Recommended method for passwords

  • David Jackson

    Recommended method for passwords

    Howdy, what's the recommended (and most direct) way to handle
    encrypted passwords?

    1. DB specific password statements (i.e. MySQL PASSWORD()).
    2. PHP md4 or mcrypt?

    What about type and size for encrypted password fields?

    I've seen some posts that suggested binary storage, and applications
    that used a text field type for username and password?

    TIA,
    David
  • Reply via newsgroup

    #2
    Re: Recommended method for passwords

    David Jackson wrote:
    > Howdy, what's the recommended (and most direct) way to handle
    > encrypted passwords?
    >
    > 1. DB specific password statements (i.e. MySQL PASSWORD()).
    > 2. PHP md4 or mcrypt?
    >
    > What about type and size for encrypted password fields?
    >
    > I've seen some posts that suggested binary storage, and applications
    > that used a text field type for username and password?
    >
    > TIA,
    > David

    I used md5() which gives a 32-char fixed length string, though now I use
    sha1() instead (it gives a 40-character fixed length).

    I have also created a function to hash the user's password with a word
    that I've hardcoded into the script; for example

    <?php
    // Hash the user's password together with a word hard-coded in the script.
    function makeHash($string)
    {
        $ourHash = sha1(strtolower("secret$string"));
        return $ourHash;
    }

    $testHash = "one two three four";
    $ourHash = makeHash($testHash);
    ?>

    I store the hash - they are (I believe) near impossible to reverse...
    Then, to check if a user has supplied a correct password, I re-hash it
    and compare it against whatever I had stored in my database.

    Does that make sense?

    randelld
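
As an added example (not randelld's code, nor anyone else's in this thread) to go with the approach above: the post's scheme, a fixed word prepended to the password and run through sha1(), placed next to PHP's built-in password_hash()/password_verify(), which salt every hash individually. The function names, variable names and sample passwords are constructed for this demonstration; it assumes PHP 7 or later for the password functions.

```php
<?php
// Added example, not code from the thread: the "hard-coded word + sha1()"
// scheme compared with password_hash(). All names and sample values here
// are constructed for the demonstration.

// The scheme from the post: one secret word shared by every account.
function legacyHash(string $password, string $secretWord = 'secret'): string
{
    // strtolower() folds case, so "Passw0rd" and "passw0rd" hash the same:
    // the stored value accepts more passwords than the user chose.
    return sha1(strtolower($secretWord . $password));
}

// Verify against a stored legacy hash. hash_equals() compares in constant
// time, so the check does not stop early at the first differing byte.
function legacyVerify(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, legacyHash($password));
}

// Modern equivalent: password_hash() draws a random salt per call and
// embeds it, with the algorithm and cost, in the returned string.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modernVerify(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Two users who happen to choose the same password.
$alice = 'correct horse battery staple';
$bob   = 'correct horse battery staple';

// Legacy: identical input gives identical stored values, so a leaked table
// shows which accounts share a password.
$legacyA = legacyHash($alice);
$legacyB = legacyHash($bob);
var_dump($legacyA === $legacyB);

// Modern: different salts give different stored values, yet both verify.
$modernA = modernHash($alice);
$modernB = modernHash($bob);
var_dump($modernA === $modernB);
var_dump(modernVerify($alice, $modernA));
var_dump(modernVerify($bob, $modernB));

// The legacy scheme's case folding accepts a differently-cased password;
// the salted hash does not.
var_dump(legacyVerify('CORRECT HORSE BATTERY STAPLE', $legacyA));
var_dump(modernVerify('CORRECT HORSE BATTERY STAPLE', $modernA));
```

The comparison makes two points. With one word shared by every account, equal passwords produce equal stored values, and the hard-coded word protects nothing once the script itself is readable, whereas password_hash() keeps a random per-user salt inside each result. Separately, hash_equals() is the right way to compare a stored hash with a freshly computed one, and strtolower() should not be applied to passwords at all, because it silently shrinks the set of distinct passwords.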


    • David Jackson

      #3
      Re: Recommended method for passwords

      > I used md5() which gives a 32-char fixed length string, though now I use
      > sha1() instead (it gives a 40-character fixed length).
      >
      > I have also created a function to hash the user's password with a word
      > that I've hardcoded into the script; for example
      >
      > <?
      > function makeHash($string)
      > { $ourHash=sha1(strtolower("secret$string"));
      > return ("$ourHash") ;
      > }
      >
      > $testHash="one two three four";
      > $ourHash=makeHash($testHash);
      > ?>
      >
      > I store the hash - they are (I believe) near impossible to reverse...
      > Then, to check if a user has supplied a correct password, I re-hash it
      > and compare it against whatever I had stored in my database.
      >
      > Does that make sense?
      >
      > randelld
      randelld --
      Thanks for your reply.
      Would it be too much to ask for a complete example?

      TIA,
      David


      • Chung Leong

        #4
        Re: Recommended method for passwords

        Storing it in a DB-specific format limits the portability of your app. I
        myself use md5() and store it into a varchar(32).

        Remember, password encryption, for the most part, isn't a measure against
        outer hackers. It's a measure against yourself and your co-workers. So
        unless you work with John Nash, almost any method should suffice--perhaps
        even a humble crc32.

        "David Jackson" <trashcan@mustardandrelish.com> wrote in message
        news:58bcf8ad.0402202234.37c314d8@posting.google.com...
        > Howdy, what's the recommended (and most direct) way to handle
        > encrypted passwords?
        >
        > 1. DB specific password statements (i.e. MySQL PASSWORD()).
        > 2. PHP md4 or mcrypt?
        >
        > What about type and size for encrypted password fields?
        >
        > I've seen some posts that suggested binary storage, and applications
        > that used a text field type for username and password?
        >
        > TIA,
        > David


        • Dan Tripp

          #5
          Re: Recommended method for passwords

          Chung Leong wrote:
          > Storing it in a DB-specific format limits the portability of your app. I
          > myself use md5() and store it into a varchar(32).

          Howdy!

          Question: if you're storing md5 hashes they're always going to be a
          fixed length... so why not store 'em as a char(32) instead of
          varchar(32)? Granted, the performance increase wouldn't necessarily be
          earth-shattering... =)

          Regards,

          - Dan


          • Reply via newsgroup

            #6
            Re: Recommended method for passwords

            David Jackson wrote:
            >>I used md5() which gives a 32-char fixed length string, though now I use
            >>sha1() instead (it gives a 40-character fixed length).
            >>
            >>I have also created a function to hash the user's password with a word
            >>that I've hardcoded into the script; for example
            >>
            >><?
            >>function makeHash($string)
            >>{ $ourHash=sha1(strtolower("secret$string"));
            >> return ("$ourHash") ;
            >>}
            >>
            >> $testHash="one two three four";
            >> $ourHash=makeHash($testHash);
            >>?>
            >>
            >>I store the hash - they are (I believe) near impossible to reverse...
            >>Then, to check if a user has supplied a correct password, I re-hash it
            >>and compare it against whatever I had stored in my database.
            >>
            >>Does that make sense?
            >>
            >>randelld
            >
            > randelld --
            > Thanks for your reply.
            > Would it be too much to ask for a complete example?
            >
            > TIA,
            > David

            I don't know what area you're stuck at. Are you familiar with MySQL?
            Are you able to INSERT (write) and SELECT (read) data from a database?
            If you're not so sure on the database side of things, then I'll have to
            create some code to help you create a table, then perform an insert (to
            write the username/passwords), and the code to verify and change passwords.

            I might try this later, but I don't want to do it unless I'm really sure
            I know what it is you want when you ask for a 'complete example'.

            randelld
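
Here is the kind of complete example David asked for: create the table, insert a user, verify a login and change a password. It is added here and was not written by randelld or anyone in the thread. It assumes PHP 7.4 or later with the PDO SQLite driver so that it runs without a database server (swapping the DSN for a MySQL one leaves the rest unchanged); the table, column and account names are constructed. It also answers the column-type question from #4 and #5 for salted hashes: password_hash() currently returns 60 characters for bcrypt, but the PHP manual recommends a 255-character column so that a future default algorithm still fits, and since the length varies by algorithm a fixed-width char column is not appropriate.

```php
<?php
// Added example, not code from the thread: register / log in / change-password
// flow against a users table. SQLite in memory via PDO; all names constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      VARCHAR(64)  NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL
)');

// Registration: store only the hash, never the password itself.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch the stored hash and let password_verify() do the comparison.
// The caller gets the same false for an unknown user and a wrong password,
// so the login page has no reason to word the two cases differently.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If the stored hash was made with an older algorithm or cost, replace it
    // now, while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Password change: require the current password before accepting a new one.
function changePassword(PDO $db, string $username, string $current, string $new): bool
{
    if (!checkLogin($db, $username, $current)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
    $stmt->execute([':h' => password_hash($new, PASSWORD_DEFAULT), ':u' => $username]);
    return true;
}

// Walk through the flow with a constructed account.
registerUser($db, 'david', 'one two three four');
var_dump(checkLogin($db, 'david', 'one two three four'));   // correct password
var_dump(checkLogin($db, 'david', 'one two three'));        // wrong password
var_dump(checkLogin($db, 'nobody', 'one two three four'));  // unknown user
var_dump(changePassword($db, 'david', 'wrong', 'new pass'));              // refused
var_dump(changePassword($db, 'david', 'one two three four', 'new pass')); // accepted
var_dump(checkLogin($db, 'david', 'new pass'));
```

Every query goes through a prepared statement with bound parameters, so the username never becomes part of the SQL text, and the password itself is never written anywhere. The rehash step in checkLogin() is how an existing table of md5() or sha1() values can be migrated over time without forcing a reset: verify with the old function once, then store a password_hash() result.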


            • Wayne Pierce

              #7
              Re: Recommended method for passwords

              "Chung Leong" <chernyshevsky@hotmail.com> wrote in message news:<sqWdncY3yZT9-qrdRVn-sA@comcast.com>...
              > Storing it in a DB-specific format limits the portability of your app. I
              > myself use md5() and store it into a varchar(32).
              >
              > Remember, password encryption, for the most part, isn't a measure against
              > outer hackers. It's a measure against yourself and your co-workers. So
              > unless you work with John Nash, almost any method should suffice--perhaps
              > even a humble crc32.

              I know of at least one company I deal with where an account was
              compromised for the support staff. This account allowed anyone to
              view any table in the database, unfortunately they had clear text
              passwords.

              ...then again, I also encrypt almost all of the data in my database
              individually using 3DES; I generally don't want to know what people
              are entering.

              /s/ WP
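
An added example, not WP's code, of the per-field encryption the post describes. The post used 3DES; this uses AES-256-GCM through PHP's OpenSSL extension instead, which is an authenticated cipher: every value gets a fresh random nonce, and the authentication tag is stored beside the ciphertext so that a modified or mis-keyed value is rejected rather than decrypted to garbage. The function names are constructed, and the key is generated inside the script only for the demonstration; a real deployment loads it from outside the database (a file, the environment or a key service), never from the table it protects.

```php
<?php
// Added example, not code from the thread: AES-256-GCM field encryption
// in place of the 3DES mentioned in the post. Names are constructed.

const FIELD_CIPHER = 'aes-256-gcm';

function encryptField(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);   // 96-bit GCM nonce, unique for every value
    $tag   = '';
    $ciphertext = openssl_encrypt($plaintext, FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store nonce, tag and ciphertext together as one base64 column value.
    return base64_encode($nonce . $tag . $ciphertext);
}

// Returns null when the value is malformed, was encrypted under another key,
// or has been altered since it was written.
function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $nonce      = substr($raw, 0, 12);
    $tag        = substr($raw, 12, 16);
    $ciphertext = substr($raw, 28);
    $plaintext  = openssl_decrypt($ciphertext, FIELD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $plaintext === false ? null : $plaintext;
}

$key    = random_bytes(32);              // constructed for this run only
$stored = encryptField('555-0100', $key); // a constructed phone number
var_dump(decryptField($stored, $key));

// Flip one bit of the stored value: the tag check fails and null comes back.
$tampered = base64_decode($stored, true);
$last     = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
var_dump(decryptField(base64_encode($tampered), $key));

// A different key likewise yields null rather than a wrong plaintext.
var_dump(decryptField($stored, random_bytes(32)));
```

Two design points worth keeping in mind: the nonce must never repeat under the same key, which random_bytes(12) per value achieves in practice, and encrypted columns cannot be searched or indexed by their plaintext, so decide per field whether it needs to be looked up or only stored.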


              • dave

                #8
                Re: Recommended method for passwords

                Hello,
                Also interested in this topic. I'd like to authenticate users against a
                file and not a database. I've tried an apache-generated htpasswd and
                htdigest file, but haven't got anywhere. If your example could work with
                this I would be very interested in it.
                Thanks.
                Dave.
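
Since Dave asked about file-based authentication, here is an added example (not Dave's or randelld's code) that checks a username and password against Apache htpasswd and htdigest files. The file contents are constructed inside the script; in practice they come from `htpasswd -B` (bcrypt lines beginning `$2y$`), `htpasswd -s` (`{SHA}` followed by the base64 of the raw SHA-1) and `htdigest` (`user:realm:HA1` where HA1 is md5 of `user:realm:password`). The function names are constructed, PHP 8 is assumed for str_starts_with()/str_contains(), and the `$apr1$` MD5 variant that older htpasswd versions write is deliberately not handled, so such lines fail closed.

```php
<?php
// Added example, not code from the thread: verifying credentials against
// htpasswd and htdigest files. File contents and names are constructed.

// Parse "user:hash" lines into an array keyed by username.
function loadHtpasswd(string $contents): array
{
    $users = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || !str_contains($line, ':')) {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

// Verify one password against the two hash formats this example supports.
function htpasswdVerify(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    if (str_starts_with($stored, '$2y$')) {
        return password_verify($password, $stored);   // bcrypt, from htpasswd -B
    }
    if (str_starts_with($stored, '{SHA}')) {
        $candidate = '{SHA}' . base64_encode(sha1($password, true));
        return hash_equals($stored, $candidate);       // constant-time compare
    }
    return false;   // unsupported format (e.g. $apr1$, crypt): fail closed
}

// htdigest lines are "user:realm:HA1" with HA1 = md5("user:realm:password").
function loadHtdigest(string $contents): array
{
    $entries = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || substr_count($line, ':') < 2) {
            continue;
        }
        [$user, $realm, $ha1] = explode(':', $line, 3);
        $entries["$user:$realm"] = $ha1;
    }
    return $entries;
}

function htdigestVerify(array $entries, string $username, string $realm, string $password): bool
{
    $key = "$username:$realm";
    if (!isset($entries[$key])) {
        return false;
    }
    return hash_equals($entries[$key], md5("$username:$realm:$password"));
}

// Constructed files. The entries are built here with the same functions the
// Apache tools use for these formats, so the script runs stand-alone.
$htpasswd = "# constructed sample\n"
    . 'alice:' . password_hash('alice-pass', PASSWORD_BCRYPT) . "\n"
    . 'bob:{SHA}' . base64_encode(sha1('bob-pass', true)) . "\n";
$htdigest = 'carol:Private Area:' . md5('carol:Private Area:carol-pass') . "\n";

$users   = loadHtpasswd($htpasswd);
$entries = loadHtdigest($htdigest);

var_dump(htpasswdVerify($users, 'alice', 'alice-pass'));
var_dump(htpasswdVerify($users, 'bob', 'bob-pass'));
var_dump(htpasswdVerify($users, 'bob', 'wrong'));
var_dump(htdigestVerify($entries, 'carol', 'Private Area', 'carol-pass'));
var_dump(htdigestVerify($entries, 'carol', 'Other', 'carol-pass'));
```

To use it with real files, replace the constructed strings with file_get_contents() on a file that lives outside the web root. Of the formats shown, only the bcrypt lines are slow to brute-force; the {SHA} form and the htdigest HA1 are single unsalted hashes, which is why `htpasswd -B` is the recommended way to create new entries.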
