hey there,
i’d like some opinions on how to securely store and read passwords on an sql database. right now i’m just storing the hash of the password using md5, then if i want to compare the passwords its just hashing the user’s input password and comparing it to the one stored on the db. any other methods?
chris
use either md5() or the crypt() function than store the crypted or md5() in the db. ( better to use mysql instead of sql ( sql not that secure if you really want to have the best )
than when checking the pass / user agains that crypted or md5 use something like this.
$query = "SELECT * FROM users WHERE uname='$username' AND passwd=MD5('$password')";
same for the crypt
if you mean MS SQL, mySQL is not as feature rich and powerful as MS SQL. You won’t find enterprise level companies using mySQL.
Security is only as good as the person administrating it. There is nothing wrong with MS SQL (other than it is owned by Microsoft 
).
Probably the weakest link is when the user connects to the server via the browser. The rest is happening server-side. If you have an SSL or shared SSL connection then use it for the login page.
MD5 provides good security. Of course, in theory it’s possible to decrypt an MD5 hash, but that’s strictly in theory (I think some dude found a collision a while ago, made Slashdot)
what about user information such as their telephone numbers, address, and others, this is just plain text in a database? the weakest link then is the database, someone could break in and get the user information.
a scenario: i log in, pull out my info from a database. someone could be sniffing packs while the info is being sent to me, whats the best way to encrypt that data? i have a feeling its SSL.
chris
Nothing stopping you from encrypting that info as well. In order for them to access your database they would have to get into your server and either log in (if they figure out your database password) or copy the database from the /var directory, if it’s there and the hosting company isn’t bright enough to limit user access to the system. So your weakest link isn’t going to be the server, unless you have a weak server OR the host doesn’t jail the shared server well.
a scenario: i log in, pull out my info from a database. someone could be sniffing packs while the info is being sent to me, whats the best way to encrypt that data? i have a feeling its SSL.
chris
Like I just mentioned before, use an SSL cert for you login page, because really that is the weakest link. You can encrypt all you want, but it still gets sent in plain text from your browser to the server. Hopefully your host has a shared SSL cert or you can spend the $100+ and get a legitimate one. (Don’t settle for a $25 cert as it’s a bout as useful as a free shared one)
ok thanks marble, im gonna have to look into enc/decrypt functions and ssl
chris
md5 is an encryption algorithm. So using a hash and md5 is pretty hard to crack.
md5 is a hashing algorithm, a one way function. its no good to me if i can’t decrypt an md5 hashed information, such as their street address or telephone number, based only on their username/password.
however i can use those as keys using another encryption/decryption method, like those in the mcrypt library.
chris
Well… I remember trying to using a tool that I have downloaded from the google search result a while ago to test how easy/hard it is to decrypt the string that was encrypted with MD5… It ran 6 character password for 10 minutes or something… Well… The result was correct one though… 
:-/
:: Copyright KIRUPA 2024 //--