  1. #1
     midnight coder (Join Date: Dec 2000; Location: The flat edge of the world; Posts: 838)
    I have a simple register and post msgs script.

    People sign up, and I add them to MySQL like:

    Code:
    // $user, $pass and $email are interpolated unescaped: a quote in any of them changes the query
    $sql = mysql_query("INSERT INTO rave (user, pass, email) VALUES ('$user', PASSWORD('$pass'), '$email')");
    And when they want to login, I check their user and pass like:

    Code:
    // same unescaped interpolation as the INSERT above; PASSWORD() hashes the submitted value before comparing
    $sql = mysql_query("SELECT * FROM rave WHERE user='$user' AND pass=PASSWORD('$pass')");
    Obviously, when I look at the db, all the passwords are scrambled. So, if a user forgot his password, what do I do?

  2. #2
     KMxRetro, "Feel my RewiredMind" (Join Date: Jan 2001; Location: Exeter, Devon, UK; Posts: 477)
    How are the passwords scrambled?

    Looking at your queries, the passwords should be in plain text. I would recommend finding how the passwords are scrambled, reverse it, and put it into a new script so that you can find out passwords in the future.

  3. #3
     midnight coder (Join Date: Dec 2000; Location: The flat edge of the world; Posts: 838)
    The passwords are scrambled by this:

    PASSWORD('$pass')

    The PASSWORD() is the thing that scrambles the variable. I have no idea how it scrambles it, or reverse it.

  4. #4
     johnn, SitePoint Wizard (Join Date: Mar 2001; Location: Southern California, USA; Posts: 1,181)
    You could use a random function to generate a new password and send it to him by using the email the user provides.

    john

  5. #5
     freakysid, Callithumpian silver trophy (Join Date: Jun 2000; Location: Sydney, Australia; Posts: 3,798)
    hehe - this sent me off to the manual. It appears that PASSWORD() encryption is non-reversible. http://www.mysql.com/doc/M/i/Miscell...functions.html There are other functions discussed there that use the UNIX crypt() function that are decodable.

    You are going to have to assign the user another password and insert that into their record in the table.

  6. #6
     Dumb PHP codin' cat (Join Date: Aug 2000; Location: San Diego, CA; Posts: 5,460)
    Freakysid is correct, MySQL passwords created using the password() function in MySQL are not reversible, and another password will need to be issued. It's a security thing.
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  7. #7
     midnight coder (Join Date: Dec 2000; Location: The flat edge of the world; Posts: 838)
    Oh ok then, no prob, thanks for the help!

  8. #8
     DarkMonkey, SitePoint Zealot (Join Date: Apr 2001; Location: uk; Posts: 170)
    Why would you need to encrypt the passwords? Is this a secure site or something? I mean, I'd kinda understand if the password gave you access to their credit card info or something, in that case you wouldn't want anyone getting hold of the pass, but otherwise?

  9. #9
     midnight coder (Join Date: Dec 2000; Location: The flat edge of the world; Posts: 838)
    People don't like it when passwords are stored in plain text which the Admin (me) can read, since most people have a single password for everything.

  10. #10
     DarkMonkey, SitePoint Zealot (Join Date: Apr 2001; Location: uk; Posts: 170)
    Yeah, however you're not going to do anything with them; in fact, if you have the ethics to encrypt on your readers' wishes, then you have the ethics not to look at their passes, surely.

  11. #11
     midnight coder (Join Date: Dec 2000; Location: The flat edge of the world; Posts: 838)
    But what happens if a cracker finds a security hole in MySQL and gains access to the db?

    At worst, the cracker would delete the db (which I back up).

    Users appreciate all the security features they get.

  12. #12
     nguip, SitePoint Enthusiast (Join Date: Apr 2001; Location: Malaysia; Posts: 95)
    I'm not sure how secure this encryption is.. but does the user actually know.. on which website their password is being encrypted?

    I mean, how is the user actually certain of their password being encrypted? Some websites do store passwords in plain text.

    Personally I don't really know how many sites that I'm registered on.. are actually practising this encryption method.

    Does anyone have an idea ?
    Ngu I.P.
    Web Developer

  13. #13
     Skunk, SitePoint Columnist (Join Date: Jan 2001; Location: Lawrence, Kansas; Posts: 2,066)
    Sites don't tend to say if they store your password in an encrypted way or not - most users don't care too much about the inner workings of the site as long as their password isn't about to be handed out to whoever wants it.

    Encrypting a user's password for storage is the ethical way of doing it, and also helps avoid embarrassment if a hacker breaks in and gets to your password data. Example: I used to use the same password for all of my forum accounts (I'm registered on a lot of forums). One of the forums I was using got hacked, and the entire username/password list (stored in plain text) was taken by a script kiddie / cracker. He handed it round to a load of his mates, one of whom was a poster on another of the forums I visit. He then posted a message using my account saying "Ooops I've got Skunk's Password" - I changed my password straight away.

    I was lucky that this guy is someone I know and wasn't out to cause any damage - the forums in question were the gameplay forums where I am an administrator! As a result the guy could have used my password to log into the control panel and do all kinds of damage to the forums.

    I have since adopted a much safer password policy of having several different passwords at different security levels - I only use the top-level security one on sites that I'm 100% confident I can trust.

  14. #14
     nguip, SitePoint Enthusiast (Join Date: Apr 2001; Location: Malaysia; Posts: 95)
    ic ...

    Thanks for your input skunk..

    I think it's a good idea to apply different passwords for different security levels.

    Well, initially I thought there was no point in implementing password encryption simply because the users don't actually care about this... but it looks like it's a wise thing to do here, mainly because of ethics and to avoid embarrassing situations ...

    Anyway thanks a lot.
    Ngu I.P.
    Web Developer

  15. #15
     SitePoint Enthusiast (Join Date: Jul 2000; Posts: 32)
    Hi Robo,

    I've just read your post and I have the following comments:

    I have several sites where visitors must choose a username and password to register. I always save the passwords as plain text. A simple script can be made that will retrieve the members lost password using their e-mail address.

    In your case, someone wrote that you can make a script that will generate a new password for the users when they've lost their password. I assume that the only input for the script is the e-mail address. But the disadvantage of this is that anyone can change the password of other members just by filling in the e-mail address of someone else in the script. Imagine you have a service where the e-mail addresses of all members are visible (like a forum): do you realize the damage that can be done?

    I believe that if you have a members database, you should have the ethics not to look at their passwords.
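
The two technical points the thread settles on are (a) post #5/#6: a one-way hash like PASSWORD() cannot be reversed, so a forgotten password has to be replaced rather than recovered, and (b) post #15: a reset that fires on nothing but an e-mail address lets anyone reset anyone. The following is an added example, not code from any poster, written in Python rather than PHP so the logic stands on its own: passwords are stored as salted PBKDF2 hashes, and a reset request only mails a random single-use, expiring token (of which only a hash is kept in the table); the password changes only when that token is presented. The `USERS` dictionary and `OUTBOX` list are constructed stand-ins for the poster's `rave` table and for sending mail.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # seconds a reset token stays valid


def hash_password(password: str) -> str:
    """One-way and salted: returns 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = secrets.token_bytes(16)              # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record, bad hex, non-numeric iteration count
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed in-memory stand-in for the thread's `rave` table (user, pass, email)
# plus the two columns a reset flow needs. Not the poster's schema.
USERS: Dict[str, dict] = {}
OUTBOX: list = []   # stands in for sending e-mail: (address, token) pairs


def register(user: str, password: str, email: str) -> None:
    USERS[user] = {"pass": hash_password(password), "email": email,
                   "reset_hash": None, "reset_expires": 0.0}


def login(user: str, password: str) -> bool:
    row = USERS.get(user)
    return row is not None and verify_password(password, row["pass"])


def request_reset(email: str, now: Optional[float] = None) -> None:
    """Step 1: anyone may call this with any address; it changes no password.
    The caller gets the same response whether or not the address is known,
    so the form cannot be used to probe for accounts."""
    now = time.time() if now is None else now
    for row in USERS.values():
        if row["email"] == email:
            token = secrets.token_urlsafe(32)                                # 256-bit, unguessable
            row["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()  # table holds only the hash
            row["reset_expires"] = now + RESET_TOKEN_TTL
            OUTBOX.append((email, token))     # the secret goes only to whoever reads that mailbox


def complete_reset(email: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the password changes only if the caller proves they received the mail."""
    now = time.time() if now is None else now
    for row in USERS.values():
        if row["email"] != email or row["reset_hash"] is None:
            continue
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > row["reset_expires"] or not hmac.compare_digest(presented, row["reset_hash"]):
            return False
        row["pass"] = hash_password(new_password)
        row["reset_hash"], row["reset_expires"] = None, 0.0   # single use
        return True
    return False


if __name__ == "__main__":
    register("robo", "correct horse", "robo@example.org")
    print(USERS["robo"]["pass"][:40] + "...")      # no plaintext anywhere in the row
    print(login("robo", "correct horse"))          # True
    print(login("robo", USERS["robo"]["pass"]))    # False: the stored value is not a usable password
    request_reset("robo@example.org")              # what an attacker who only knows the address can do
    print(login("robo", "correct horse"))          # True: nothing changed
    _, token = OUTBOX[-1]
    print(complete_reset("robo@example.org", "guess", "pwned"))   # False: wrong token
    print(complete_reset("robo@example.org", token, "new horse")) # True
    print(complete_reset("robo@example.org", token, "again"))     # False: token already used
```

Because only `sha256(token)` is stored, a copy of the table (the scenario in post #11) yields neither passwords nor usable reset tokens; the attacker would still need the mailbox. The PBKDF2 iteration count is a work factor and should be raised over time.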

  16. #16
     midnight coder (Join Date: Dec 2000; Location: The flat edge of the world; Posts: 838)
    Yes, I did realize that disadvantage, I just didn't post the updated situation. Thanks to freakysid's link, I'm now using a reversible password encryption, with a key file being outside the web directory. That way the passwords will still be encrypted, so when a cracker/script kiddie gets into the db, the passwords will not be exposed. Also, they won't be able to access the key file since it's outside the web directory, but I can still decrypt the password and email it back to the user.

