  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2286

Need help understanding proper use of AES_ENCRYPT and AES_DECRYPT to encrypt passwords

I'm new to this. In tblMembers I have the field "pwd" for password. A new member will be filling in a form on my webpage to join (I'm using Dreamweaver and ColdFusion for the website; MySQL for the database). I want to be sure that the passwords in my database are totally secure. I think I need to use AES_ENCRYPT and AES_DECRYPT to do this. But I don't quite get the concept of the "key". How do I specify it? Do I just put any old string into the function, like this?..

INSERT INTO pwd VALUES (1, AES_ENCRYPT(pwd,'MySecurePasswordKey')) ???
and then to retrieve the password later:
SELECT AES_DECRYPT(pwd,'MySecurePasswordKey') FROM .... (etc)

So I would use the same key for every password in my database?
Can anyone ever get to my code and read what the key is? How is it protected?

AND will I need to "order an SSL certificate" from my ISP in order to use these functions?

Thanks.
0
Asked by: alicia1234
1 Solution
 
Kim Ryan (IT Consultant) Commented:
Yes, the code looks right and you always use the same key, just a string that is easy for you to remember but hard for others to guess. Quoting from the MySQL manual...
---
 These functions allow encryption and decryption of data using the official AES (Advanced Encryption Standard) algorithm, previously known as “Rijndael.” Encoding with a 128-bit key length is used, but you can extend it up to 256 bits by modifying the source. We chose 128 bits because it is much faster and it is secure enough for most purposes.
---

You may need to say:  SELECT AES_DECRYPT(pwd,'MySecurePasswordKey') as pwd FROM
You do not need any SSL certificate. The AES algorithm is implemented completely within MySQL. SSL is for encrypting all the data transmitted during a session.
0
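The pattern from this thread, written out as an added example (not part of the original posts), next to a variant that gives each row its own random IV. Only tblMembers, pwd and the key string come from the thread; the other columns, the sample rows and the user variables are constructed, and part 2 assumes MySQL 5.6.17 or later for block_encryption_mode and RANDOM_BYTES().

```sql
-- Constructed schema; pwd_iv is a hypothetical column used only in part 2.
CREATE TABLE tblMembers (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(64)   NOT NULL UNIQUE,
  pwd      VARBINARY(80) NOT NULL,   -- AES_ENCRYPT returns binary, not text
  pwd_iv   VARBINARY(16) NULL
);

-- Part 1: the thread's pattern, default block_encryption_mode (aes-128-ecb).
SET @k = 'MySecurePasswordKey';
INSERT INTO tblMembers (username, pwd) VALUES
  ('member_a', AES_ENCRYPT('sample-password-1', @k)),
  ('member_b', AES_ENCRYPT('sample-password-1', @k)),
  ('member_c', AES_ENCRYPT('sample-password-2', @k));

-- Same key + same password gives the same ciphertext, so members who share
-- a password show up to anyone who can read the table, with or without the key.
SELECT HEX(pwd) AS ciphertext, COUNT(*) AS members
FROM tblMembers
GROUP BY pwd
HAVING COUNT(*) > 1;

-- A login check does not need AES_DECRYPT: encrypt the submitted value and compare.
SELECT id FROM tblMembers
WHERE username = 'member_a'
  AND pwd = AES_ENCRYPT('sample-password-1', @k);

-- Part 2: CBC mode with a fresh random IV per row.
DELETE FROM tblMembers;
SET block_encryption_mode = 'aes-256-cbc';
SET @k = UNHEX(SHA2('MySecurePasswordKey', 256));  -- 32-byte key from the passphrase

SET @iv = RANDOM_BYTES(16);
INSERT INTO tblMembers (username, pwd_iv, pwd)
VALUES ('member_a', @iv, AES_ENCRYPT('sample-password-1', @k, @iv));
SET @iv = RANDOM_BYTES(16);
INSERT INTO tblMembers (username, pwd_iv, pwd)
VALUES ('member_b', @iv, AES_ENCRYPT('sample-password-1', @k, @iv));

-- The two rows hold the same password but different ciphertexts.
SELECT username, HEX(pwd_iv) AS iv, HEX(pwd) AS ciphertext FROM tblMembers;

-- Login check in CBC mode: re-encrypt with the IV stored on that row.
SELECT id FROM tblMembers
WHERE username = 'member_b'
  AND pwd = AES_ENCRYPT('sample-password-1', @k, pwd_iv);
```

In both parts every password stays recoverable by whoever holds the key string, so the key should not sit in a query literal or page source. A salted one-way hash computed in the application avoids keeping a decryption key at all.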
 
alicia1234 (Author) Commented:
Thank you!
0
