• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 422
  • Last Modified:

How should I safely store a password in MySQL database?

Dear Experts,
I use PHP.
How should I safely store a password in MySQL database?
How should I insert a password into MySQL database?
thank you
0
Braveheartli
Asked:
Braveheartli
4 Solutions
 
aboo_sCommented:
You should first encrypt it and then isert it into the database!
0
 
aboo_sCommented:
for the encryption there are a lot of functions in php, one of wich is md5.
md5($pwd)

here is a page with full explanation on how to use it:
http://php.net/manual/en/function.md5.php

other similar functions are: sha1 and hash ..and others..
0
 
merjasecCommented:
You must use one way encryption php function crypt.

http://php.net/manual/en/function.crypt.php


0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
Loganathan NatarajanLAMP DeveloperCommented:
best way is MD5 ...

$your_pwd = "sometext";

$encryped_password = md5($your_pwd);
0
 
m_walkerCommented:
You need to work out IF you need to be able to access the password in the clear or not.
if you are storing passwords to see if a remote users supplies the correct "logon" password then you do NOT need to get access to the clear text version.  If you do need the password in clear text, e.g. its to store all the passwords you use to logon to other sites or services/databases etc then you DO.

If you dont need the clear text version use a HASH as others have already said.
Note: MD5 is a HASH not an encryption.  Hashing is one way, encryption can be undone/decrypted.
MD5 is being replaced by the stronger sha.

If you need to encrypt then use something like AES, DES is old and considered weak and AES is faster then 3DES.

When hashing or encrypting, its best to salt the password some how.
A simple way to salt an MD5 hash is to cat the username to the password and hash.
eg: Username : Bob, Password : hello
HASH = md5 ("BobHello")
this way even if two passwords are the same in the database the hash/encrypted data will be different.  Why is this better, lets say my password as hello and I get access to the database, if no salt is used, then all password hash's that are the same as mine have the password hello.

On top of the storage of the passwords, if they are used for web access to a site, you need to consider how these passwords will go over the internet.  The simplest is via an SSL page, but you need an SSL Certificate for your site.
The next best is to use a srcipt to take the password the user keys in and create the hash in the same was as you used to store in the database, then hash again with a session salt (a one off salt).  When the password gets to your server, read the hash from the database, and hash again with the same session salt and see if the match.  This ensures that someone cant playback a logon session.


0
 
gtkfreakCommented:
Never encrypt the password and store it in the MySQL database field. Always store a hash of the password. From what I know, MD5 does have a vulnerability but you should be okay using SHA256. MD5 or SHA256 are hashing algorithms, and will always convert the password entered by the user into a one-way hash value that can never lead to the revelation of the password of the user. Using hash functions also gives you a safeguard that even administrators cannot decrypt or derive the password from the hash.
0
 
BraveheartliMarketingAuthor Commented:
thank you.
0
 
f_o_o_k_yCommented:
The best way to store password in databest, is to use md5 + salt.
It mean, that You have to genrate one, random word, and mix it with password.

$secret = 'ItIsMyHugeSecret-AndSomeSpecials!@#$%';

and store it in the script.

then generate md5:

$md5 = md5( $secret . $user_password );

and validate:

if( md5( $secret . $post_password ) == $md5 )
{
echo 'access ok';
}
else
{
echo 'access deny';
}
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now