Page 1 of 2 12 LastLast
Results 1 to 25 of 28
  1. #1

    Storing password in database

    Greetings,

    I have a MySQL/PHP site and I'm going to implement a member's area. I want to store their password online in the database of course but should I just use a mysql varchar field? Or for added security should I do something else? Any help would be greatly appreciated.

  2. #2
    Join Date
    Sep 2004
    Location
    Chicago, IL
    Posts
    214
    use MD5() in mysql to 1-way encrypt them
    Ben Lenard, MS, MBA
    TechMinds 4 Hire, Inc - (866) 214-1285 x 2001
    http://www.tm4h.com

  3. #3
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,925
    Use a varchar field, and use md5() for one way encryption, or the openssl libraries for a more advanced encryption.

    Either way you do it, this is more a programming question.
    Dan Sheppard ~ Freelance whatever

  4. #4
    Join Date
    Feb 2005
    Location
    Seattle, Washington
    Posts
    147
    I would recommend using either md5 or sha1 (even better) to hash the password. This will protect it. If you want to take it a step further, you could ever use HMAC hashes.
    Regards,
    Matthew Fonda
    PHP Developer

  5. #5
    Now when I use MD5(), it gets stored in the database as a weird string, correct? How do I then compare what they type in when they log in to the value that's stored in the database?

  6. #6
    Join Date
    Feb 2005
    Location
    Seattle, Washington
    Posts
    147
    PHP Code:
    if (md5($user_input) == $password) {
    echo 
    'login ok';

    $user_input being what was entered in the login form
    $password being what is stored in the db

    however, better to use sha1 than md5
    Regards,
    Matthew Fonda
    PHP Developer

  7. #7
    Join Date
    May 2005
    Location
    Roanoke, VA
    Posts
    36
    SHA1 and MD5 both have demonstrated hash collisions. Some experts have gone so far as to label SHA1 "broken" due to the existence of techniques for this.
    You cooin' with my bird?

  8. #8
    Join Date
    Jun 2004
    Location
    Bay Area -USA
    Posts
    1,740
    What are the advantages of encrypting a password field. Cant people just unencrypt them rather easily?

    Just wondering
    <<< Please see Forum Guidelines for signature setup. >>>

  9. #9
    Join Date
    May 2005
    Location
    Chicago
    Posts
    31
    Originally posted by Sheps
    Use a varchar field, and use md5() for one way encryption, or the openssl libraries for a more advanced encryption.

    Either way you do it, this is more a programming question.
    Isnt this the programmig forum? Yes i would also use md5. I have also written a function that transforms the input into a variable the looks like md5 but it works off my key so if some gets my database that will not know where to start to hack it cause the key is pulled from another server.
    VPS Specialists. Dedicated. Colocation

  10. #10
    Join Date
    May 2005
    Location
    Roanoke, VA
    Posts
    36
    Originally posted by VolkNet
    What are the advantages of encrypting a password field. Cant people just unencrypt them rather easily?

    Just wondering
    No, because it's not "encryption". When a password is hashed, it's run through a very complex series of mathematical transformations which are intended to be "one-way"; that is, you can hash A to get B, but you can't "un-hash" or run it in reverse to go from B to A (running the hash function in reverse does not take you back to where you started, in other words).

    The security problem with hashing comes when it's possible to generate a "collision"; that means there are two different passwords which, when hashed, give the same result. This means you no longer need to find out the unique password, you just need to find something which hashes to the same value as the password, and depending on circumstances that may be much easier. All commonly-used hash functions have collisions, but they're designed to make it as hard as possible to find or generate them. In the case of SHA1, however, a method was recently found of generating collisions which was two thousand times faster than the previous fastest method, hence many crypto people now call it "broken".
    You cooin' with my bird?

