On Monday 15 March 2004 17:24, Ng Hwee Hwee wrote:

Use md5.

> I can't use md5 because i want to retrieve it and send emails to my users
> if they forgot their password..

If they forget their password shoot them. Or depending on how secure your 
application needs to be:

 - generate a new password, send it to the user and ask them to log in using the 
new password, then change it

 - send them an email containing a token (you need to generate a token and 
insert it into the database), give them a page where they can enter that token and 
allow them to change their password.

Refer to the archives for details and maybe other methods for dealing with 
lost passwords.

> md5 is only a one way encryption,

It is not an encryption, it's a one-way hash.

> thus i have to resort to using
> encode('$password', '$salt') where $salt is a value that i have assigned..
> because I know the value of $salt, I would be able to decode the password
> easily by looking at my database and running decode.

If your database and webserver are both located on the same server then 
encoding (or encrypting) anything is largely a waste of effort.

If a hostile user ever gets access to your database they would (most likely) 
have access to your decryption key as well - in this case your salt. 
Encryption is only useful where the data and the means of decrypting it are 
stored in separate locations and compromise of one does not necessarily lead 
to the compromise of the other.

> with blob, i can't see the encoded password easily and thus there is
> 'maximum security'. haha.. but i'm still open to any form of suggestions!

So pretending that you cannot 'see' the password increases the security!?! 
Like the myth about ostriches burying their heads in the sand to 'hide' from 
their enemies?

If you don't want to accidentally see people's passwords why not just rot13 it 
(apparently some companies seem to think that is a secure enough form of 

Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
Search the list archives before you post
Steckel's Rule to Success:
        Good enough is never good enough.

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
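The two points Jason makes above (store a one-way hash rather than a reversible ENCODE()/DECODE() value whose key sits next to the data, and handle forgotten passwords with a single-use token rather than by recovering the old password) can be put together into one small flow. The following is an added example, not code from the original thread or from any poster; it is written in Python with an in-memory sqlite3 table standing in for the MySQL database discussed on the list, and it uses a salted PBKDF2-SHA256 hash from the standard library instead of the plain md5 suggested in the reply, since that is what a practitioner would reach for today. The table layout, the `TOKEN_TTL` and `PBKDF2_ITERATIONS` constants, and the function names are all assumptions made for the illustration.

```python
"""Salted password hashing plus a single-use, expiring reset token.

Added example (not from the mailing-list thread). Schema, constants and
function names are hypothetical; sqlite3 in memory stands in for MySQL.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # hypothetical tuning knob; raise as hardware allows
TOKEN_TTL = 3600              # hypothetical: reset tokens live one hour


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iters$salt$hash'. The per-user random salt is stored
    with the hash: it only defeats precomputed tables, it is not a secret key,
    so knowing it does not let a database thief reverse the hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def _token_hash(token: str) -> str:
    # Only the hash of the token is kept in the DB, so a database dump does
    # not hand an attacker a pile of live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    conn.execute("CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY, "
                 "email TEXT NOT NULL, expires INTEGER NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(password)))


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT pwhash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


def issue_reset_token(conn: sqlite3.Connection, email: str, now: int) -> Optional[str]:
    """Generate a random token for a known account and return it so it can be
    emailed to the user. Returns None for an unknown address."""
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone() is None:
        return None
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)",
                 (_token_hash(token), email, now + TOKEN_TTL))
    return token


def redeem_reset_token(conn: sqlite3.Connection, token: str,
                       new_password: str, now: int) -> bool:
    """Consume the token (single use) and, if it is valid and unexpired,
    replace the user's password hash. Old password is never recovered."""
    th = _token_hash(token)
    row = conn.execute("SELECT email, expires FROM reset_tokens WHERE token_hash = ?",
                       (th,)).fetchone()
    if row is None:
        return False
    email, expires = row
    conn.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (th,))  # burn it
    if now > expires:
        return False
    conn.execute("UPDATE users SET pwhash = ? WHERE email = ?",
                 (hash_password(new_password), email))
    return True


if __name__ == "__main__":
    db = create_db()
    register(db, "alice@example.com", "hunter2")           # constructed sample user
    print("login ok:", login(db, "alice@example.com", "hunter2"))
    tok = issue_reset_token(db, "alice@example.com", now=1_000)
    print("reset ok:", redeem_reset_token(db, tok, "new-pass", now=1_000))
    print("token reusable:", redeem_reset_token(db, tok, "again", now=1_000))
```

Two things the code does that the list reply only implies: the token is deleted before its expiry is checked, so a late or replayed token can never be used, and the web tier only ever needs the stored salt and the stored hash, never a decryption key. In a real reset endpoint the response to the user should look the same whether or not the address exists, so that `issue_reset_token` returning None is not turned into an account-enumeration oracle.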
