How can I secure passwords saved in a MySQL database? Hash?

I have a form where people register and their info (including username and password) is saved in the database. Some of my friends told me to save the hash of the password, not the password itself, to protect against any hack attempt if the hacker got access to the database. Is that effective? If the hacker got access to the database, he can simply generate the hash of a new password and save it in the database, right?
And, using the hash makes it not easy to recover the password! How can I give the users the ability to recover passwords?

PHP

5 Comment(s)

@MrCoder Jun 25.2007 — You should look at using MD5 with SALT. You never let them recover their password; just issue them a new one via e-mail or some other form of secure delivery.

You use a hash on a password to protect the users from having their passwords stolen, not to protect your database from being hacked.

@mesh2005 (author) Jun 26.2007 — Thank you for your reply. I just don't understand what is meant by protecting their password from being stolen. How is that going to happen if the database was not hacked?
@bluestars Jun 28.2007 — Alright. If the database is compromised -- hacked -- (or you peek), plaintext (unhashed) passwords can be seen by everyone. Hashed passwords, however, are one way. It's literally impossible to take the hashed form of the password and change it back into the plain English form.

So, hashing won't stop anyone from breaking in -- it'll stop them from stealing user passwords, which is good for the users.

If they have access to the DB, they can change the passwords, but they won't get them, which makes users feel good. People use the same password on more than one site, so they don't like it when they get stolen.

I know in particular, AOL keeps the passwords in plaintext (or in reversible encryption). When you use their forgotten password function, they send you your password.

That function is actually supposed to generate a new random password and email it to the user.
@MrCoder Jun 29.2007 — "It's literally impossible to take the hashed form of the password and change it back into the plain English form."

Never heard of rainbow tables?

That's why you use salt.

@bluestars Jun 29.2007 — That's a lookup. You're not converting it back, you're comparing them to see if it matches. Just like guessing a ton of passwords.

That said, he's right. There's no such thing as "impossible".
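The point both replies are making, shown concretely: a precomputed table maps a hash back to the password only when everyone's hash of "letmein" is the same, and a per-user random salt is what breaks that. This is an added example, not code from the thread; the four-entry wordlist is constructed for the demonstration (a real table holds billions of entries), and plain MD5 is used only because that is the hash the thread discusses, a slow password hash is the better choice in practice.

```python
import hashlib
import os

# Constructed wordlist standing in for a real precomputed (rainbow) table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def build_lookup_table(words):
    # Precomputed once, then reused against every unsalted hash that ever leaks:
    # hash -> password.  Work is done before the breach, not after it.
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def unsalted_md5(password: str) -> str:
    # Every user with this password gets the identical stored value.
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    # Salt is random per user and stored next to the hash; it does not need
    # to be secret, it only needs to be different for each user.
    return hashlib.md5(salt + password.encode()).hexdigest()


def lookup(table, stored_hash: str):
    # Returns the password when the stored hash is in the table, else None.
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print(lookup(table, unsalted_md5("letmein")))                 # found
    print(lookup(table, salted_md5("letmein", os.urandom(16))))   # None
```

With salts, a table would have to be rebuilt for every salt value, which is the same cost as guessing each user's password from scratch; that is what "comparing them to see if it matches" amounts to.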