On Tue, 2003-02-11 at 15:39, Curtis Maurand wrote:
> 
> The manual suggests that the password function is really for internal mysql 
> functions.  Ideally you should use the encode or md5_encode functions.
> 
> update user set password=encode('password', 'salt') where user = 
> 'your_user';
> 

Unless the manual does not say what method is used for encode(), I would
prefer MD5(), which is known to be good enough.

I remember something about "encode" from the source code. If I remember
properly, it was a "home-made" algorithm, and home-made algorithms are
always known to be "keep-away" algorithms.

If you need security, always hire an expert to analyze your needs and
suggest exact ways to improve it. Even a smaller mistake can void all
efforts to secure something. Most security problems I have seen are
results of doing security without knowing about the topic. Often they lead
to headlines, as it was on CNN a few months ago: "hackers stole credit
reports of 15000 people".

Use MD5() or SHA1() for one-way hashing where the result never needs to be
decrypted (usually passwords).
Use DES_ENCRYPT() for encrypting data if you want to decrypt it at some
point.
Surely do not use PASSWORD() anywhere.

     Tõnu
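
The distinction the reply above draws between one-way hashing and reversible encryption, as an added example that is not part of the original thread. It assumes a MySQL server of the thread's era (ENCODE(), DECODE(), DES_ENCRYPT() and DES_DECRYPT() were removed in MySQL 8.0, and the DES functions need a build with SSL support); the table `app_users`, its columns and all sample values are hypothetical.

```sql
-- Constructed demo table; every name and value here is hypothetical.
CREATE TABLE app_users (
  username  VARCHAR(32) NOT NULL PRIMARY KEY,
  pass_md5  CHAR(32)    NOT NULL,  -- hex digest from MD5(), one-way
  pass_enc  BLOB,                  -- output of ENCODE(), reversible
  note_enc  BLOB                   -- output of DES_ENCRYPT(), reversible
);

INSERT INTO app_users (username, pass_md5, pass_enc, note_enc)
VALUES ('your_user',
        MD5('password'),
        ENCODE('password', 'salt'),
        DES_ENCRYPT('data to read back later', 'demo key'));

-- One-way hashing: a login check hashes the candidate and compares digests.
-- Nothing is ever decrypted, and there is no function that turns pass_md5
-- back into the password.
SELECT COUNT(*) AS login_ok
  FROM app_users
 WHERE username = 'your_user'
   AND pass_md5 = MD5('password');

-- ENCODE(): the second argument is a password for the cipher, so anyone
-- who knows it can read the stored value back with DECODE().
SELECT DECODE(pass_enc, 'salt') AS recovered_password
  FROM app_users
 WHERE username = 'your_user';

-- DES_ENCRYPT(): reversible on purpose, for data that must be read again.
-- The key string has to be kept outside the table it protects.
SELECT DES_DECRYPT(note_enc, 'demo key') AS recovered_note
  FROM app_users
 WHERE username = 'your_user';
```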

