[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

How should I safely store a password in MySQL database?

Posted on 2011-03-25
8
Medium Priority
?
418 Views
Last Modified: 2012-05-11
Dear Experts,
I use PHP.
How should I safely store a password in MySQL database?
How should I insert a password into MySQL database?
thank you
0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:aboo_s
ID: 35213275
You should first encrypt it and then isert it into the database!
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 200 total points
ID: 35213338
for the encryption there are a lot of functions in php, one of wich is md5.
md5($pwd)

here is a page with full explanation on how to use it:
http://php.net/manual/en/function.md5.php

other similar functions are: sha1 and hash ..and others..
0
 
LVL 1

Expert Comment

by:merjasec
ID: 35213372
You must use one way encryption php function crypt.

http://php.net/manual/en/function.crypt.php


0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 200 total points
ID: 35213483
best way is MD5 ...

$your_pwd = "sometext";

$encryped_password = md5($your_pwd);
0
 
LVL 4

Accepted Solution

by:
m_walker earned 800 total points
ID: 35213536
You need to work out IF you need to be able to access the password in the clear or not.
if you are storing passwords to see if a remote users supplies the correct "logon" password then you do NOT need to get access to the clear text version.  If you do need the password in clear text, e.g. its to store all the passwords you use to logon to other sites or services/databases etc then you DO.

If you dont need the clear text version use a HASH as others have already said.
Note: MD5 is a HASH not an encryption.  Hashing is one way, encryption can be undone/decrypted.
MD5 is being replaced by the stronger sha.

If you need to encrypt then use something like AES, DES is old and considered weak and AES is faster then 3DES.

When hashing or encrypting, its best to salt the password some how.
A simple way to salt an MD5 hash is to cat the username to the password and hash.
eg: Username : Bob, Password : hello
HASH = md5 ("BobHello")
this way even if two passwords are the same in the database the hash/encrypted data will be different.  Why is this better, lets say my password as hello and I get access to the database, if no salt is used, then all password hash's that are the same as mine have the password hello.

On top of the storage of the passwords, if they are used for web access to a site, you need to consider how these passwords will go over the internet.  The simplest is via an SSL page, but you need an SSL Certificate for your site.
The next best is to use a srcipt to take the password the user keys in and create the hash in the same was as you used to store in the database, then hash again with a session salt (a one off salt).  When the password gets to your server, read the hash from the database, and hash again with the same session salt and see if the match.  This ensures that someone cant playback a logon session.


0
 
LVL 9

Assisted Solution

by:gtkfreak
gtkfreak earned 800 total points
ID: 35225556
Never encrypt the password and store it in the MySQL database field. Always store a hash of the password. From what I know, MD5 does have a vulnerability but you should be okay using SHA256. MD5 or SHA256 are hashing algorithms, and will always convert the password entered by the user into a one-way hash value that can never lead to the revelation of the password of the user. Using hash functions also gives you a safeguard that even administrators cannot decrypt or derive the password from the hash.
0
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 35230482
thank you.
0
 
LVL 11

Expert Comment

by:f_o_o_k_y
ID: 35230691
The best way to store password in databest, is to use md5 + salt.
It mean, that You have to genrate one, random word, and mix it with password.

$secret = 'ItIsMyHugeSecret-AndSomeSpecials!@#$%';

and store it in the script.

then generate md5:

$md5 = md5( $secret . $user_password );

and validate:

if( md5( $secret . $post_password ) == $md5 )
{
echo 'access ok';
}
else
{
echo 'access deny';
}
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this series, we will discuss common questions received as a database Solutions Engineer at Percona. In this role, we speak with a wide array of MySQL and MongoDB users responsible for both extremely large and complex environments to smaller singl…
In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question