  1. #1
    SitePoint Wizard
    Join Date
    Apr 2000
    Posts
    1,483
    Hey all,

    I'm writing a user account script for my new site and am trying to encrypt users' passwords. I have two requirements for this; I hope they don't make it impossible:
    - I can't install anything extra on the server, e.g. Apache modules
    - I would like it to be easily decryptable so that I can have a "Lost Password" page that emails the password to the user

    Thanks in Advance!

  2. #2
    Dumb PHP codin' cat
    Join Date
    Aug 2000
    Location
    San Diego, CA
    Posts
    5,460
    How are you storing the passwords? MySQL? There really isn't a good way to do this but it would be secure enough to store the passwords in MySQL then just email the password to the email address on file and don't output it to the screen.

  3. #3
    aspen (Serial Publisher)
    Join Date
    Aug 1999
    Location
    East Lansing, MI USA
    Posts
    12,939
    You could write a really simple and generic encryption code.

    Basically you'd write a script that has a replacement for every letter in the alphabet, and numbers of course. And then you'd just parse and replace the pw before storing it in the DB (I'm assuming you want it encrypted because there is some sort of public access to the DB; I don't know why else you'd want it thus). Then when a password is requested it has to go back through the script in reverse order.

    Of course the problem with this is your script is open source and if someone can view it they can see how you're coding the PWs.

    <tangent>
    This is where Cold Fusion comes in handy. You can make a custom tag called <CF_PASSWORD PW = "attribute"> and then call it from your page and feed it the encrypted password and have it output an unencrypted one. And of course with Cold Fusion you can encrypt your scripts so no one would ever know what kind of encryption process you were using.
    </tangent>

    Chris

  4. #4
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    You could store the MD5 checksum of the password in the password field.

    Basically, the MD5 checksum is a unique set of characters generated for every unique password.

    No two MD5 strings will be the same, unless the original passwords were the same. And, there is no way to get back the original password.

    Read the mySQL manual for more info:
    Code:
    mysql> select MD5("testing");
            -> 'ae2b1fca515949e5d54fb22b8ed95575'
    
    There are other similar functions in mySQL that might interest you.
    This is not an encrypt/decrypt function, so you can't decrypt the password!

    If the user loses his password, you have to generate a NEW one and send it via email ON demand. This is actually a good thing!

    This solution should be language independent...

    Arpith
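
The store-a-hash, reset-on-loss flow from the post above, as an added example that is not part of the original thread. It swaps the bare MD5 for salted PBKDF2 from Python's hashlib, because an unsalted digest gives every account with the same password the same stored value; the function names, iteration count and sample accounts are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def make_record(password, salt=None):
    """Return the (salt, digest) pair to store instead of the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, record):
    """Recompute the digest with the stored salt; compare in constant time."""
    salt, expected = record
    _, actual = make_record(password, salt)
    return hmac.compare_digest(actual, expected)


def reset_password(users, name):
    """Lost-password flow: store the record of a fresh random password and
    return the plaintext once for emailing; the old one is never recovered."""
    new_password = secrets.token_urlsafe(12)
    users[name] = make_record(new_password)
    return new_password


def bare_md5(password):
    """The unsalted digest shown in the post, for comparison only."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    users = {"alice": make_record("testing"), "bob": make_record("testing")}
    print(bare_md5("testing"))             # one value for both accounts
    print(users["alice"] != users["bob"])  # salted records differ
    temp = reset_password(users, "alice")
    print(check_password(temp, users["alice"]))
    print(check_password("testing", users["alice"]))
```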

  5. #5
    Karl (SitePoint Wizard)
    Join Date
    Jul 1999
    Location
    Derbyshire, UK
    Posts
    4,411
    Try using the following MySQL functions:

    ENCODE( 'PASSWORD', 'ENCRYPTIONKEY' )

    and

    DECODE( 'ENCRYPTEDPASSWORD', 'ENCRYPTIONKEY' )

    They will allow you to retrieve the password if the user has forgotten it.

  6. #6
    SitePoint Wizard
    Join Date
    Apr 2000
    Posts
    1,483
    Thanks for your help, everyone. I'll try out some of your suggestions this evening and post back.

  7. #7
    SitePoint Wizard
    Join Date
    Apr 2000
    Posts
    1,483
    I decided to use the MD5 method...I couldn't make the encode() one work because there was an error about that being an invalid function.
    Thanks for your help everyone
    <Edited by James on 11-26-2000 at 04:15 AM>

