As an addition to this, I would suggest that you 'SALT' the value before
hashing it. There are already tables out there that contain reverse
look-ups of common hash values (like names, states, dictionary words). A
SALT is a random set of characters (use the same one for each value to be
MD5'd or you'll never be able to match it back) that alters the hash value
of the base password the users provide. You can prepend and append the hash
values to the value to be MD5'd to make it more secure.
Bastien
From: Micah Stevens <micah@xxxxxxxxxxxxxxxxxx>
To: php-db@xxxxxxxxxxxxx
Subject: Re: Encrypting DB content
Date: Fri, 30 Dec 2005 22:12:38 -0800
You can store an MD5, or SHA hash of the password, and then compare... This
is not an encrypted version of the password, rather a calculated hash of it.
You can't (well, not without a bit of effort) decrypt this back into the
password.
The idea is when you store the password, you create the hash. Store the
hash in the database. When the user logs in, take their password entry,
generate a hash in the same way, and compare the two values.
SHA2 is the most secure method to use of these two, I'd use that.
The advantage is, the hash could be freely accessible to anyone, and it
doesn't cause a security issue, whereas all a hacker needs is the key to an
encrypted database of passwords to reveal them all.
That's the route I take anyhow... This will likely start a huge conversation
about how to secure your system up super tight, but remember the most
secure server is one that isn't turned on. :) A realistic solution is
somewhere in-between this and no security at all.
-Micah
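Putting Micah's store-then-compare flow and Bastien's salting suggestion together in PHP, as an added example that is not code from anyone in this thread. The function names, the constructed lookup table and the sample passwords are my own. Two choices differ from the posts and are deliberate: the salt is generated fresh for every user and stored next to the hash in the same row (so there is no single shared salt to keep in sync, and the salt itself need not be secret), and the comparison uses hash_equals() so it runs in constant time. The last lines show PHP's built-in password_hash()/password_verify() (PHP 5.5+), which handle salt generation, a slow hash and the comparison, and are what to use on a current PHP install.

```php
<?php
// Added example: salted password storage and verification for a PHP/MySQL
// login. Not from the original thread; the lookup table, passwords and
// user record below are constructed for the demo. Requires PHP 7+
// (random_bytes, hash_equals, ?? operator).

// A "reverse lookup" table of the kind Bastien describes: precomputed
// hashes of common passwords. Constructed here; real ones are much larger.
function buildLookupTable(array $commonPasswords): array {
    $table = [];
    foreach ($commonPasswords as $pw) {
        $table[md5($pw)] = $pw;   // unsalted MD5 -> plaintext
    }
    return $table;
}

function makeSalt(): string {
    // 16 random bytes, hex-encoded, generated fresh for every user.
    return bin2hex(random_bytes(16));
}

function saltedHash(string $password, string $salt): string {
    // The salt is mixed into the input, so the same password hashes
    // differently for every user and a precomputed table does not apply.
    return hash('sha256', $salt . $password);
}

// Suggested users table (the salt is not secret; it only has to be
// unique per user):
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY,
//                       salt CHAR(32) NOT NULL, pwhash CHAR(64) NOT NULL);

// Registration: returns the salt and hash columns to INSERT for the user.
function createRecord(string $password): array {
    $salt = makeSalt();
    return ['salt' => $salt, 'hash' => saltedHash($password, $salt)];
}

// Login: SELECT salt, pwhash for the username, recompute with the stored
// salt, and compare in constant time.
function verifyPassword(string $attempt, array $record): bool {
    $candidate = saltedHash($attempt, $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

// --- demo with constructed data ---
$common = ['password', '123456', 'letmein', 'Chris'];
$table  = buildLookupTable($common);

$stored = md5('letmein');                 // unsalted, as the thread discusses
echo "Unsalted MD5 recovered: ", $table[$stored] ?? '(not found)', "\n";

$record = createRecord('letmein');        // salted, per-user
echo "Salted hash recovered:  ", $table[$record['hash']] ?? '(not found)', "\n";

var_dump(verifyPassword('letmein', $record));
var_dump(verifyPassword('letmeout', $record));

// Modern PHP bundles salt generation, a slow hash (bcrypt by default) and
// the constant-time comparison; store the returned string in one column.
$phc = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $phc));
```

The first echo finds "letmein" in the table, the second does not, and the two verifyPassword() calls return true and false respectively. SHA-256 with a salt defeats lookup tables but is still fast to brute-force; that is why password_hash() uses a deliberately slow algorithm.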
On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> Hi there everyone,
>
> I am about to launch the website for my complex where the homeowners can
> log in and check their billing status etc... what is the best way, with PHP
> and MySQL, to store an ENCRYPTED password into the database so that if
> someone got into the DB they couldn't read the password but if they enter
> it into the form on the site it still works?
>
> I'm not sure on the best way to do this and any help would be really
> appreciated.
>
> Happy New Year everyone.
>
> Chris
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php