  11. #11
    Join Date
    May 2004
    Posts
    500
    Is there any type of encryption that is alot more solid than md5 and sha1? They are the only types I know of (I think - I've probably heard of other ones but I can't remember them)

  12. #12
    Join Date
    May 2005
    Location
    Panama City, Rep. of Panama
    Posts
    9
    When you hash a string, you aren't encrypting it in the sense that a hash does not carrie the value of the hashed string in a way that it can be recovered. By hashing, you are creating a 'signature' value for the string you are hashing. There are many different formulas for hashing a string, some are mathemiatical, some are logical. But the basic gist of it, is that the MD5 will create a 128 bit hash value (in the form of a string) for a give string to be hashed that for all practical purposes is irreversible. In other words, once you hash the string it would be beyond any reasonable probability that the the original string could be produced from the MD5 hash and knowledge of how the implementation of the MD5 algorithm used to create the hash assuming this attack is being carried out by a member of 99.999999% of the population. ...however, before someone states the obvious... with enough computing power and time, any hash can be collided just as any encrypted string can be compromised.

    Back to passwords: You have to ask yourself, is it worth encrypting the password? In most commercial, non-mission-critical / non-information-sensitive applications it isn't. What are the chances that someone will try to use (many, many) repetitions to collide your hash? These types of attacks would use many repetitions of systematic passwords, not methodical use of MD5 vulnerabilities. Even if this were a concern, before encrypting passwords, I would take steps to slow down a brute force attacks on the password. I.E. Login attempt counts w/ account disable and/or login delay timers. It becomes a question of calculated risk, and in most cases encrypting a login password is just adding another scale to the big O. On the other hand when information protected by the password is worth over a certain point (you as the implementor, or your customer, have to define that point) then it becomes worth it to save your data encrypted in your password field. Further, if I really were worried about a system's security and I was going to encrypt my user info...I wouldn't be storing my data in something as secure as a MySQL data base.

    Back to the MD5 hash... someone posted that there are known vulnerabilities that can be used to collide with MD5 hashes without much effort, if my memory servers me correctly this is not true for MD5, it is true only for MD2 and MD4. Allot of work has been done to collide MD5 hashes. Vlastimil Klima, as far as I know was the latest to show that an MD5 hash could be collided in a couple hours with a notebook computer. Before him, and ten years earlier, the only others to succed int his used the power of a cluster of I.B.M. super computers! First of all this is not a trivial accomplishment... its not something a script kiddy is going to download and use to break into all sites with password fields that store MD5 hashes. Furthermore: To collide a hash, you need the hash itself! When your user is passing you a password, he can't (or at least shouldn't) see the hash which you are comparing it against. If your user has access to the table where you are storing your user names and password hashes...then you have problems of quite another scale.

    Francisco
    Last edited by albrookdata.com; 05-29-2005 at 07:36 PM.

  13. #13
    Join Date
    May 2005
    Location
    Panama City, Rep. of Panama
    Posts
    9
    Going back to the original question:

    I am assuming you are using a MySQL DBMS: I would use the PHP MD5 function to encrypt the string that is going to be saved in the database table. Then I usethe same PHP MD5 function to compare the inputed string from the user to the one found in the table. The reason I say to use the PHP MD5 function is because I have found cases where the MySQL MD5 function has not agreed with the PHP MD5 function. POSTGRES (a much better DBMS) doesn't have such problems.

    Here's a quick 'n' dirty example:

    if ($row['password'] === md5($_POST['password']))
    {
    print("Welcome!");
    }
    else
    {
    print("Shoo!");
    }

  14. #14
    Join Date
    Sep 2003
    Location
    Portugal
    Posts
    423
    The most common attack to HASHED passwords are dictionary attacks. To prevent this, or most of it, you should use an MD5 and a SALT value.

    Best regards.
    Software Project Manager and Architect
    .Net, SQL Server, PHP and MySql

  15. #15
    This may be obvious to most folks (as it is to me now), but at one point it wasn't: if you do use md5() or sha1() on your passwords, you won't be able to decrypt them to send them to a users email account (should you want to implement a "forgot password?" link).

    What you'll have to do instead is to, when a known email address requests a password be sent, reset that user's password to something - perhaps a series of numbers - and then send that password out to them. Then they can login, and change the password themselves to something they can remember.

