MySQL: Storing Passwords in MySQL 
An interesting write up on MySQL’s encryption possibilities. I have to admit it - I’ve been using PASSWORD() to encrypt my passwords and found out I shouldn’t be. Guess I need to stop that and try out the other possibilities presented here.
He goes over SHA1, MD5, AES and briefly, at the end, touches on DES.
August 23rd, 2006 at 1:29 pm
I used to use PASSWORD() but recently have been using MD5. I’ve been trying to move away from MD5 because if people store weak passwords, someone armed with the hash could just go to an MD5 reverse lookup table and there’s a good chance that person will then have your password. So SHA1 has been the alternative, but AES is actually a new one to me and definitely something that I need to look into. Thanks for pointing it out.
August 25th, 2006 at 1:56 am
(mostly @Nick)
Not that I really read the article, but you need to keep in mind that AES/DES/3DES are encryption and not hashing. SHA1/MD5 are hashes. Encryption can be reversed (via a key), hashing cannot - hashing is more secure in that respect.
Personally, I just use hashing (SHA1 password stored with an MD5 salt). If a user needs their password back, they can reset it.. I’m not sending them their password (i.e. decrypting and sending..).
So, just to clear up my method - I don’t know if it’s best practice or even advised, but what I do is..
1. Create an MD5 hash of..something ‘random’ (can be simply just time() if you want) as a salt.
2. Create a SHA1 hash of the password concatenated with the MD5 salt.
3. Store the SHA1 and MD5 hashes in the database.
The benefit of this technique is that two users with the same password will have different password hashes thanks to the salt. It’s a little bit more tedious to code and slightly more expensive to perform, but I think it’s worth it!
Hell, if you’re super paranoid, you can append your own ‘key’ string to the end of the string that is hashed by SHA1.. I find keys pretty pointless though (hence my dislike for AES/DES/3DES) in PHP apps especially. Each to their own, I guess!
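The three-step scheme in this comment, as an added Python example that is not part of the original post or the linked article: a dict stands in for the users table, the salt's random input is os.urandom rather than time() (an assumption), and a verify_password step is added to show the stored salt being reused at login.

```python
import hashlib
import hmac
import os


def make_salt() -> str:
    # Step 1: MD5 of "something random" as the salt. The comment suggests
    # time(); os.urandom is assumed here so the salt is unpredictable.
    return hashlib.md5(os.urandom(16)).hexdigest()


def hash_password(password: str, salt: str) -> str:
    # Step 2: SHA1 of the password concatenated with the MD5 salt.
    # The MySQL-side equivalent would be SHA1(CONCAT(password, salt)).
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def store_user(db: dict, username: str, password: str) -> tuple:
    # Step 3: store both the SHA1 hash and the MD5 salt for the user.
    # The dict stands in for a users table with pw_hash and pw_salt columns.
    salt = make_salt()
    digest = hash_password(password, salt)
    db[username] = {"pw_hash": digest, "pw_salt": salt}
    return digest, salt


def verify_password(db: dict, username: str, candidate: str) -> bool:
    # Login check: rehash the candidate with the user's stored salt and
    # compare in constant time against the stored SHA1 hash.
    row = db.get(username)
    if row is None:
        return False
    expected = hash_password(candidate, row["pw_salt"])
    return hmac.compare_digest(expected, row["pw_hash"])


if __name__ == "__main__":
    users = {}
    # Constructed sample: two users choosing the same password.
    h_alice, _ = store_user(users, "alice", "hunter2")
    h_bob, _ = store_user(users, "bob", "hunter2")
    print("same password, different hashes:", h_alice != h_bob)
    print("alice login ok:", verify_password(users, "alice", "hunter2"))
    print("alice wrong pw:", verify_password(users, "alice", "Hunter2"))
```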
August 25th, 2006 at 1:57 am
Aha P.S. Who is Nick? Never mind me.. I need more sleep I think.