Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived General Discussion what is the industry standard when it comes to storing passwords?
what is the industry standard when it comes to storing passwords?
  • El Forum
    Guest
  •  
#1
10-14-2007, 02:31 PM

[eluser]Sally D[/eluser]
OK now I need to understand something what is the right way to store passwords in mysql

I did some searching and I came up with a concept called two way encryption where you would do some string manipulation with php and build a sercet key out of the username,lastname,birthdate or what ever and then use that key with the mysql function AES_ENCRYPT() and then store that in a blob field in a mysql database.

You can then retrieve the password with the mysql function AES_DECRYPT() using your secret key which is good because one of the down sides to doing md5($password) is that you can't retrieve it back if its lost or forgotten

There is one problem to the two way encryption method above, and it is that mysql has got to be configured with ssl support. I am not sure how to do that since. I want to start building something like right away I don't feel like modifying the server now.

so can you please tell me what the pro's do when they want to store a password in mysql thanks~
  • El Forum
    Guest
  •  
#2
10-14-2007, 02:39 PM

[eluser]dik_[/eluser]
Not sure about industry standards, but I think that md5-ing the password string, with a pinch of salt, should be OK.

For example, I know for a fact that IPB uses the following formula:

Code:
md5( md5($pass_salt) . md5($password) )

Hope that helps...
  • El Forum
    Guest
  •  
#3
10-14-2007, 03:24 PM

[eluser]Sally D[/eluser]
hey I tried this and it seems to be working

create table users (
uid int(11) not null auto_increment,
username varchar(20),
password blob,
date timestamp,
primary key (uid)
);

insert into users (uid,password) values ('raymondm',des_encrypt('mypassword','mysecretKey'));

and now to get my password unencrypted I so this

select uid,des_decrypt(password,'mysecretKey') from users;


hey this works is it good should I start building my php algorithm to build a secret key from the user data that gets submitted before the user registers


Thanks~ I am kinder having a little trouble understanding salt you put it on before storing the md5 string to make it more unique I am guessing
  • El Forum
    Guest
  •  
#4
10-14-2007, 04:45 PM

[eluser]danoph[/eluser]
I believe the industry standard is how dik_ explained, md5'ing the password with a pinch of salt. Why be liable for personal information if you don't have to!

With md5, you can't retrieve passwords, but this is how many companies do it. When you forget your password, you can go through a reset process, e-mailing the user a reset code, then when they click the link in their e-mail with the reset password, their password is reset to a temporary one.
  • El Forum
    Guest
  •  
#5
10-14-2007, 06:07 PM

[eluser]Sally D[/eluser]
I just have a few more questions before I really understand please thank you so far.

1) what is the salt made from is it just a random string that you generate and then concatenate the users pass word to it?

2) Do you store the salt in the users table?

3) And when the user goes to log in how do you concatenate the salt back onto the md5 encrypted password to get a match from the database to set a session for the user?

4) do you make the salt out of an algorithm like the 3rd letter of the users first name and the second digit of there birthday or something how can it be the same thing every time?
  • El Forum
    Guest
  •  
#6
10-14-2007, 06:31 PM

[eluser]dik_[/eluser]
Not sure what you mean in 3), but the salt can be any randomly generated string which is stored in the DB.
  • El Forum
    Guest
  •  
#7
10-14-2007, 10:22 PM

[eluser]Sally D[/eluser]
I got one question for all you Professionals out there using md5 for pass words and that is

AES_ENCRYPT() and AES_DECRYPT() were added in MySQL 4.0.2, and can be considered the most cryptographically secure encryption functions available in MySQL.

Why the hell you ain't using it then
  • El Forum
    Guest
  •  
#8
10-14-2007, 11:13 PM

[eluser]Michael Wales[/eluser]
I think SHA1 (the default option for the dohash() function within the Security helper is a growing standard for storing passwords (with a pinch of salt), just because it is less likely to cause a collision than MD5 is. Although, collision have already been found for SHA1...
  • El Forum
    Guest
  •  
#9
10-16-2007, 10:01 AM

[eluser]kgill[/eluser]
[quote author="Raymondm" date="1192440141"]I got one question for all you Professionals out there using md5 for pass words and that is

AES_ENCRYPT() and AES_DECRYPT() were added in MySQL 4.0.2, and can be considered the most cryptographically secure encryption functions available in MySQL.

Why the hell you ain't using it then[/quote]

Simple, if you can decrypt it so can anyone else, that encryption is only as secure as the key and if your code is decrypting passwords you're storing the key somewhere on your file system. So all any attacker needs to do is gain access to your system and you just handed them everyone's password. If you use a hash function like MD5 that password only goes one way and the attacker has to resort to brute force methods to take the hash and convert it back to a password, provided you've implemented decent password restrictions it's going to take a fair bit of work to find a match.

- K
  • El Forum
    Guest
  •  
#10
10-16-2007, 10:38 AM

[eluser]Michael Wales[/eluser]
See my post on handling forgotten passwords - it's slightly off topic but inherently covers a few topics that may be of interest.

For example, if you can send the user their password (ie. decrypt it), you are insecure and should rethink your storage logic.




Theme © iAndrew 2016 - Forum software by © MyBB