  16. #16
    Join Date
    Jun 2004
    Location
    Bay Area -USA
    Posts
    1,740
    maybe you could create another database with a different username and password and store all the raw passwords there. Who knows though.
    <<< Please see Forum Guidelines for signature setup. >>>

  17. #17
    Join Date
    May 2005
    Location
    Planet Earth
    Posts
    813
    The best thing to do when 'reseting password' is to send an url to the user's email address with a link where he can reset his password without the need to enter the old one.

    Most websites are working that way nowadays (such as Google).
    PutFile.io — Disrupting traditional file hosting.
    █ Signup Early and enjoy Unlimited space/bandwidth for your files hosting, Forever!
    █ No Ads.
    █ No Countdowns.

  18. #18
    Join Date
    May 2004
    Location
    Singapore
    Posts
    263
    In the case of SHA1, however, a method was recently found of generating collisions which was two thousand times faster than the previous fastest method, hence many crypto people now call it "broken".
    If I remember correctly, the recent series of advances in that area is on pre-image attacks against the MD5 family of hashes, not collision attacks.
    Even then, SHA1 remains only theoretically broken from a practical point of view, though the situation can only get worse.

    But since the security here lies in collision resistance, this is not that much of a problem.
    The problem lies mainly in digital signatures.

    Furthermore, if the intention is merely to protect the original passwords (since access to the hashed passwords is presumably a security breach so severe that the attacker can get other sensitive info without having to actually use other passwords), then even MD4 may be sufficient (though I would nonetheless recommend SHA1, if you really want to use a hash from the MD5 family).
    #include<cstdio>
    char*s="#include<cstdio>%cchar*s=%c%s%c;%cint main(){std::printf(s,10,34,s,34,10);}";
    int main(){std::printf(s,10,34,s,34,10);}

  19. #19
    If the md5 password is simple- ie, 'photograph' or 'mustang16', I can crack it in a matter of hours or less just on a desktop pc, just using a normal wordlist hash brute forcer, let alone rainbow tables.

    Of course, I need to get the hash in the first place..
    So far I have not needed to make 31 posts thanks to the search function.

  20. #20
    Join Date
    May 2004
    Posts
    500
    Isn't the point of one way encrypting passwords for online forums and such so that if people hack into the MySQL server, they can't see all the members' passwords. They will just see hashes.

  21. #21
    Join Date
    Mar 2004
    Location
    california
    Posts
    162
    RSA is 192 bit encryption but I don't think anyone has implemented it in php. Also, when people use the term broken, they are talking about finding a collision in say, 3/4 of the time it would take normally (which is a very long time). I really wouldn't worry about your password safety, because if they could access your database, they could access your code more than likely. Then they wouldn't have to even crack the hash, as they could have the password in clear text.

  22. #22
    Join Date
    May 2004
    Posts
    500
    But if they saw the code all they would see is say; md5($password). They wouldn't be able to just go; un_md5($hash_in_the_database) because that's the point of md5, it only goes one way. So isn't the only way to crack md5 by brute force?

  23. #23

    Re: Storing password in database

    Originally posted by ChrisF79
    Greetings,

    I have a MySQL/PHP site and I'm going to implement a member's area. I want to store their password online in the database of course but should I just use a mysql varchar field? Or for added security should I do something else? Any help would be greatly appreciated.
    Use MD5 to encrypt the passwords and always compare the checksums. MD5 is an irreversible algorithm so if you have the checksum on the DB for the password, then you encrypt the password the user fed you and compare the checksums. If they match, the passwords were the same.

    The only drawback is that you really cannot send out password reminders, you need to reset the password every time the user forgets it...

  24. #24
    Join Date
    Mar 2004
    Location
    california
    Posts
    162
    Like I said, it doesn't matter about passwords, because if they could get to your database they can get into your program. Just make sure they can only attempt 3 times at logging in, and use a salt. Other than that, I'd use either MD5 or SHA1.

  25. #25
    Join Date
    Sep 2002
    Location
    Illinois
    Posts
    2,307
    I think it's better to secure database and access to it than passwords. If someone gets access to database than nothing else is needed. All information is stored there. Don't see how encrypted password would help is this case if other information if not encrypted.
    How's my programming? Call 1-800-DEV-NULL

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •