Re: [PHP] encrypting passwords etc..

2002-01-17 Thread Richard Baskett

I would definitely have to agree.  The way I do it is encrypt it one way and
there is no way to recover the password.. at least anytime soon within the
next year or so.  If they forget their password I give them a temporary
password and then they can go change it to whatever they want, if they want
their old password.. well too bad since they obviously couldn't remember it
anyways so it can't be that important *grin*  But the password in the
database is entirely encrypted and if someone did happen to get a hold of
the database information they wouldn't get the users' passwords.  And that is
what is important to me.  Encrypting is a good thing in my opinion and
should be done as much as possible.. just my two bits worth :)

Rick

Until you have learned to be tolerant with those who do not always agree
with you; until you have cultivated the habit of saying some kind word of
those whom you do not admire; until you have formed the habit of looking for
the good instead of the bad there is in others, you will be neither
successful nor happy. - Napoleon Hill


> From: J Smith <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Thu, 17 Jan 2002 17:20:11 -0500
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] encrypting passwords etc..
> 
> 
> We have a similar set up at our work, but we still encrypt our users'
> passwords. That way not even the dba knows what passwords other people use,
> although s/he can still change the password for any user on our site. A
> lot of people use the same password for everything they do, and it would be
> possible for the dba to get ahold of all of those passwords and usernames
> from the database if they were in clear text, which could be bad.
> 
> Of course, I'm the dba, and I wouldn't do that sort of thing, but I've
> encrypted the passwords anyway with a one-way md5 hash. At least the users
> can feel a bit more secure that their passwords are safe from prying eyes,
> even from the dba.
> 
> Makes it a bit of a hassle when somebody asks for their forgotten password
> -- I can't exactly decrypt the 128-bit hash any time soon, can I? I can set
> their passwords to something else, of course, but sometimes they just want
> their old password
> 
> J
> 
> 
> Anas Mughal wrote:
> 
>> We had a client who wanted us to encrypt their
>> passwords. Our argument was that maybe their database
>> is not well protected. Only the dba and the
>> application should have access to the database.
>> No-one else should be able to view their data anyways.
>> We didn't see any need to encrypt the passwords.
>> 
>> Any thoughts...
>> 
>> 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 






Re: [PHP] encrypting passwords etc..

2002-01-17 Thread J Smith


We have a similar set up at our work, but we still encrypt our users' 
passwords. That way not even the dba knows what passwords other people use, 
although s/he can still change the password for any user on our site. A
lot of people use the same password for everything they do, and it would be 
possible for the dba to get ahold of all of those passwords and usernames 
from the database if they were in clear text, which could be bad. 

Of course, I'm the dba, and I wouldn't do that sort of thing, but I've 
encrypted the passwords anyway with a one-way md5 hash. At least the users 
can feel a bit more secure that their passwords are safe from prying eyes, 
even from the dba. 

Makes it a bit of a hassle when somebody asks for their forgotten password
-- I can't exactly decrypt the 128-bit hash any time soon, can I? I can set 
their passwords to something else, of course, but sometimes they just want 
their old password

J


Anas Mughal wrote:

> We had a client who wanted us to encrypt their
> passwords. Our argument was that maybe their database
> is not well protected. Only the dba and the
> application should have access to the database.
> No-one else should be able to view their data anyways.
> We didn't see any need to encrypt the passwords.
> 
> Any thoughts...
> 
> 






Re: [PHP] encrypting passwords etc..

2002-01-17 Thread py

"security is measured by the weakest link in the chain"

so I would say that the database needs to be well protected and
the password encrypted.

py


At 12:14 PM 1/17/2002 -0800, you wrote:
>We had a client who wanted us to encrypt their
>passwords. Our argument was that maybe their database
>is not well protected. Only the dba and the
>application should have access to the database.
>No-one else should be able to view their data anyways.
>We didn't see any need to encrypt the passwords.
>
>Any thoughts...
>
>
>
>--- Hawk <[EMAIL PROTECTED]> wrote:
> > Ok I got it working now, with the update and
> > database connect etc.. thanks
> > guys :)
> > this is not a problem(yet), more a thought.. is it
> > really necessary to
> > encrypt passwords, I mean, what does it prevent, me
> > from seeing them using
> > mysql.exe ? :p
> > I tried and it worked fine to almost all points..
> > worked with the user info
> > update and so on.. but I seem to do something wrong
> > and can't log back on
> > since I encrypted the password... :p
> > I used UPDATE users SET
> > password=password('$password') but by some reason I
> > can't seem to decrypt it on the login page.. any
> > help would again be
> > appreciated.. :)
> >
> > Hawk
> >
> >
> >
> >
>
>
>=
>Anas Mughal
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>Tel: 973-249-6665
>






Re: [PHP] encrypting passwords etc..

2002-01-17 Thread Anas Mughal

We had a client who wanted us to encrypt their
passwords. Our argument was that maybe their database
is not well protected. Only the dba and the
application should have access to the database.
No-one else should be able to view their data anyways.
We didn't see any need to encrypt the passwords.

Any thoughts...



--- Hawk <[EMAIL PROTECTED]> wrote:
> Ok I got it working now, with the update and
> database connect etc.. thanks
> guys :)
> this is not a problem(yet), more a thought.. is it
> really necessary to
> encrypt passwords, I mean, what does it prevent, me
> from seeing them using
> mysql.exe ? :p
> I tried and it worked fine to almost all points..
> worked with the user info
> update and so on.. but I seem to do something wrong
> and can't log back on
> since I encrypted the password... :p
> I used UPDATE users SET
> password=password('$password') but by some reason I
> can't seem to decrypt it on the login page.. any
> help would again be
> appreciated.. :)
> 
> Hawk
> 
> 
> 
> 


=
Anas Mughal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Tel: 973-249-6665
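
The point running through this thread, that a one-way-hashed password is checked by re-hashing the login attempt rather than decrypting it and that a forgotten password is replaced with a temporary one, sketched in PHP as an added example (not code from any poster). It uses PHP's built-in password_hash()/password_verify() (PHP 5.5+) and random_bytes() (PHP 7+) in place of the md5 and MySQL password() calls mentioned in the thread; the $users array, the function names and the sample accounts are hypothetical stand-ins for a real users table.

```php
<?php
// Constructed stand-in for the users table: name => stored hash.
$users = [];

// Store only a salted, deliberately slow one-way hash of the password.
function register(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login never decrypts anything: password_verify() re-hashes the attempt
// with the salt and cost embedded in the stored value, then compares.
function login(array $users, string $name, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    // Unknown names are checked against a dummy hash so response time
    // does not reveal which accounts exist.
    $known = isset($users[$name]);
    $ok = password_verify($password, $known ? $users[$name] : $dummy);
    return $known && $ok;
}

// Forgotten password: the old one cannot be recovered, so issue a random
// temporary password and overwrite the stored hash.
function resetPassword(array &$users, string $name): string
{
    if (!isset($users[$name])) throw new InvalidArgumentException('unknown user');
    $temp = bin2hex(random_bytes(8)); // 64 bits from the system CSPRNG
    $users[$name] = password_hash($temp, PASSWORD_DEFAULT);
    return $temp; // send to the user, who then picks a new password
}

register($users, 'alice', 'correct horse'); // constructed sample accounts
register($users, 'bob', 'correct horse');

var_dump(login($users, 'alice', 'correct horse')); // right password
var_dump(login($users, 'alice', 'wrong guess'));   // wrong password
// Per-user salts: the same password yields different stored values, unlike
// a bare md5() digest, which is identical for every user who shares it.
var_dump($users['alice'] === $users['bob']);
var_dump(md5('correct horse') === md5('correct horse'));

$temp = resetPassword($users, 'alice');
var_dump(login($users, 'alice', 'correct horse')); // old password after reset
var_dump(login($users, 'alice', $temp));           // temporary password
```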
