Hi, I am creating a register page for my website. I am wondering, how do I encrypt the password in MySQL so that the pw in the tables will look like "9859cefff19959d57aadc17187e"? One more question: is an encrypted pw good? Why do people encrypt pw in SQL? Appreciated.
You should hash passwords using md5 or sha1. This makes the password obfuscated in the database, and makes it nearly impossible for someone to recover. One thing to keep in mind is that md5 and sha will hash a string and it cannot be decrypted once it is hashed. You can reset the password by hashing and inserting another string. How to do it:

$password = 'MyPass09876743';
$enc_pass = md5($password); // = f7e292389ad58ad8e2b959cb5776bf40

Also, make sure you hash any user-entered password before checking it against the database entry.
Hi, pardon me, what is the meaning of "obfuscated"? Is encrypting the pw a best practice? Should I encrypt it or not encrypt it? So how do I reset the pw of the user ID if I encrypt it? Let's say someone forgets his password?
You must give the user the opportunity to set a new password. You cannot recover a password from a one-way hash without using Rainbow tables or the like.
To reset a password, you basically delete the current one, and hash and insert the new one. As far as security is concerned, generally it's best to encrypt passwords for your users' peace of mind. It's slightly more secure and costs a negligible amount of server resources. In reality, encrypting passwords does very little as far as real security is concerned. If someone has root or admin access to a database, then they can see and reset passwords, and any other data as needed. It by no means makes a database secure. Personally, I always use one-way hashes because it prevents administrators from knowing other users' passwords, therefore controlling access. This is especially important when you get a large database with many people using and administering it. It helps to control access and makes reporting and auditing accurate as to who is doing what on the database.
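Added example, not part of any post in this thread: the register, login and reset flow discussed above, written with PHP's built-in password_hash() and password_verify(), which salt every hash so that identical passwords store differently and a precomputed (rainbow) table does not apply. The $users array standing in for the users table, the function names and all sample values are assumptions made for the illustration.

```php
<?php
// Added example. $users stands in for the users table (hypothetical name);
// every username and password below is constructed for the illustration.
$users = [];

function register_user(array &$users, string $name, string $password): void {
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string. Store it whole.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, string $name, string $entered): bool {
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false;
    }
    // Legacy row: a bare 32-hex-character md5 digest as in the thread above.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($entered))) {
            return false;
        }
        // Correct password: replace the md5 digest with a salted hash.
        $users[$name] = password_hash($entered, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($entered, $stored)) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($entered, PASSWORD_DEFAULT);
    }
    return true;
}

function reset_password(array &$users, string $name, string $new): void {
    // A reset overwrites the stored hash; the old password is never recovered.
    $users[$name] = password_hash($new, PASSWORD_DEFAULT);
}

$users['olduser'] = md5('MyPass09876743');   // legacy unsalted row
register_user($users, 'alice', 'MyPass09876743');
register_user($users, 'bob', 'MyPass09876743');

var_dump($users['alice'] === $users['bob']);                // do equal passwords store equally?
var_dump(check_login($users, 'olduser', 'MyPass09876743')); // legacy row checked, then upgraded
reset_password($users, 'alice', 'N3w-constructed-pass');
var_dump(check_login($users, 'alice', 'MyPass09876743'));   // old password after the reset
```

In a real table the hash column should be wide enough for future algorithms; the PHP manual recommends 255 characters.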