Thread: **** passwords

  1. #1
    nick0161 (SitePoint Evangelist)

    **** passwords

    Does anyone know how to make data in a MySQL table appear as ****?
    Cos I store users' passwords in a table, and they just appear as they write them.

    Or do they just have to bear the fact that I know their passwords?


    thanks


    ----
    nick
    ----

  2. #2
    redemption (SitePoint Wizard)
    You should encode the passwords before storing them into your MySQL table. The MySQL PASSWORD() function does that, but I'd suggest you use something like md5 to hash the passwords (see http://php.net/md5). This way, when you try to match passwords, you always have to pass it through md5 first.

    Let me know if any of this doesn't make sense to you.

  3. #3
    asp.da (SitePoint Enthusiast)
    By the way, make sure that you have a long enough field to store the encrypted passwords in the database - the hash code produced by those functions (especially MD5) is much longer than the original passwords.

    I spent a couple of unpleasant hours recently trying to find out why my authentication code didn't work, until I found that the result of PASSWORD() was being truncated when put into my narrow column.

    And, redemption, why do you think md5 is better? More reliable?

    With MySQL you can use the MD5() function just the same way you use PASSWORD().

  4. #4
    SitePoint Enthusiast
    PASSWORD encrypts the password (and can be decrypted again) while md5 is a one-way hash, meaning that the password can't be decrypted again. To check your password against the password stored in the database you then have to md5 the input and compare it to the stored password.

    (I hope this sentence was at least half-way English. Sorry, it's early *g* )

  5. #5
    asp.da (SitePoint Enthusiast)
    Yeah, but as much as I've read about PASSWORD(), it is also a one-way hash, i.e. it cannot be decrypted. And it produces a significantly shorter code than MD5(), which might matter if you've got thousands of records in the database...

  6. #6
    SitePoint Enthusiast
    Oops, sorry, mistook it for the ENCRYPT function.

  7. #7
    stereofrog (SitePoint Wizard)
    There are several issues with PASSWORD() (see http://dev.mysql.com/doc/mysql/en/Password_hashing.html). Generally, PASSWORD() is for MySQL internal use only; application authors should use md5() or sha().

    As to field size, it's not a problem unless you have really huge tables.

  8. #8
    redemption (SitePoint Wizard)
    Yes, stereofrog is right. There is also the issue of pre-4.1.x and 4.1.x compatibility, since the hashing mechanism has changed for PASSWORD().

    Also, on the issue of field sizes, md5 hashes are either 16 or 32 characters wide, so just set your field size to that.
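
An added example, not code from any poster in this thread: the store-a-hash, compare-at-login flow discussed above, showing that a hash cut off by a too-narrow column (the failure in post #3) rejects even the correct password. It uses PHP's password_hash()/password_verify() rather than the md5() suggested in the thread, and simulates the table column with substr() so it runs without a database. The function names, column widths and sample password are assumptions; PHP 7 or later is assumed for the type declarations.

```php
<?php
// Added example: simulated "password" column, no database needed.
// store_in_column() mimics a CHAR/VARCHAR column that silently cuts
// off values longer than its declared width (the failure in post #3).
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Registration: only the one-way hash is kept, never the plain text.
function register(string $password, int $columnWidth): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted hash
    return store_in_column($hash, $columnWidth);
}

// Login: the submitted password is hashed again with the parameters
// embedded in the stored value, and the two results are compared.
function login(string $submitted, string $stored): bool
{
    return password_verify($submitted, $stored);
}

// Guard to run before deployment: does the column hold a full hash?
function column_fits(int $columnWidth): bool
{
    $sample = password_hash('width-probe', PASSWORD_DEFAULT);
    return strlen($sample) <= $columnWidth;
}

$password = 'correct horse battery staple'; // constructed sample input

$intact    = register($password, 255); // wide column: hash stored whole
$truncated = register($password, 32);  // narrow column: hash cut off

var_dump(login($password, $intact));      // right password, whole hash
var_dump(login('wrong guess', $intact));  // wrong password
var_dump(login($password, $truncated));   // right password, cut-off hash
var_dump(column_fits(255), column_fits(32));
```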

