How should I safely store a password in MySQL database?

Posted on 2011-03-25
Last Modified: 2012-05-11
Dear Experts,
I use PHP.
How should I safely store a password in MySQL database?
How should I insert a password into MySQL database?
thank you
Question by Braveheartli
8 Comments

Expert Comment by aboo_s (LVL 10), ID: 35213275
You should first encrypt it and then insert it into the database!

Assisted Solution by aboo_s (LVL 10), earned 50 total points, ID: 35213338
For the encryption there are a lot of functions in PHP, one of which is md5.
md5($pwd)

here is a page with full explanation on how to use it:
http://php.net/manual/en/function.md5.php

Other similar functions are sha1 and hash, and others.

Expert Comment by merjasec (LVL 1), ID: 35213372
You must use the one-way encryption PHP function crypt.

http://php.net/manual/en/function.crypt.php

Assisted Solution by Loganathan Natarajan (LVL 36), earned 50 total points, ID: 35213483
best way is MD5 ...

$your_pwd = "sometext";

// md5() returns the 32-character hex digest of the input
$encrypted_password = md5($your_pwd);

Accepted Solution by m_walker (LVL 4), earned 200 total points, ID: 35213536
You need to work out IF you need to be able to access the password in the clear or not.
If you are storing passwords to see if a remote user supplies the correct "logon" password then you do NOT need to get access to the clear text version.  If you do need the password in clear text, e.g. it's to store all the passwords you use to logon to other sites or services/databases etc, then you DO.

If you don't need the clear text version use a HASH as others have already said.
Note: MD5 is a HASH not an encryption.  Hashing is one way, encryption can be undone/decrypted.
MD5 is being replaced by the stronger sha.

If you need to encrypt then use something like AES; DES is old and considered weak and AES is faster than 3DES.

When hashing or encrypting, it's best to salt the password somehow.
A simple way to salt an MD5 hash is to cat the username to the password and hash.
eg: Username : Bob, Password : hello
HASH = md5 ("BobHello")
This way even if two passwords are the same in the database the hash/encrypted data will be different.  Why is this better? Let's say my password is hello and I get access to the database; if no salt is used, then all password hashes that are the same as mine have the password hello.

On top of the storage of the passwords, if they are used for web access to a site, you need to consider how these passwords will go over the internet.  The simplest is via an SSL page, but you need an SSL Certificate for your site.
The next best is to use a script to take the password the user keys in and create the hash in the same way as you used to store in the database, then hash again with a session salt (a one off salt).  When the password gets to your server, read the hash from the database, and hash again with the same session salt and see if they match.  This ensures that someone can't play back a logon session.

Assisted Solution by gtkfreak (LVL 9), earned 200 total points, ID: 35225556
Never encrypt the password and store it in the MySQL database field. Always store a hash of the password. From what I know, MD5 does have a vulnerability but you should be okay using SHA256. MD5 or SHA256 are hashing algorithms, and will always convert the password entered by the user into a one-way hash value that can never lead to the revelation of the password of the user. Using hash functions also gives you a safeguard that even administrators cannot decrypt or derive the password from the hash.

Author Closing Comment by Braveheartli (LVL 1), ID: 35230482
thank you.

Expert Comment by f_o_o_k_y (LVL 11), ID: 35230691
The best way to store a password in a database is to use md5 + salt.
It means that you have to generate one random word and mix it with the password.

$secret = 'ItIsMyHugeSecret-AndSomeSpecials!@#$%';

and store it in the script.

then generate md5:

$md5 = md5( $secret . $user_password );

and validate:

// strict comparison (===): with == PHP compares numeric-looking strings as numbers
if( md5( $secret . $post_password ) === $md5 )
{
    echo 'access ok';
}
else
{
    echo 'access denied';
}
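Added example, not code posted by anyone in this thread: a PHP script that does what m_walker's accepted solution and f_o_o_k_y's comment describe (store a one-way hash, salt it so identical passwords give different rows, and at login recompute and compare) and also answers the question's second part, how to insert the value into the database. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate a random per-user salt and compare in constant time, instead of a hand-rolled md5 + secret, and a PDO prepared statement for the INSERT. The users table, its column names and the MySQL DSN are assumptions; so that it runs offline, the demonstration at the bottom uses an in-memory SQLite database through the same PDO calls.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. It follows the thread's advice
// (store a one-way hash, salt it, compare a recomputed hash at login) using
// password_hash()/password_verify(), which salt with random bytes per user
// and compare in constant time. Assumed schema: users(username, pw_hash).

const BCRYPT_OPTS = ['cost' => 12];

function open_db(): PDO
{
    // Assumed production connection (DSN and credentials are placeholders):
    // $db = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'appuser', 'db-password');
    // For an offline run the same PDO calls work against SQLite in memory:
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // A bcrypt hash is 60 chars; 255 leaves room for stronger algorithms later.
    $db->exec('CREATE TABLE users (
                   username VARCHAR(64)  PRIMARY KEY,
                   pw_hash  VARCHAR(255) NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() draws a fresh random salt per call and stores it inside
    // the returned string, so two users with the same password get different rows.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);

    // Prepared statement: values are bound, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login_ok(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: spend the same work as a real check so the response
        // time does not reveal which usernames exist.
        password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        return false;
    }

    // Re-derives the hash with the salt embedded in the stored value and
    // compares in constant time. Plain == on hashes is wrong: PHP compares
    // numeric-looking strings numerically.
    if (!password_verify($password, $row['pw_hash'])) {
        return false;
    }

    // Transparent upgrade when the stored hash uses an outdated cost or algorithm.
    if (password_needs_rehash($row['pw_hash'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $upd = $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u');
        $upd->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS),
            ':u' => $username,
        ]);
    }
    return true;
}

// Demonstration on constructed sample accounts (two users, same password).
$db = open_db();
register_user($db, 'bob',   'hello');
register_user($db, 'alice', 'hello');

$stored = $db->query('SELECT username, pw_hash FROM users')->fetchAll(PDO::FETCH_KEY_PAIR);
printf("same password, distinct stored rows: %s\n", $stored['bob'] !== $stored['alice'] ? 'yes' : 'no');
printf("bob / hello -> %s\n", login_ok($db, 'bob', 'hello') ? 'access ok' : 'access denied');
printf("bob / Hello -> %s\n", login_ok($db, 'bob', 'Hello') ? 'access ok' : 'access denied');
printf("eve / hello -> %s\n", login_ok($db, 'eve', 'hello') ? 'access ok' : 'access denied');
```

The stored value carries the algorithm, cost and salt, so no separate salt column or script-wide secret is needed, and raising the cost later is handled by the rehash branch at the next successful login. This covers storage and checking only; the transport concern m_walker raises (sending the password over the network) is still addressed by serving the login page over TLS.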