I have read about using MySQL AES_ENCRYPT/AES_DECRYPT (two-way encryption) is less secure than using PHP - hash() (one-way encryption).
Is it true that it is more secure that ‘Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.’?
And on top of that, if I am using MySQL AES_ENCRYPT/AES_DECRYPT (which I quite keen on…), how do I define the key which can be accepted by MySQL? for instance, is the length of the key important? or can I simple use ‘123123@123123’ as my key?
“one-way encryption” is not encryption, just FYI. Furthermore, it is not automatically “secure” it is only as secure as what you feed it. For example lookup “Rainbow Tables”. You will want to read the various details, starting here: http://en.wikipedia.org/wiki/Cryptographic_hash_function and branching off to more credited sources.
And the key you use for AES is very important. With a strong key decrypting AES without it is near impossible for anyone without access to every computer in the world.
One-way encryption (hashing) is much more secure. If you use a good hashing algorithm (one for which no collisions have been found yet), retrieving the original value is all but impossible. This means that if your database has been compromised, the passwords of all your users are still safe. If the value can be decrypted, it is only a matter of time before the passwords are available to the attacker.
