Post by sparrowhawk on Aug 31, 2004 13:57:02 GMT
A question for the other PHP/MySQL'ers out there. At the moment, passwords in MU are held in a plain text field. So somebody could access them relatively easily I suppose/fear.
Ideally, I'd like to encrypt the password so that neither a hacker nor myself for that matter can look at the value in the database and see what it is.
The MySQL function PASSWORD() does a one-way hash encryption, and this is where I am stuck. How do I handle the comparison of the encrypted value with the plain text value passed in by the user? Is another way better than PASSWORD() ?
I know zipadeedooda about encryption, so a Dummy's Guide type approach is best, I should think!
Freiegeister
Morkin Member
'Blasphemy is a victimless crime' - Dawkins
Posts: 1,126
Post by Freiegeister on Aug 31, 2004 20:24:32 GMT
A question for the other PHP/MySQL'ers out there. At the moment, passwords in MU are held in a plain text field. So somebody could access them relatively easily I suppose/fear. Ideally, I'd like to encrypt the password so that neither a hacker nor myself for that matter can look at the value in the database and see what it is. The MySQL function PASSWORD() does a one-way hash encryption, and this is where I am stuck. How do I handle the comparison of the encrypted value with the plain text value passed in by the user? Is another way better than PASSWORD() ? I know zipadeedooda about encryption, so a Dummy's Guide type approach is best, I should think!

PASSWORD should be quite sufficient, as is any one way encryption scheme. The usual technique (not sure if this is the case with PASSWORD) is to encrypt the plain text value using the encrypted password as the salt, and then compare the two values.
Post by sparrowhawk on Sept 1, 2004 7:17:14 GMT
So in pseudo-code, assuming that:
"$plainPW" is the plain text password, and "$encryptedPW" is the encrypted one (via PASSWORD() )
Would it be:
if encrypt($plainPW, $encryptedPW) = $encryptedPW then OK else NOT OK
where the encrypt() function takes 2 parameters: 1 = plain text 2 = salt
Something like that?
Freiegeister
Morkin Member
'Blasphemy is a victimless crime' - Dawkins
Posts: 1,126
Post by Freiegeister on Sept 1, 2004 20:34:46 GMT
So in pseudo-code, assuming that: "$plainPW" is the plain text password, and "$encryptedPW" is the encrypted one (via PASSWORD() ) Would it be: if encrypt($plainPW, $encryptedPW) = $encryptedPW then OK else NOT OK
where the encrypt() function takes 2 parameters: 1 = plain text 2 = salt Something like that?

Correct, and you could use the encrypt function without the salt to initially encrypt the password as well. Are the two functions compatible?
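The two steps discussed in this thread, the initial "encrypt without a salt" when the password is stored and the "re-encrypt with the stored salt and compare" check at login, written out as an added Python example that is not from the original posts; it uses the standard library's PBKDF2 as the one-way function, and the iteration count, salt length and `salt$hash` storage layout are assumptions for the example rather than anything MySQL's PASSWORD() does (which stores an unsalted hash).

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a random 16-byte salt and a slow,
# iterated hash. Both make stolen hashes much harder to reverse than an
# unsalted single hash of the password.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_hash(plain_pw: str, salt: Optional[bytes] = None) -> str:
    """Produce the value to store in the password column: 'salt$hash' in hex.

    This is the initial step from the thread: with no salt supplied, a fresh
    random one is generated, so two users with the same password end up with
    different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", plain_pw.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(plain_pw: str, stored: str) -> bool:
    """The comparison step: recover the salt from the stored value, re-hash the
    submitted password with it, and compare the result to what is stored.

    hmac.compare_digest runs in constant time, so the comparison itself does
    not reveal how many leading characters matched.
    """
    try:
        salt_hex, _ = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed stored value: never treat it as a match
    return hmac.compare_digest(make_hash(plain_pw, salt), stored)


if __name__ == "__main__":
    # Constructed sample: what would be written to the database on signup,
    # then two login attempts checked against it.
    stored = make_hash("correct horse")
    print(stored)
    print(verify("correct horse", stored))  # True
    print(verify("wrong horse", stored))    # False
```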