbling...!
> | >
> | > Plamen Jelezov.
> | >
> | > "Cpt John W. Holmes" <holmes072000@charter.net> wrote in message
> | > news:00da01c305a9$94bde270$a629089b@TBHHCCDR...
> | > > Just my opinion, but passwords shouldn't be stored in a method that
> | > > can be decoded. I don't know about you, but I can't remember a
> | > > different password for every site that I use, so sometimes I repeat
> | > > them. I don't want you or some rogue admin decoding my password and
> | > > trying it at various sites.
> | > >
> | > > Just implement a method to reset the password and leave it be. Don't
> | > > send the password over email, either. Send a link with a code that
> | > > expires in say 30 minutes or so that will enable the user to reset the
> | > > password or use a pass phrase/question or something...
> | > >
> | > > ---John Holmes...
> | > >
> | > > ----- Original Message -----
> | > > From: "Plamen Jelezov" <pj@bmtc-bg.com>
> | > > To: <php-db@lists.php.net>
> | > > Sent: Friday, April 18, 2003 5:15 AM
> | > > Subject: Re: Password Encryption Issues
> | > >
> | > > > Hi,
> | > > > In my opinion the problem will be solved if you don't use the
> | > > > password() function at all. Just keep in mind that it is a one-way
> | > > > hash and it can not decrypt passwords. Try to use the encode() and
> | > > > decode() functions instead with a salt key of your choice.
> | > > > Of course if you insist on using the password() function you will
> | > > > have to make a script to reset the password and to send the new one
> | > > > to the user's email. Depends on you.
> | > > >
> | > > > For example, suppose you have a form field $pwd in your insert or
> | > > > update pages. Then you need to insert its value into a DB (here I
> | > > > presume MySQL). So you have the job done like this:
> | > > >
> | > > > $select = "..MySQL specific words .... encode($pwd, '.g') ";
> | > > > $query = ..... so on
> | > > >
> | > > > where '.g' is the salt key and the password from 'test' will look
> | > > > like 'ddIIjdmnm9' in the DB.
> | > > >
> | > > > Suppose you have to take it back and return it into human readable
> | > > > characters in order to give the user a chance to change it. So you
> | > > > write the following:
> | > > >
> | > > > $select = "..MySQL specific words .... decode(pwd_field_Name, '.g') ";
> | > > > $select .= "where User_ID = 'whatsoever'";
> | > > > $query = ..... so on
> | > > >
> | > > > where '.g' is the same salt key and 'pwd_field_Name' is the column
> | > > > that contains your encoded passwords.
> | > > >
> | > > > That's it.
> | > > > Hope this helps.
> | > > > pj
> | > > >
> | > > > Erwin Kerk wrote:
> | > > > > Probably the password() function relies on some server-specific
> | > > > > data....
> | > > > >
> | > > > > Erwin Kerk
> | > > > > Web Developer
> | > > > >
> | > > > > Lindsey Gregory wrote:
> | > > > >
> | > > > >> Hello all,
> | > > > >>
> | > > > >> This is kinda hard to explain, but I am having a problem with
> | > > > >> pass encryption/decryption stuff. I had a section of my website
> | > > > >> protected by a cookie-based log in that authenticates from a
> | > > > >> database (mySQL) of user/pass combinations... anyway, I am moving
> | > > > >> that website from one server to another... The username and
> | > > > >> password are exactly the same in the new DB as it was in the old
> | > > > >> one... and of course, I have them encrypted... but it won't
> | > > > >> authenticate because the sql query is spitting out a different
> | > > > >> encrypted pass from the login form so when I do the following
> | > > > >> query:
> | > > > >> SELECT id FROM table WHERE ((username = '$username') AND
> | > > > >> (password = PASSWORD('$password'))
> | > > > >> the encrypted password there is different than the encrypted pass
> | > > > >> in the DB.
> | > > > >> Any help with this would be appreciated! thanks! -lindsey
> | > > >
> | > > > --
> | > > > PHP Database Mailing List (http://www.php.net/)
> | > > > To unsubscribe, visit: http://www.php.net/unsub.php
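The thread argues over two designs: a reversible ENCODE()/DECODE() column, which lets anyone holding the database and the key read every user's password, versus a one-way hash plus a reset link "with a code that expires in say 30 minutes", as John Holmes suggests. The following is an added example, not code from any of the posters, showing the second design in PHP. It assumes PHP 5.5 or later for password_hash()/password_verify(), stands in for the MySQL tables with two in-memory arrays ($users and $resetTokens, a hypothetical layout), and returns the reset link instead of mailing it; the URL is a placeholder.

```php
<?php
// Added example: one-way password storage plus an expiring, single-use reset token.
// $users and $resetTokens are in-memory stand-ins for the database tables.
declare(strict_types=1);

const RESET_TTL_SECONDS = 30 * 60;   // 30-minute lifetime for a reset link, as suggested in the thread

$users       = [];   // username => ['pw_hash' => string]
$resetTokens = [];   // sha256(token) hex => ['user' => string, 'expires' => int]

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and uses a slow algorithm (bcrypt by default).
    // The stored value cannot be turned back into the password, by an admin or anyone else.
    $users[$username] = ['pw_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function login(array $users, string $username, string $password): bool
{
    // A real hash of a throwaway value, so an unknown username costs the same as a wrong password.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy-to-equalise-timing', PASSWORD_DEFAULT);

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$username]['pw_hash']);
}

function requestReset(array $users, array &$resetTokens, string $username, int $now): ?string
{
    if (!isset($users[$username])) {
        return null;   // the HTTP response should look the same either way to avoid account enumeration
    }
    $token = bin2hex(random_bytes(32));            // 256-bit random code; only the user receives it
    $resetTokens[hash('sha256', $token)] = [       // the database keeps only the hash of the code
        'user'    => $username,
        'expires' => $now + RESET_TTL_SECONDS,
    ];
    return 'https://example.invalid/reset?token=' . $token;   // placeholder link, to be e-mailed
}

function completeReset(array &$users, array &$resetTokens, string $token, string $newPassword, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key])) {
        return false;                  // unknown or already used code
    }
    $entry = $resetTokens[$key];
    unset($resetTokens[$key]);         // single use, whether or not it turns out to be valid
    if ($now > $entry['expires']) {
        return false;                  // link has expired; the user must request a new one
    }
    $users[$entry['user']]['pw_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Walk through registration, login, an expired reset, and a successful single-use reset.
registerUser($users, 'lindsey', 'correct horse battery');
var_dump(login($users, 'lindsey', 'correct horse battery'));
var_dump(login($users, 'lindsey', 'wrong password'));

$now   = time();
$link  = requestReset($users, $resetTokens, 'lindsey', $now);
$token = substr($link, strrpos($link, '=') + 1);
var_dump(completeReset($users, $resetTokens, $token, 'new password', $now + 31 * 60));  // presented after the TTL

$link  = requestReset($users, $resetTokens, 'lindsey', $now);
$token = substr($link, strrpos($link, '=') + 1);
var_dump(completeReset($users, $resetTokens, $token, 'new password', $now + 5 * 60));   // presented within the TTL
var_dump(completeReset($users, $resetTokens, $token, 'another one', $now + 6 * 60));    // same code presented again
var_dump(login($users, 'lindsey', 'new password'));
```

Two points the thread touches on are worth spelling out. MySQL's own documentation describes PASSWORD() as part of the server's account authentication and advises against using it for application passwords, and its output format has changed between server versions (the 4.1 series introduced a new hash format), which is one reason a value stored under one server may not match what another server computes. And because only a hash of the reset code is stored, a copy of the table does not let anyone complete a pending reset; the code itself exists only in the e-mail, and it stops working after thirty minutes or one use.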