securing passwords…

Hi,
I am new to PHP. I am trying to create a user registration form, and I want to encrypt the password. My friend told me to use MD5(), but I don't know how to use it.
And how should I store the password in the database?

PHP

16 comments

@NogDog (May 24, 2006) — What database system are you using (e.g.: MySQL, MS SQL, Oracle, etc.)?
@jeny (author) (May 24, 2006) — Hi,

I am using MySQL.
@NogDog (May 24, 2006) — MySQL has a password() function you can use to do the encryption. When you store the password, the query might be something like:
[code=php]
// the $_POST values are interpolated straight into the SQL; escape them
// (mysql_real_escape_string) before running this query as written
$query = <<<EOD
INSERT INTO table_name (login, password)
VALUES ('{$_POST['login']}', PASSWORD('{$_POST['password']}'))
EOD;
[/code]

Then, when you want to validate a password from the login form:
[code=php]
// same caveat: escape the $_POST values before they reach the query string
$query = <<<EOD
SELECT * FROM table_name
WHERE login = '{$_POST['login']}' AND password = PASSWORD('{$_POST['password']}')
EOD;
[/code]
@jeny (author) (May 24, 2006) — Thanks,

Can you please tell me what the use of MD5() is?
@NogDog (May 24, 2006) — MD5 is a one-way encryption algorithm (essentially the same sort of thing that the PASSWORD function does in MySQL). If you wanted to use it instead, then you would encrypt the input password within your PHP script before inserting it into the database or querying it.
[code=php]
// md5() returns a 32-character hex string; that, not the raw password, is stored
$encryptedPassword = md5($_POST['password']);
$query = <<<EOD
INSERT INTO table_name (login, password)
VALUES ('{$_POST['login']}', '$encryptedPassword')
EOD;
[/code]
@jeny (author) (May 24, 2006) — Thanks. If I am going to use md5() to encrypt the password and store it in the database, my question is "how to decrypt this password?" if it needs to be decrypted...
@NogDog (May 24, 2006) — You cannot decrypt it, md5 is "one-way" encryption. (Actually, it creates a "hash" value from the supplied string, but don't worry about that.) What you do is use the same md5 function to encrypt the user's password when he logs in, then compare that to the already encrypted value in the database:
[code=php]
// hash the submitted password the same way it was hashed at registration
$encryptedPassword = md5($_POST['password']);
$login = $_POST['login']; // escape (mysql_real_escape_string) before interpolating into SQL
$query = "SELECT * FROM table_name WHERE login = '$login' AND password = '$encryptedPassword'";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result))
{
// found a match for login and password
}
else
{
// login/password combination is not in database
}
[/code]
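The same register-and-login flow as an added example (not NogDog's code), using PHP's password_hash()/password_verify() in place of md5() and a prepared statement in place of interpolated $_POST values. It runs against an in-memory SQLite database standing in for MySQL; the table and column names are assumptions.

```php
<?php
// Added example: register/login with password_hash() instead of md5(), and
// prepared statements instead of interpolating $_POST into the SQL string.
// In-memory SQLite stands in for MySQL so this runs stand-alone; replace the
// DSN with your MySQL one. Table/column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function registerUser(PDO $db, string $login, string $password): void
{
    // password_hash() picks a random salt per user and embeds it in the result
    // (60 characters for bcrypt; store in VARCHAR(255) to leave room for newer algorithms)
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (login, password_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

function checkLogin(PDO $db, string $login, string $password): bool
{
    // Look the row up by login only; the password is checked in PHP, not in
    // the WHERE clause, so the stored value never has to be reproducible from
    // the password alone the way an unsalted md5() value is.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown login
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed sample run
registerUser($db, 'jeny', 'correct horse battery');
var_dump(checkLogin($db, 'jeny', 'correct horse battery'));   // right password
var_dump(checkLogin($db, 'jeny', 'wrong password'));          // wrong password
// The quote in this login is plain data to the prepared statement, not SQL
var_dump(checkLogin($db, "jeny' OR '1'='1", 'anything'));
```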
@NogDog (May 24, 2006) — PS: make sure your password field is a 32-character varchar field, as that is the length of the string returned by the md5() function.
@jeny (author) (May 24, 2006) — I got more from your reply, but what I am asking is: "if the user forgets the password, the admin should send the password to him." In the admin panel I can take only the encrypted password from the database, not the original password. Then how will the admin send the password to the user?

Expecting more from you....
@jeny (author) (May 24, 2006) — Hi all,

Can anyone please help me to decrypt & display the encrypted password (using md5()) from the database....

Thanks in advance
@jonra (May 24, 2006) — [QUOTE=NogDog]PS: make sure your password field is a 32-character varchar field, as that is the length of the string returned by the md5() function.[/QUOTE]
haha - I've failed to do that before and spent an hour trying to figure out why my logins didn't work :p

[QUOTE=jeny]Hi all,

Can anyone please help me to decrypt & display the encrypted password (using md5()) from the database....

Thanks in advance[/QUOTE]

Jeny - Ok, I'll give you the method I use for this particular issue.

You can't decrypt any MD5() values, it's one-way only. So, you can send the password through it to originally enter it into the DB, and you can once again send the password through it (it being md5) to validate if the password is good... but, you can't display the original text-value that the password was.

There are 2 ways you can go about this.

1) If a user forgets a password, you can build them a 'reset password' form where you have them enter an email address into a form, validate that the email address matches, and send a new randomly generated password to their email account. Otherwise, you can give them the option to enter their own password - Simply validate the email address, send them a link to a 'create new password' form in their email, and run whatever they type into the 'new password' field through md5, and send it through to MySQL as an update.

2) Create a separate table in your DB storing only 2 values... The userID as a foreign key, and the original plain-text version of their password. When they (or you) set up a new user through your PHP form, simply take the original password they entered, and store it into the 'plainTable' (holding the plain text password), and then run it through md5 to store into the main user table. Then, when they (or you) need to know the password, you simply grab the userID and query the plainText table for the original value.

Option 2 obviously has some security risks, but honestly you're pretty safe IMO. The password itself is stored into a separate table, and is only associated to the user by that userID. Someone would really have to tear your app up with injection to find that value. I generally use method number 2.

Hope that helps.
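jonra's option 1 as an added example (not jonra's code): the reset token is random, only its hash is stored together with an expiry, and it is consumed on use. In-memory SQLite stands in for MySQL, sendMail() is a stand-in for a real mailer, and the table names and the URL are assumptions.

```php
<?php
// Added example of jonra's option 1: e-mail a one-time reset link rather than
// the password. Only a hash of the token is stored, with an expiry, so a copy
// of the table cannot be used to reset accounts. SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->exec("INSERT INTO users (email, password_hash) VALUES ('jeny@example.com', '')");

function sendMail(string $to, string $body): void
{
    echo "mail to $to: $body\n";   // stand-in for the real mailer
}

// Step 1: the user enters an e-mail address. Behave identically whether or
// not it is registered, so the form does not reveal which addresses exist.
function requestReset(PDO $db, string $email): void
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return;
    }
    $token = bin2hex(random_bytes(32));   // 64 hex chars; only the user ever sees this
    $stmt = $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:id, :hash, :exp)');
    $stmt->execute([':id' => $userId, ':hash' => hash('sha256', $token), ':exp' => time() + 3600]);
    sendMail($email, "https://example.com/new-password?token=$token");
}

// Step 2: the link is opened and a new password submitted. The token must hash
// to a stored, unexpired row; the row is then deleted so the link works once.
function completeReset(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = :hash AND expires_at > :now');
    $stmt->execute([':hash' => hash('sha256', $token), ':now' => time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false;   // unknown, expired, or already-used token
    }
    $db->prepare('DELETE FROM password_resets WHERE user_id = :id')->execute([':id' => $userId]);
    $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id')
       ->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $userId]);
    return true;
}

requestReset($db, 'jeny@example.com');     // prints the link; pass its token to completeReset()
requestReset($db, 'nobody@example.com');   // unknown address: same outward behaviour
```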
@jeny (author) (May 25, 2006) — Thank you jonra
@Baloo (Jun 07, 2006) — [QUOTE=NogDog]You cannot decrypt it, md5 is "one-way" encryption. (Actually, it creates a "hash" value from the supplied string, but don't worry about that.) What you do is use the same md5 function to encrypt the user's password when he logs in, then compare that to the already encrypted value in the database:
[code=php]
// hash the submitted password the same way it was hashed at registration
$encryptedPassword = md5($_POST['password']);
$login = $_POST['login']; // escape (mysql_real_escape_string) before interpolating into SQL
$query = "SELECT * FROM table_name WHERE login = '$login' AND password = '$encryptedPassword'";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result))
{
// found a match for login and password
}
else
{
// login/password combination is not in database
}
[/code]
[/QUOTE]

This is not directed against you NogDog, but just a question in general...

Why does everywhere say that md5 is "one-way" encryption, and can't be decrypted? A Google search a few days ago for something like "md5 encryption" gave me on the first page a link to an md5 decrypter, which wasn't the aim of the search but nevertheless it came up. I tried it and it works perfectly. I know I am just a n00b, and know very little about encryption, but I would just really like to know what people [i]actually[/i] mean when they say an md5 hash cannot be decrypted?? It just appears totally untrue to me.

Thank you

Baloo
@jonra (Jun 07, 2006) — [QUOTE=Baloo]This is not directed against you NogDog, but just a question in general...

Why does everywhere say that md5 is "one-way" encryption, and can't be decrypted? A Google search a few days ago for something like "md5 encryption" gave me on the first page a link to an md5 decrypter, which wasn't the aim of the search but nevertheless it came up. I tried it and it works perfectly. I know I am just a n00b, and know very little about encryption, but I would just really like to know what people [i]actually[/i] mean when they say an md5 hash cannot be decrypted?? It just appears totally untrue to me.

Thank you

Baloo[/QUOTE]

I generally assume 'can't be decrypted' means through normal means. There are always applications out there that will hack most encryption algorithms (hasn't SSL been cracked by now even?), but it's still pretty safe to use it. If you're looking at a login form, the decrypter probably doesn't help you at all - I think that a dictionary attack might have more of a chance if that were the case.
@felgall (Jun 07, 2006) — To make md5 passwords more secure from being broken you should use a "salt" with it. Just add a fixed (but unknown to your users) text string to the front, end, or both of their password before passing it to the md5 function. That way the encrypted value will bear no relationship to the original password.
@MrCoder (Jun 08, 2006) — You unlock an MD5 hash using a key (password). The password is not stored in the MD5, hence it cannot be reversed.

Some (all?) MD5s may contain multiple unlock keys just because of the way MD5 works.

For example, "password" may unlock the same MD5 hash as "iudhfohdsoihbfoui" even though the chances of this are stupidly remote.

Look up rainbow tables.
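Why felgall's salt matters, and what the rainbow-table lookup MrCoder points at means, as an added example (not from any poster): a constructed four-entry table of md5() values stands in for a real precomputed table, and the salt values are constructed.

```php
<?php
// Added example: why a salt helps against precomputed (rainbow/dictionary)
// tables of md5() values. The four-entry $lookup table is constructed and
// stands in for a real precomputed table; the salts are constructed too.
$lookup = [];
foreach (['password', 'letmein', '123456', 'qwerty'] as $word) {
    $lookup[md5($word)] = $word;
}

// Plain md5(): the stored value depends only on the password, so it can be
// looked up, and two users with the same password share one hash.
function storePlain(string $password): string
{
    return md5($password);
}

// felgall's fixed site-wide salt: stored values no longer match a generic
// table, but equal passwords still give equal hashes, and one table built
// with the salt covers every user.
function storeFixedSalt(string $password): string
{
    $siteSalt = 'constructed-site-salt';   // keep it out of the database
    return md5($siteSalt . $password . $siteSalt);
}

// Per-user random salt stored next to the hash: a table would have to be
// built per user, and equal passwords no longer look equal. password_hash()
// does this with a deliberately slow hash and is the current PHP way.
function storeUserSalt(string $password): string
{
    $salt = bin2hex(random_bytes(8));
    return $salt . ':' . md5($salt . $password);
}

function verifyUserSalt(string $password, string $stored): bool
{
    [$salt, $hash] = explode(':', $stored, 2);
    return hash_equals($hash, md5($salt . $password));   // constant-time compare
}

$plain = storePlain('password');
echo isset($lookup[$plain]) ? "plain md5 found in table: {$lookup[$plain]}\n" : "plain md5: not found\n";
$fixed = storeFixedSalt('password');
echo isset($lookup[$fixed]) ? "fixed-salt md5 found\n" : "fixed-salt md5: not in table\n";
echo storeFixedSalt('password') === storeFixedSalt('password') ? "fixed salt: equal passwords give equal hashes\n" : "\n";
echo storeUserSalt('password') === storeUserSalt('password') ? "per-user: same\n" : "per-user salted hashes differ\n";
var_dump(verifyUserSalt('password', storeUserSalt('password')));
```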