Storing passwords in MD5 or another hash is an excellent idea because it is
generally not possible to decrypt them (if the user uses a bad password they
can be brute forced but you can only do so much).  By storing passwords in
MD5 you protect your users passwords, if your database gets cracked their
passwords are still relatively secure.

You generally should not use a reversible encryption technique to store
something like user passwords, the reason being that in order to decrypt the
passwords you must store the encryption key in your code, when someone gets
access to your code (which they will or at least you must assume they will)
all they have to do is look in your code for your encryption key, after that
decrypting your user's passwords is trivial.  The worst thing is most users
use the same password for almost everything that means that many of their
other accounts are now compromised and they may not even know it.  It can be
argued the user should use a more secure password and not use the same one
in many places however the user is a being of convenience and is unlikely to
remember more than one password anyway :)

In short this has been covered probably thousands of times on this list but
I did not want a newer user to make the mistake of using an insecure method
of storing passwords, either putting them in the DB in plain text or using a
reversible encryption technique that is equally insecure because of the

Jason Sheets, CCNA, MCSE

-----Original Message-----
From: Scott Fletcher [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 09, 2002 2:24 PM
Subject: Re: [PHP] Encrypting passwords in a flat file before import

I was comparing it to what I was thinking about.  Like if the field in the
table (database) have a username and password.  Then you encrypt it with
features like this, then how can it be de-crypt if I had like a thousand
users account. It was just a thought in my mind.

Now based on your responses and feedback.  It seem that the md5() is such a
bad idea and instead, using mcrypt function would help.

"Marco Tabini" <[EMAIL PROTECTED]> wrote in message
> I think that generally you do not want passwords to be decryptable. What
> I normally do is try to encrypt whatever the user enters as a password
> and compare the resulting encrypted string with what's in the database
> to make sure they correspond. If the encrypting function is univocal
> (and md5 is) then the correct password will always return the same
> encrypted string.
>  On Wed, 2002-10-09 at 16:06, Scott Fletcher wrote:
> > Can it be de-encrypt???  I don't see how since you just use the function
> > md5().
> >
> > "Marek Kilimajer" <[EMAIL PROTECTED]> wrote in message
> > > If you don't need the file to be changed to contain md5 encrypted
> > > passwords use *fgetcsv() *to read the contenta,
> > > then use *md5()* on the password and insert it into database using
> > > mysql_query. No need to write a new file.
> > >
> > > Verdon Vaillancourt wrote:
> > >
> > > >Hi,
> > > >
> > > >I hope this question isn't too basic...
> > > >
> > > >I have a flat file (CSV) that I want to import into a mySQL db via
> > > >phpMyAdmin. The file has about 1200 rows and is in a format like:
> > > >"value","value","password","value","value","etc"
> > > >The passwords are in clear text. I need them to be encrypted in md5.
> > > >
> > > >Is there any advice out there as to how I could process this
> > > >before I import into my db or after the fact?
> > > >
> > > >Thanks, verdon
> > > >Ps. Please cc me if replying to list as I am on digest mode
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > PHP General Mailing List (
> > To unsubscribe, visit:
> >

PHP General Mailing List (
To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to