Storing passwords in MD5 or another hash is an excellent idea because it is
generally not possible to decrypt them (if the user uses a bad password they
can be brute forced, but you can only do so much).  By storing passwords in
MD5 you protect your users' passwords: if your database gets cracked, their
passwords are still relatively secure.

You generally should not use a reversible encryption technique to store
something like user passwords.  The reason is that in order to decrypt the
passwords you must store the encryption key in your code; when someone gets
access to your code (which they will, or at least you must assume they will),
all they have to do is look in your code for your encryption key, after which
decrypting your users' passwords is trivial.  The worst thing is that most
users use the same password for almost everything, which means that many of
their other accounts are now compromised and they may not even know it.  It
can be argued that the user should use a more secure password and not use the
same one in many places; however, the user is a being of convenience and is
unlikely to remember more than one password anyway :)

In short, this has probably been covered thousands of times on this list, but
I did not want a newer user to make the mistake of using an insecure method
of storing passwords, either putting them in the DB in plain text or using a
reversible encryption technique that is equally insecure because of the
implementation.

Jason Sheets, CCNA, MCSE

-----Original Message-----
From: Scott Fletcher [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 09, 2002 2:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Encrypting passwords in a flat file before import

I was comparing it to what I was thinking about.  Like, if the field in the
table (database) has a username and password, and then you encrypt it with
features like this, then how can it be decrypted if I had, like, a thousand
user accounts?  It was just a thought in my mind.

Now, based on your responses and feedback, it seems that md5() is such a bad
idea and that instead using the mcrypt function would help.

"Marco Tabini" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I think that generally you do not want passwords to be decryptable. What
> I normally do is try to encrypt whatever the user enters as a password
> and compare the resulting encrypted string with what's in the database
> to make sure they correspond. If the encrypting function is univocal
> (and md5 is) then the correct password will always return the same
> encrypted string.
>
>  On Wed, 2002-10-09 at 16:06, Scott Fletcher wrote:
> > Can it be de-encrypt???  I don't see how since you just use the function
> > md5().
> >
> > "Marek Kilimajer" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > If you don't need the file to be changed to contain md5 encrypted
> > > passwords, use *fgetcsv()* to read the contents,
> > > then use *md5()* on the password and insert it into the database using
> > > mysql_query. No need to write a new file.
> > >
> > > Verdon Vaillancourt wrote:
> > >
> > > >Hi,
> > > >
> > > >I hope this question isn't too basic...
> > > >
> > > >I have a flat file (CSV) that I want to import into a mySQL db via
> > > >phpMyAdmin. The file has about 1200 rows and is in a format like:
> > > >"value","value","password","value","value","etc"
> > > >The passwords are in clear text. I need them to be encrypted in md5.
> > > >
> > > >Is there any advice out there as to how I could process this flat-file
> > > >before I import into my db or after the fact?
> > > >
> > > >Thanks, verdon
> > > >Ps. Please cc me if replying to list as I am on digest mode
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
>
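The import procedure Marek describes (read the CSV with fgetcsv(), hash the password column, insert each row into the database), as an added example that is not code from the thread. The thread's md5() is swapped here for PHP's password_hash()/password_verify() API, which salts and slows the hash; the file name, column order, PDO connection details and the users table layout are assumptions.

```php
<?php
// Added example, not code from the thread. Reads a CSV whose third column is a
// cleartext password and inserts each row storing only a password hash.
// Assumptions: file name, column order, and a users(username, email, password_hash) table.
$csvPath = 'users.csv';                       // assumed: "username","email","password",...
$dbh = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'db-password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$insert = $dbh->prepare(
    'INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)'
);

$fh = fopen($csvPath, 'r');
if ($fh === false) {
    fwrite(STDERR, "cannot open $csvPath\n");
    exit(1);
}

$dbh->beginTransaction();
$imported = 0;
while (($row = fgetcsv($fh)) !== false) {
    if (count($row) < 3) {
        continue;                             // blank or malformed line
    }
    [$username, $email, $password] = $row;
    // password_hash() stands in for the thread's md5(): each hash gets its own
    // salt and a deliberately slow algorithm (bcrypt by default), so a leaked
    // table cannot be attacked with precomputed tables and every guess is costly.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $insert->execute([':u' => $username, ':e' => $email, ':h' => $hash]);
    $imported++;
}
$dbh->commit();
fclose($fh);
echo "imported $imported rows; delete $csvPath now, it still holds cleartext\n";

// Later, at login, compare the submitted password against the stored hash.
function checkLogin(PDO $dbh, string $username, string $candidate): bool
{
    $q = $dbh->prepare('SELECT password_hash FROM users WHERE username = :u');
    $q->execute([':u' => $username]);
    $hash = $q->fetchColumn();
    return $hash !== false && password_verify($candidate, $hash);
}
```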