On 8/18/07, C K <[EMAIL PROTECTED]> wrote: > Friends, > I have one question - How to store passwords in MySQL database table in a > secure way so that no one can see the password(understand the password > string)?
It is considered bad security practice to store passwords using reversible encryption. The issue is that users tend to choose the same passwords across different computing systems, as well as personal e-mail and banking accounts. The most common method is to keep a string, known only to the server, that is used to help generate the MD5 or SHA1 hash actually stored. The stored value is then generated using something like: MD5(CONCAT(server_string, user_password, server_string)) In order to be able to mount some kind of an attack other than brute force, an attacker would need to also have the server_string. The disadvantage of using only the user password for the MD5 is that it lends itself to a dictionary attack. So, a bit of randomness thrown in is helpful. http://en.wikipedia.org/wiki/Dictionary_attack As another poster pointed out, the probability of two different passwords having the same hash is remote. Using the SHA1 (160 bits) as an example, and assuming about 64 different characters (6 bits) available for passwords, the SHA1 is about 26 characters of information. Remote. Dave.
