password encode and decode ?

  • Jay

    password encode and decode ?

    Hi everybody !

    I've used the "crypt()" function in PHP to save password of a user
    logging in a web-based system. Based on a book that I've read (PHP
    advanced by Larry Ullman), there is no way that we can recover
    (decode) the password once it is encrypted.

    Is there any other ways that I can still encrypt a password, save it
    in the database and still able to see it later (instead of a string of
    junk) ?

    PS: the reason I am writing this question is because I like to write a
    feature that will e-mail the user his/her password to his/her e-mail
    if he/she doesn't remember the password to log in the system.

    Any help would be greatly appreciated !!!!

    Jay
  • Pedro Graca

    #2
    Re: password encode and decode ?

    Jay wrote:
    > Is there any other ways that I can still encrypt a password, save it
    > in the database and still able to see it later (instead of a string of
    > junk) ?
    >
    > PS: the reason I am writing this question is because I like to write a
    > feature that will e-mail the user his/her password to his/her e-mail
    > if he/she doesn't remember the password to log in the system.

    Instead of mailing the current password, create a new random password
    and save it encrypted to the database.

    When the user next logs on, he will be able to change the password to
    something s/he likes better.

    --
    USENET would be a better place if everybody read:
    http://www.catb.org/~esr/faqs/smart-questions.html
    http://www.netmeister.org/news/learn2quote2.html
    http://www.expita.com/nomime.html
    mail address is valid for "text/plain" to 10K bytes


    • Peter Taurins

      #3
      Re: password encode and decode ?

      If you can decrypt it, then what would be the point of encrypting it.

      If your user forgets their password, set a new one, send an email to the
      email address you have stored for them, request they login with the new
      password and change it.

      You can either send the new password in plain text or follow a link from the
      email which will auto log them in.


      "Jay" <artlover70@yahoo.com> wrote in message
      news:5668e569.0405022242.40eeb2d@posting.google.com...
      > Hi everybody !
      >
      > I've used the "crypt()" function in PHP to save password of a user
      > logging in a web-based system. Based on a book that I've read (PHP
      > advanced by Larry Ullman), there is no way that we can recover
      > (decode) the password once it is encrypted.
      >
      > Is there any other ways that I can still encrypt a password, save it
      > in the database and still able to see it later (instead of a string of
      > junk) ?
      >
      > PS: the reason I am writing this question is because I like to write a
      > feature that will e-mail the user his/her password to his/her e-mail
      > if he/she doesn't remember the password to log in the system.
      >
      > Any help would be greatly appreciated !!!!
      >
      > Jay



      • Tony Marston

        #4
        Re: password encode and decode ?

        If you want details of a reversible encryption routine for PHP then take a
        look at http://www.tonymarston.net/php-mysql/encryption.html.

        --
        Tony Marston

        This is Tony Marston's web site, containing personal information plus pages devoted to the Uniface 4GL development language, XML and XSL, PHP and MySQL, and a bit of COBOL



        "Jay" <artlover70@yahoo.com> wrote in message
        news:5668e569.0405022242.40eeb2d@posting.google.com...
        > Hi everybody !
        >
        > I've used the "crypt()" function in PHP to save password of a user
        > logging in a web-based system. Based on a book that I've read (PHP
        > advanced by Larry Ullman), there is no way that we can recover
        > (decode) the password once it is encrypted.
        >
        > Is there any other ways that I can still encrypt a password, save it
        > in the database and still able to see it later (instead of a string of
        > junk) ?
        >
        > PS: the reason I am writing this question is because I like to write a
        > feature that will e-mail the user his/her password to his/her e-mail
        > if he/she doesn't remember the password to log in the system.
        >
        > Any help would be greatly appreciated !!!!
        >
        > Jay



        • Jay

          #5
          Re: password encode and decode ?

          Thanks for everybody's help !!!

          I got the idea !

          Jay


          • Mr Mint

            #6
            Re: password encode and decode ?

            Just to say... If you guys really want to learn about programming from a
            'real' programmer please visit the Tony Marston site.

            Thanks a lot Tony

            "Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message
            news:c754vp$pqr$1$8302bc10@news.demon.co.uk...
            > If you want details of a reversible encryption routine for PHP then take a
            > look at http://www.tonymarston.net/php-mysql/encryption.html.
            >
            > --
            > Tony Marston
            >
            > http://www.tonymarston.net
            >
            >
            > "Jay" <artlover70@yahoo.com> wrote in message
            > news:5668e569.0405022242.40eeb2d@posting.google.com...
            > > Hi everybody !
            > >
            > > I've used the "crypt()" function in PHP to save password of a user
            > > logging in a web-based system. Based on a book that I've read (PHP
            > > advanced by Larry Ullman), there is no way that we can recover
            > > (decode) the password once it is encrypted.
            > >
            > > Is there any other ways that I can still encrypt a password, save it
            > > in the database and still able to see it later (instead of a string of
            > > junk) ?
            > >
            > > PS: the reason I am writing this question is because I like to write a
            > > feature that will e-mail the user his/her password to his/her e-mail
            > > if he/she doesn't remember the password to log in the system.
            > >
            > > Any help would be greatly appreciated !!!!
            > >
            > > Jay
            >
            >



            • R. Rajesh Jeba Anbiah

              #7
              Re: password encode and decode ?

              Pedro Graca <hexkid@hotpop.com> wrote in message news:<c7513h$ibgeb$1@ID-203069.news.uni-berlin.de>...
              > Jay wrote:

              <snip>

              > Instead of mailing the current password, create a new random password
              > and save it encrypted to the database.

              I vouch Pedro and it is the good practice. If the passwords can be
              decrypted, you _may_ not be able to get privacy certifications for
              example <http://www.truste.org/>

              --
              | Just another PHP saint |
              Email: rrjanbiah-at-Y!com


              • Tony Marston

                #8
                Re: password encode and decode ?

                You are missing the point. These passwords are encrypted when being written
                to the database and have nothing to do with encrypting passwords between the
                client browser and the server. As both the database and PHP are server-side,
                not client-side, it does not matter what encryption algorithm it uses, or if
                it offers a decryption routine. These passwords are only visible to people
                who have access to the database on the server, but if these passwords are
                encrypted then that is an extra level of security at the server end.

                --
                Tony Marston





                "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in message
                news:abc4d8b8.0405032232.3758e345@posting.google.com...
                > Pedro Graca <hexkid@hotpop.com> wrote in message
                > news:<c7513h$ibgeb$1@ID-203069.news.uni-berlin.de>...
                > > Jay wrote:
                >
                > <snip>
                >
                > > Instead of mailing the current password, create a new random password
                > > and save it encrypted to the database.
                >
                > I vouch Pedro and it is the good practice. If the passwords can be
                > decrypted, you _may_ not be able to get privacy certifications for
                > example <http://www.truste.org/>
                >
                > --
                > | Just another PHP saint |
                > Email: rrjanbiah-at-Y!com



                • R. Rajesh Jeba Anbiah

                  #9
                  Re: password encode and decode ?

                  [Top-post fixed]

                  "Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message news:<c77ggf$8kq$1$8302bc10@news.demon.co.uk>...
                  > "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in message
                  > news:abc4d8b8.0405032232.3758e345@posting.google.com...
                  > > I vouch Pedro and it is the good practice. If the passwords can be
                  > > decrypted, you _may_ not be able to get privacy certifications for
                  > > example <http://www.truste.org/>
                  > >
                  > You are missing the point. These passwords are encrypted when being written
                  > to the database and have nothing to do with encrypting passwords between the
                  > client browser and the server. As both the database and PHP are server-side,
                  > not client-side, it does not matter what encryption algorithm it uses, or if
                  > it offers a decryption routine. These passwords are only visible to people
                  > who have access to the database on the server, but if these passwords are
                  > encrypted then that is an extra level of security at the server end.

                  I was talking about the privacy and the right practice... If the
                  encrypted password that is stored in db can be decrypted by the site
                  admin, you lose your privacy. For the right privacy requirement, your
                  password should not be accessible/decrypted *even* by the site admin.

                  --
                  | Just another PHP saint |
                  Email: rrjanbiah-at-Y!com


                  • Daniel Tryba

                    #10
                    Re: password encode and decode ?

                    Tony Marston <tony@nospam.demon.co.uk> wrote:
                    > You are missing the point. These passwords are encrypted when being
                    > written to the database and have nothing to do with encrypting
                    > passwords between the client browser and the server. As both the
                    > database and PHP are server-side, not client-side, it does not matter
                    > what encryption algorithm it uses, or if it offers a decryption
                    > routine.

                    This is not what the OP was asking about. He was clearly asking how to
                    decrypt a password in order to send it by email to a user.

                    > These passwords are only visible to people who
                    > have access to the database on the server, but if these passwords are
                    > encrypted then that is an extra level of security at the server end.

                    Sending a decrypted password to users adds extra vulnerabilities, a user
                    might have the same password on other systems. So if someone can fool
                    the application to send the old password it's potentially more dangerous
                    than sending a new random password.

                    --

                    Daniel Tryba
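
The flow several replies recommend (keep the stored password one-way hashed and let the user set a new one through an e-mailed link, instead of decrypting and mailing the old password), sketched in PHP as an added example that is not code from any poster in this thread. The in-memory `$users` array, the function names and the one-hour lifetime are assumptions; `password_hash()` is used here as the current wrapper around the one-way `crypt()` approach.

```php
<?php
declare(strict_types=1);
// Added example; all names and values below are hypothetical.
const RESET_TTL = 3600; // seconds a reset link stays valid (assumed policy)

// In-memory stand-in for the users table (constructed sample data).
$users = ['jay@example.test' => [
    'pw_hash'       => password_hash('old-secret', PASSWORD_DEFAULT),
    'reset_hash'    => null,
    'reset_expires' => 0,
]];

// Step 1: the user asks for a reset. Only a hash of the token is stored,
// so reading the database does not yield a usable reset link.
function startReset(array &$users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null; // caller shows the same message whether or not the account exists
    }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash']    = hash('sha256', $token);
    $users[$email]['reset_expires'] = $now + RESET_TTL;
    return $token; // goes into the e-mailed link, never into the database
}

// Step 2: the user follows the link and chooses a new password.
function finishReset(array &$users, string $email, string $token, string $newPw, int $now): bool
{
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || $now > $u['reset_expires']) {
        return false; // unknown account, no pending reset, or link expired
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison of the token hashes failed
    }
    $users[$email]['pw_hash']    = password_hash($newPw, PASSWORD_DEFAULT);
    $users[$email]['reset_hash'] = null; // single use: the link cannot be replayed
    return true;
}

$now   = time();
$token = startReset($users, 'jay@example.test', $now);
var_dump(finishReset($users, 'jay@example.test', $token, 'new-secret', $now + 60));
var_dump(finishReset($users, 'jay@example.test', $token, 'again', $now + 120)); // replay attempt
var_dump(password_verify('new-secret', $users['jay@example.test']['pw_hash']));
var_dump(password_verify('old-secret', $users['jay@example.test']['pw_hash']));
```

The old password is never recovered or transmitted at any point, which is the property the thread argues for.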
