Need help understanding proper use of AES_ENCRYPT and AES_DECRYPT to encrypt passwords

Posted on 2006-05-14
Last Modified: 2012-05-05
I'm new to this. In tblMembers I have the field "pwd" for password. A new member will be filling in a form on my webpage to join (I'm using Dreamweaver and ColdFusion for the website; MySQL for the database). I want to be sure that the passwords in my database are totally secure. I think I need to use AES_ENCRYPT and AES_DECRYPT to do this. But I don't quite get the concept of the "key". How do I specify it? Do I just put any old string into the function, like this?

INSERT INTO pwd VALUES (1, AES_ENCRYPT(pwd,'MySecurePasswordKey') ???
and then to retrieve the password later:
SELECT AES_DECRYPT(pwd,'MySecurePasswordKey') FROM .... (etc)

So I would use the same key for every password in my database?
Can anyone ever get to my code and read what the key is? How is it protected?

AND will I need to "order an SSL certificate" from my ISP in order to use these functions?

Question by:alicia1234
    Accepted Solution

    Yes, the code looks right and you always use the same key, just a string that is easy for you to remember but hard for others to guess. Quoting from the MySQL manual...
     These functions allow encryption and decryption of data using the official AES (Advanced Encryption Standard) algorithm, previously known as "Rijndael." Encoding with a 128-bit key length is used, but you can extend it up to 256 bits by modifying the source. We chose 128 bits because it is much faster and it is secure enough for most purposes.

    You may need to say:  SELECT AES_DECRYPT(pwd,'MySecurePasswordKey') AS pwd FROM ...
    You do not need any SSL certificate. The AES algorithm is implemented completely within MySQL. SSL is for encrypting all the data transmitted during a session.
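    The full round trip the question sketches, written out as an added example (it is not code from the question or the accepted answer). The table layout, the column widths, the sample user and the placeholder syntax are assumptions; the key string is the one from the question and would normally live in the application's configuration rather than in the SQL text.

```sql
-- Added example (assumed schema). AES_ENCRYPT() returns a binary string, so the
-- column must be VARBINARY or BLOB; a VARCHAR column can silently mangle the bytes.
-- AES-128 pads to whole 16-byte blocks: a value of n bytes becomes 16 * (FLOOR(n / 16) + 1) bytes.
CREATE TABLE tblMembers (
    member_id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username  VARCHAR(64)   NOT NULL UNIQUE,
    pwd       VARBINARY(80) NOT NULL
);

-- Storing a password at sign-up. The key is an ordinary string; MySQL folds it
-- into a 128-bit AES key, and the same key is used for every row.
INSERT INTO tblMembers (username, pwd)
VALUES ('alice', AES_ENCRYPT('correct horse', 'MySecurePasswordKey'));

-- Reading it back (the "AS pwd" alias keeps the column name the application expects).
SELECT member_id, AES_DECRYPT(pwd, 'MySecurePasswordKey') AS pwd
FROM tblMembers
WHERE username = 'alice';

-- Login check. The three ? placeholders (username, key, typed password) are bound
-- by the application as parameters, never concatenated into the SQL string.
SELECT member_id
FROM tblMembers
WHERE username = ?
  AND AES_DECRYPT(pwd, ?) = ?;

-- With a different key the padding check fails and AES_DECRYPT returns NULL
-- (or unrelated bytes), so the comparison above does not match.
SELECT AES_DECRYPT(pwd, 'SomeOtherKey') AS pwd
FROM tblMembers
WHERE username = 'alice';
```

    Two things to keep in mind when using this pattern. The key is not stored in MySQL at all; it is whatever string the application passes in each query, so it has to be kept in the ColdFusion side's configuration and out of anything served to the browser. And because AES_ENCRYPT is reversible by design, anyone who can read both the tblMembers rows and that configuration can recover every stored password in clear text; the encryption only protects the table contents on their own.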

    Author Comment

    Thank you!
