As an addition to this, I would suggest that you 'SALT' the value before hashing it. There are already tables out there that contain a reverse look-ups of comman hash values (like names, states, dictionary words). A SALT is a random set of characters (use the same one for each value to be MD5'd or you'll never be able to match it back) that alters the hash value of the base password the users provide. You can prepend and append the hash values to the value to be MD5'd to make it more secure.

Bastien


From: Micah Stevens <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Encrypting DB content
Date: Fri, 30 Dec 2005 22:12:38 -0800


You can store an MD5, or SHA hash of the password, and then compare.. This is not an encrypted version of the password, rather a calculated hash of it. You
can't (well, not without a bit of effort) decrypt this back into the
password.

The idea is when you store the password, you create the hash. Store the hash in the database. When the user logs in, take their password entry, generate a
hash in the same way, and compare the two values.

SHA2 is the most secure method to use of these two, I'd use that.

The advantage is, the hash could be freely accessable to anyone, and it
doesn't cause a security issue, where as all a hacker needs is the key to an
encrypted database of passwords to reveal them all.

That's the route I take anyhow.. This will likely start a huge conversation
about how to secure your system up super tight, but remember the most secure
server is one that isn't turned on. :) A realistic solution is somewhere
in-between this and no security at all.

-Micah


On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> Hi there everyone,
>
>
>
> I am about to launch the website for my complex where the homeowners can
> login and check their billing status etc .. what is the best way, with PHP
> and MySQL, to store an ENCRYPTED password into the database so that if
> someone got into the DB they couldn't read the password but if they enter
> it into the form on the site it still works?
>
>
>
> I'm not sure on the best way to do this and any help would be really
> appreciated.
>
>
>
> Happy New Year everyone.
>
>
>
> Chris

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to