Yes, great suggestion. This is the way the UNIX passwd function works, and you'll notice no one has hacked that recently as opposed to the Windows password function. hehe..

-Micah

On Saturday 31 December 2005 8:39 am, Bastien Koert wrote:
> As an addition to this, I would suggest that you 'SALT' the value before
> hashing it. There are already tables out there that contain reverse
> look-ups of common hash values (like names, states, dictionary words). A
> SALT is a random set of characters (use the same one for each value to be
> MD5'd or you'll never be able to match it back) that alters the hash value
> of the base password the users provide. You can prepend and append the hash
> values to the value to be MD5'd to make it more secure.
>
> Bastien
>
> >From: Micah Stevens <micah@xxxxxxxxxxxxxxxxxx>
> >To: php-db@xxxxxxxxxxxxx
> >Subject: Re: Encrypting DB content
> >Date: Fri, 30 Dec 2005 22:12:38 -0800
> >
> >You can store an MD5, or SHA hash of the password, and then compare.. This is
> >not an encrypted version of the password, rather a calculated hash of it. You
> >can't (well, not without a bit of effort) decrypt this back into the password.
> >
> >The idea is when you store the password, you create the hash. Store the hash
> >in the database. When the user logs in, take their password entry, generate a
> >hash in the same way, and compare the two values.
> >
> >SHA2 is the most secure method to use of these two, I'd use that.
> >
> >The advantage is, the hash could be freely accessible to anyone, and it
> >doesn't cause a security issue, whereas all a hacker needs is the key to an
> >encrypted database of passwords to reveal them all.
> >
> >That's the route I take anyhow.. This will likely start a huge conversation
> >about how to secure your system up super tight, but remember the most secure
> >server is one that isn't turned on. :) A realistic solution is somewhere
> >in-between this and no security at all.
> >
> >-Micah
> >
> >On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > > Hi there everyone,
> > >
> > > I am about to launch the website for my complex where the homeowners
> > > can log in and check their billing status etc .. what is the best way, with
> > > PHP and MySQL, to store an ENCRYPTED password into the database so that if
> > > someone got into the DB they couldn't read the password but if they enter
> > > it into the form on the site it still works?
> > >
> > > I'm not sure on the best way to do this and any help would be really
> > > appreciated.
> > >
> > > Happy New Year everyone.
> > >
> > > Chris

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
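The scheme the replies above describe (hash the password with a salt at registration, store only salt and hash, re-hash the login attempt the same way and compare), written out as an added PHP example that is not code from anyone in this thread. It assumes a hypothetical `users` table with `username`, `salt` and `password_hash` columns and uses an in-memory array in place of MySQL so it runs stand-alone. Two points the thread leaves implicit: the salt can be random per user because it is stored next to the hash, which is how the hash is "matched back" at login without a shared secret salt; and a single fast MD5/SHA round is still cheap to brute-force once the table leaks, which is why the second half switches to PHP's built-in `password_hash()`/`password_verify()` (bcrypt by default, with the salt embedded in the stored string).

```php
<?php
// Added example (not from the thread): storing and checking salted password
// hashes in PHP. The assumed (hypothetical) MySQL schema would be:
//
//   CREATE TABLE users (
//     username      VARCHAR(64) PRIMARY KEY,
//     salt          CHAR(32)    NOT NULL,   -- hex of 16 random bytes
//     password_hash CHAR(64)    NOT NULL    -- hex SHA-256
//   );
//
// Only the salt and the hash are stored; the password itself never is.
// An in-memory array stands in for the table so this runs without MySQL.

declare(strict_types=1);

/** A fresh random salt for each user, from the CSPRNG, stored next to the hash. */
function make_salt(): string
{
    return bin2hex(random_bytes(16)); // 32 hex characters
}

/** SHA-256 over salt + password, the salted-hash idea from the thread (hex output). */
function salted_hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

/** Registration: derive salt + hash and "INSERT" them. */
function store_user(array &$users, string $username, string $password): void
{
    $salt = make_salt();
    $users[$username] = [
        'salt'          => $salt,
        'password_hash' => salted_hash($salt, $password),
    ];
    // With PDO this would be:
    // INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)
}

/** Login: re-hash the submitted password with the stored salt and compare. */
function check_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown user takes about as long as a bad password.
        salted_hash('00000000000000000000000000000000', $password);
        return false;
    }
    $row      = $users[$username];
    $expected = $row['password_hash'];
    $actual   = salted_hash($row['salt'], $password);
    // hash_equals() compares in constant time; == would leak timing information.
    return hash_equals($expected, $actual);
}

// --- The same thing with PHP's built-in password API (PHP >= 5.5) -----------
// password_hash() generates the salt itself and uses a deliberately slow
// algorithm (bcrypt for PASSWORD_DEFAULT), so lookup tables and brute force are
// both far more expensive than with one fast SHA-256. The returned string
// carries algorithm, cost and salt, so no separate salt column is needed
// (a VARCHAR(255) password_hash column is enough).

function store_user_modern(array &$users, string $username, string $password): void
{
    $users[$username] = ['password_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function check_login_modern(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['password_hash']);
}

// --- Demo with constructed users ---------------------------------------------
$users = [];
store_user($users, 'alice', 'correct horse battery staple');
store_user($users, 'bob',   'correct horse battery staple');

// Same password, different salt: the two stored hashes differ, so one
// precomputed table cannot crack both at once.
var_dump($users['alice']['password_hash'] !== $users['bob']['password_hash']);
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));
var_dump(check_login($users, 'mallory', 'anything'));

store_user_modern($users, 'carol', 'hunter2');
var_dump(check_login_modern($users, 'carol', 'hunter2'));
var_dump(check_login_modern($users, 'carol', 'hunter3'));
```

Run it with `php example.php`. In a real application the two `store_*` functions would execute the INSERT through a prepared statement and the `check_*` functions a `SELECT ... WHERE username = ?`; keeping the lookup and the comparison in PHP (rather than `WHERE password_hash = SHA2(...)` in SQL) is what lets `hash_equals()` and the slow bcrypt verification do their job.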