Hi there!

Besides the ideological discussions, I would suggest not saving the password via the MySQL PASSWORD() function. I suggest resetting your password table and saving all the new passwords with the MD5() function (which is also available in MySQL). MD5 is a very powerful standardized one-way encryption (a hashing algorithm). I have also found a JavaScript on the net which can encrypt the password locally before it is sent to the server; if you're interested I'll send it.

Hope this helps?
.ma

pj <pj@bmtc-bg.com> wrote on 21.04.2003 at 13:24:

> Hi guys,
>
> Sorry for repeating myself, but as I said "Yes, you are right"!
> I use the method I proposed, because the users' data on the servers I
> administer is as secure as in a vault. I don't need to know what they
> write in their profiles. It's their place to store data, so it's private
> property! If others speculate with users' data, is it my fault I don't?
> And one more thing: all transactions between client and server are
> transferred through SSL. We've tried to hack a session with sniffers, and
> they just got nothing. So I think it's secure enough. The only problem I
> see is if a user writes down his pwd on a piece of paper in order not to
> forget it! :)
>
> pj.
>
> "Gavin Nouwens" <gnouwens@zip.com.au> wrote in message
> news:001001c307f6$c47d4880$0b00a8c0@heck...
>
> > For what it's worth I completely agree with John.
> >
> > Virtually every website I visit on a regular basis has a login/passwd
> > criteria, so I also end up re-using a lot of my passwds.
> >
> > I'd feel a lot more secure knowing that some rogue sysadmin isn't able
> > to just dig it out of their system and start trying it on other
> > websites!
> >
> > -gavin.
> >
> > > -----Original Message-----
> > > From: John W. Holmes [mailto:holmes072000@charter.net]
> > > Sent: Monday, 21 April 2003 9:08 PM
> > > To: 'pj'; php-db@lists.php.net
> > > Subject: RE: Password Encryption Issues
> > >
> > > Hey, to each his own. Use the method you think is the most secure.
> > > There's always a trade-off between security and convenience.
> > >
> > > ---John W. Holmes...
> > >
> > > PHP Architect - A monthly magazine for PHP Professionals. Get your
> > > copy today. http://www.phparch.com/
> > >
> > > > -----Original Message-----
> > > > From: pj [mailto:pj@bmtc-bg.com]
> > > > Sent: Monday, April 21, 2003 7:01 AM
> > > > To: php-db@lists.php.net
> > > > Subject: Re: Password Encryption Issues
> > > >
> > > > What kind of admin is that, if he/she will trick around with users'
> > > > passwords? At least, such a person has to be FIRED and never stay
> > > > close to servers at all.
> > > > Yes, you are right. But there is always more than one way to solve a
> > > > task. I have decided to do so in order to give users more
> > > > flexibility. What if I want to reset my old password? Is it easier
> > > > to enter the site and change it, or to click "forgot pwd", then wait
> > > > till the link comes, and after that click again and so on....
> > > > If it all happens on a dial-up connection with a 28.8K modem on a
> > > > pulse line, try to imagine what the user is mumbling...!
> > > >
> > > > Plamen Jelezov.
> > > >
> > > > "Cpt John W. Holmes" <holmes072000@charter.net> wrote in message
> > > > news:00da01c305a9$94bde270$a629089b@TBHHCCDR...
> > > >
> > > > > Just my opinion, but passwords shouldn't be stored in a method
> > > > > that can be decoded. I don't know about you, but I can't remember
> > > > > a different password for every site that I use, so sometimes I
> > > > > repeat them. I don't want you or some rogue admin decoding my
> > > > > password and trying it at various sites.
> > > > >
> > > > > Just implement a method to reset the password and leave it be.
> > > > > Don't send the password over email, either. Send a link with a
> > > > > code that expires in, say, 30 minutes or so that will enable the
> > > > > user to reset the password, or use a pass phrase/question or
> > > > > something...
> > > > >
> > > > > ---John Holmes...
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Plamen Jelezov" <pj@bmtc-bg.com>
> > > > > To: <php-db@lists.php.net>
> > > > > Sent: Friday, April 18, 2003 5:15 AM
> > > > > Subject: Re: Password Encryption Issues
> > > > >
> > > > > > Hi,
> > > > > > In my opinion the problem will be solved if you don't use the
> > > > > > password() function at all. Just keep in mind that it is a
> > > > > > one-way hash and it cannot decrypt passwords. Try to use the
> > > > > > encode() and decode() functions instead, with a salt key of
> > > > > > your choice.
> > > > > > Of course, if you insist on using the password() function you
> > > > > > will have to make a script to reset the password and to send
> > > > > > the new one to the user's email. Depends on you.
> > > > > >
> > > > > > For example, suppose you have a form field $pwd in your insert
> > > > > > or update pages. Then you need to insert its value into a DB
> > > > > > (here I presume MySQL). So you have the job done like this:
> > > > > >
> > > > > > $select = "..MySQL specific words .... encode($pwd, '.g') ";
> > > > > > $query = ..... so on
> > > > > >
> > > > > > where '.g' is the salt key, and the password 'test' will look
> > > > > > like 'ddIIjdmnm9' in the DB.
> > > > > >
> > > > > > Suppose you have to take it back and return it to human-readable
> > > > > > characters in order to give the user a chance to change it. So
> > > > > > you write the following:
> > > > > >
> > > > > > $select = "..MySQL specific words .... decode(pwd_field_Name, '.g') ";
> > > > > > $select .= "where User_ID = 'whatsoever'";
> > > > > > $query = ..... so on
> > > > > >
> > > > > > where '.g' is the same salt key and 'pwd_field_Name' is the
> > > > > > column that contains your encoded passwords.
> > > > > >
> > > > > > That's it.
> > > > > > Hope this helps.
> > > > > > pj
> > > > > >
> > > > > > Erwin Kerk wrote:
> > > > > >
> > > > > > > Probably the password() function relies on some
> > > > > > > server-specific data....
> > > > > > >
> > > > > > > Erwin Kerk
> > > > > > > Web Developer
> > > > > > >
> > > > > > > Lindsey Gregory wrote:
> > > > > > >
> > > > > > > > Hello all,
> > > > > > > >
> > > > > > > > This is kinda hard to explain, but I am having a problem
> > > > > > > > with password encryption/decryption stuff. I had a section
> > > > > > > > of my website protected by a cookie-based login that
> > > > > > > > authenticates from a database (MySQL) of user/pass
> > > > > > > > combinations... anyway, I am moving that website from one
> > > > > > > > server to another... The username and password are exactly
> > > > > > > > the same in the new DB as they were in the old one... and
> > > > > > > > of course, I have them encrypted... but it won't
> > > > > > > > authenticate because the SQL query is spitting out a
> > > > > > > > different encrypted pass from the login form, so when I do
> > > > > > > > the following query:
> > > > > > > >
> > > > > > > > SELECT id FROM table WHERE ((username = '$username') AND (password = PASSWORD('$password'))
> > > > > > > >
> > > > > > > > the encrypted password there is different from the
> > > > > > > > encrypted pass in the DB.
> > > > > > > > Any help with this would be appreciated! Thanks!
> > > > > > > > -lindsey

Matthias Steinböck
Email: grillen@abendstille.at
Web: http://www.abendstille.at
Early-evening web design.
------------------------------------------
Incidentally, we are of the opinion that, if it comes to it, we will also cut your toenails, because the customer is king.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
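Added example, not code from any post in this thread: the two things the thread argues over, written out so they can be run. First, a one-way password hash computed in the application rather than by a MySQL function, because Lindsey's breakage is what happens when the stored hash depends on the database server (MySQL documents PASSWORD() as reserved for its own account authentication, and the ENCODE()/DECODE() alternative with a fixed key in the PHP source lets anyone with the table and the source recover every password, which is exactly the rogue-admin case John describes). Second, John's reset flow: no password goes out by e-mail, only a link carrying a code that expires after about 30 minutes. The hash is salted PBKDF2-SHA256, a swapped-in technique rather than the MD5() recommended above; UserStore, the dict standing in for the users table, the iteration count, RESET_TTL_SECONDS and the injectable clock argument are all assumptions of this example.

```python
# Added example: application-side password hashing and an expiring,
# single-use reset token. Not code from the thread; UserStore, the dict
# standing in for a MySQL table, and the constants below are assumptions.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to ~100 ms per hash on your hardware
RESET_TTL_SECONDS = 30 * 60   # the "30 minutes or so" suggested in the thread


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-SHA256, stored as a self-describing string. Because the
    algorithm, work factor and salt travel with the hash, the row verifies on
    any server and the work factor can be raised for new passwords later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the parameters embedded in the stored string and
    compare in constant time; anything malformed simply fails."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    try:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), hash_hex)


# Verified against for unknown usernames so a login attempt costs the same
# time whether or not the account exists (no username enumeration by timing).
DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class UserRecord:
    password_hash: str
    reset_token_hash: Optional[str] = None   # only a hash of the token is stored
    reset_expires: float = 0.0


class UserStore:
    """Stands in for the users table; a real deployment would use parameterized SQL."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = UserRecord(hash_password(password))

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            verify_password(password, DUMMY_HASH)
            return False
        return verify_password(password, rec.password_hash)

    def start_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Return the one-time code to embed in the e-mailed link (never the password).
        A reader of the table sees only its SHA-256, so a dump yields no usable links."""
        rec = self.users.get(username)
        if rec is None:
            return None
        token = secrets.token_urlsafe(32)
        rec.reset_token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        rec.reset_expires = (time.time() if now is None else now) + RESET_TTL_SECONDS
        return token

    def finish_reset(self, username: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        rec = self.users.get(username)
        if rec is None or rec.reset_token_hash is None:
            return False
        if (time.time() if now is None else now) > rec.reset_expires:
            rec.reset_token_hash = None          # expired: discard so it can never be used
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(presented, rec.reset_token_hash):
            return False
        rec.password_hash = hash_password(new_password)
        rec.reset_token_hash = None              # single use
        rec.reset_expires = 0.0
        return True
```

Two design points worth noting when porting this to PHP and MySQL: the stored string is the only thing the login path needs, so moving the table between servers (Lindsey's case) cannot change the result; and the reset code is kept hashed and is discarded on use or on expiry, so the "dig it out of their system" attack Gavin worries about yields neither passwords nor live reset links. Interpolating `$username` into the query text as in Lindsey's SELECT is a separate problem; bind the values as parameters instead.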