?
Solved

How should I safely store a password in MySQL database?

Posted on 2011-03-25
8
Medium Priority
?
417 Views
Last Modified: 2012-05-11
Dear Experts,
I use PHP.
How should I safely store a password in MySQL database?
How should I insert a password into MySQL database?
thank you
0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 10

Expert Comment

by:aboo_s
ID: 35213275
You should first encrypt it and then isert it into the database!
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 200 total points
ID: 35213338
for the encryption there are a lot of functions in php, one of wich is md5.
md5($pwd)

here is a page with full explanation on how to use it:
http://php.net/manual/en/function.md5.php

other similar functions are: sha1 and hash ..and others..
0
 
LVL 1

Expert Comment

by:merjasec
ID: 35213372
You must use one way encryption php function crypt.

http://php.net/manual/en/function.crypt.php


0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 200 total points
ID: 35213483
best way is MD5 ...

$your_pwd = "sometext";

$encryped_password = md5($your_pwd);
0
 
LVL 4

Accepted Solution

by:
m_walker earned 800 total points
ID: 35213536
You need to work out IF you need to be able to access the password in the clear or not.
if you are storing passwords to see if a remote users supplies the correct "logon" password then you do NOT need to get access to the clear text version.  If you do need the password in clear text, e.g. its to store all the passwords you use to logon to other sites or services/databases etc then you DO.

If you dont need the clear text version use a HASH as others have already said.
Note: MD5 is a HASH not an encryption.  Hashing is one way, encryption can be undone/decrypted.
MD5 is being replaced by the stronger sha.

If you need to encrypt then use something like AES, DES is old and considered weak and AES is faster then 3DES.

When hashing or encrypting, its best to salt the password some how.
A simple way to salt an MD5 hash is to cat the username to the password and hash.
eg: Username : Bob, Password : hello
HASH = md5 ("BobHello")
this way even if two passwords are the same in the database the hash/encrypted data will be different.  Why is this better, lets say my password as hello and I get access to the database, if no salt is used, then all password hash's that are the same as mine have the password hello.

On top of the storage of the passwords, if they are used for web access to a site, you need to consider how these passwords will go over the internet.  The simplest is via an SSL page, but you need an SSL Certificate for your site.
The next best is to use a srcipt to take the password the user keys in and create the hash in the same was as you used to store in the database, then hash again with a session salt (a one off salt).  When the password gets to your server, read the hash from the database, and hash again with the same session salt and see if the match.  This ensures that someone cant playback a logon session.


0
 
LVL 9

Assisted Solution

by:gtkfreak
gtkfreak earned 800 total points
ID: 35225556
Never encrypt the password and store it in the MySQL database field. Always store a hash of the password. From what I know, MD5 does have a vulnerability but you should be okay using SHA256. MD5 or SHA256 are hashing algorithms, and will always convert the password entered by the user into a one-way hash value that can never lead to the revelation of the password of the user. Using hash functions also gives you a safeguard that even administrators cannot decrypt or derive the password from the hash.
0
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 35230482
thank you.
0
 
LVL 11

Expert Comment

by:f_o_o_k_y
ID: 35230691
The best way to store password in databest, is to use md5 + salt.
It mean, that You have to genrate one, random word, and mix it with password.

$secret = 'ItIsMyHugeSecret-AndSomeSpecials!@#$%';

and store it in the script.

then generate md5:

$md5 = md5( $secret . $user_password );

and validate:

if( md5( $secret . $post_password ) == $md5 )
{
echo 'access ok';
}
else
{
echo 'access deny';
}
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
In this blog post, we’ll look at how ClickHouse performs in a general analytical workload using the star schema benchmark test.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question