I see. Good point. Forgive me for my noob approach. I am creating my first database and I guess I was just thinking of how to get everything to work first, then thought "well, I can't have the passwords be visible".
I would probably have eventually come to the same conclusion, so you all may have saved me a load of unnecessary work. But thank you for the tips on string conversion. Every little bit helps.

Karl

On Dec 22, 2009, at 4:58 PM, lists-php wrote:
correct. if they can't see the encrypted value it's harder to try to decrypt it but ... there's no reason for the encrypted value to be in "public view" in the first place. when a user enters their password you pass that to your back-end where you encrypt it and test it against the one-way hash that's stored in your db. if it matches, fine, if not you reprompt/reject. but throughout, the stored hash never sees the light of day and the hash of what the user enters is only in the back-end.

there's no reason for any version of a password (user-entered string, hash of user-entered string, hash of stored pw) to be on any page that a user can view (rendered or source). that being the case, there's no need to be playing obfuscation games. if you have a "preview page" and you don't want the user to see any version of the pw there, then don't put it there. if you convert it to some form of blanking, then there's nothing for them to preview anyway, so don't waste the effort.

- Rick

------------ Original Message ------------
Date: Tuesday, December 22, 2009 04:40:22 PM -0600
From: Karl DeSaulniers <karl@xxxxxxxxxxxxxxx>
Subject: Re: Displaying Password

Hi Rick,
Yes, you are correct. I do not store a plain text password. The conversion code is so they can't read the encryption either. If you can't read the encrypted text, you can't decrypt it, right?
Thanks for your response.

Karl

On Dec 22, 2009, at 10:54 AM, lists-mysql wrote:

This shouldn't be an issue as you should *never* be storing a user's password in plaintext in the first place. When a password is first set, encrypt it. If a user needs a new password, send a password recovery url to the email address on file (or some other like-minded approach).

- Rick

------------ Original Message ------------
Date: Monday, December 21, 2009 11:12:48 PM -0600
From: Karl DeSaulniers <karl@xxxxxxxxxxxxxxx>
To: php-db@xxxxxxxxxxxxx
Subject: Displaying Password

Never mind. Got it.
    // Characters to mask (lowercase letters and digits only)
    $replaceArray = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
                          'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
                          '1', '2', '3', '4', '5', '6', '7', '8', '9', '0');
    // One bullet per entry above (36 entries), so each matched character becomes '•'
    $replaceWith = array('•', '•', '•', '•', '•', '•', '•', '•', '•', '•', '•', '•', '•',
                         '•', '•', '•', '•', '•', '•', '•', '•', '•', '•', '•', '•', '•',
                         '•', '•', '•', '•', '•', '•', '•', '•', '•', '•');
    $UserPassword = str_replace($replaceArray, $replaceWith, $UserPassword); // hide password

Best,
Karl DeSaulniers
Design Drumm
http://designdrumm.com

------------ End Original Message ------------

Karl DeSaulniers
Design Drumm
http://designdrumm.com

------------ End Original Message ------------
Karl DeSaulniers Design Drumm http://designdrumm.com
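The flow Rick describes (hash on the back-end, compare the user's entry against the stored one-way hash, and keep every form of the password out of any page the user can view), written out as an added PHP example that is not code from this thread. It assumes a PDO handle `$pdo` and a `users` table with `username` and `password_hash` columns; those names are assumptions, not taken from the thread.

```php
<?php
// Added example, not from the thread. Assumes a PDO handle $pdo and a
// users table with columns username and password_hash (assumed names).

// Registration: store only a salted one-way hash, never the plaintext.
function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() picks a random salt and a current algorithm (bcrypt by default).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: the comparison happens here, on the back-end. The stored hash is
// read from the database and never sent to the browser.
function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: reject, reveal nothing else
    }
    // password_verify() re-hashes the entered string with the stored salt and
    // compares the result in constant time.
    return password_verify($password, $row['password_hash']);
}

// Preview/profile page: the password is simply not part of the view data,
// so there is nothing to obfuscate or "blank out".
function profile_view(array $user): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<p>User: ' . $esc($user['username']) . '</p>';
}

// Typical use (constructed):
// register_user($pdo, 'karl', $_POST['password']);
// $ok = check_login($pdo, $_POST['username'], $_POST['password']);
// echo profile_view(['username' => 'karl']);
```

Only `username` reaches the page; neither the entered password nor its hash is ever part of the rendered HTML or its source.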