Solved

How should I safely store a password in MySQL database?

Posted on 2011-03-25
8
412 Views
Last Modified: 2012-05-11
Dear Experts,
I use PHP.
How should I safely store a password in MySQL database?
How should I insert a password into MySQL database?
thank you
0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:aboo_s
ID: 35213275
You should first encrypt it and then isert it into the database!
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 50 total points
ID: 35213338
for the encryption there are a lot of functions in php, one of wich is md5.
md5($pwd)

here is a page with full explanation on how to use it:
http://php.net/manual/en/function.md5.php

other similar functions are: sha1 and hash ..and others..
0
 
LVL 1

Expert Comment

by:merjasec
ID: 35213372
You must use one way encryption php function crypt.

http://php.net/manual/en/function.crypt.php


0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 50 total points
ID: 35213483
best way is MD5 ...

$your_pwd = "sometext";

$encryped_password = md5($your_pwd);
0
 
LVL 4

Accepted Solution

by:
m_walker earned 200 total points
ID: 35213536
You need to work out IF you need to be able to access the password in the clear or not.
if you are storing passwords to see if a remote users supplies the correct "logon" password then you do NOT need to get access to the clear text version.  If you do need the password in clear text, e.g. its to store all the passwords you use to logon to other sites or services/databases etc then you DO.

If you dont need the clear text version use a HASH as others have already said.
Note: MD5 is a HASH not an encryption.  Hashing is one way, encryption can be undone/decrypted.
MD5 is being replaced by the stronger sha.

If you need to encrypt then use something like AES, DES is old and considered weak and AES is faster then 3DES.

When hashing or encrypting, its best to salt the password some how.
A simple way to salt an MD5 hash is to cat the username to the password and hash.
eg: Username : Bob, Password : hello
HASH = md5 ("BobHello")
this way even if two passwords are the same in the database the hash/encrypted data will be different.  Why is this better, lets say my password as hello and I get access to the database, if no salt is used, then all password hash's that are the same as mine have the password hello.

On top of the storage of the passwords, if they are used for web access to a site, you need to consider how these passwords will go over the internet.  The simplest is via an SSL page, but you need an SSL Certificate for your site.
The next best is to use a srcipt to take the password the user keys in and create the hash in the same was as you used to store in the database, then hash again with a session salt (a one off salt).  When the password gets to your server, read the hash from the database, and hash again with the same session salt and see if the match.  This ensures that someone cant playback a logon session.


0
 
LVL 9

Assisted Solution

by:gtkfreak
gtkfreak earned 200 total points
ID: 35225556
Never encrypt the password and store it in the MySQL database field. Always store a hash of the password. From what I know, MD5 does have a vulnerability but you should be okay using SHA256. MD5 or SHA256 are hashing algorithms, and will always convert the password entered by the user into a one-way hash value that can never lead to the revelation of the password of the user. Using hash functions also gives you a safeguard that even administrators cannot decrypt or derive the password from the hash.
0
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 35230482
thank you.
0
 
LVL 11

Expert Comment

by:f_o_o_k_y
ID: 35230691
The best way to store password in databest, is to use md5 + salt.
It mean, that You have to genrate one, random word, and mix it with password.

$secret = 'ItIsMyHugeSecret-AndSomeSpecials!@#$%';

and store it in the script.

then generate md5:

$md5 = md5( $secret . $user_password );

and validate:

if( md5( $secret . $post_password ) == $md5 )
{
echo 'access ok';
}
else
{
echo 'access deny';
}
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question