visitor (0 QPoints)
  • FR
  • EN
  • NL
  • DE
  • ES
315 experts, 1193 registered users, 1659 questions already answered
European Experts Exchange, the very best site for high-quality IT solutions

New Improved Search!

 


05/10/2011 1h30 : Steve Jobs is dead, the father of Apple ][ is gone, we are all orphaned.

Databases :: MySql :: Question regarding the storing of passwords
By: lwinkenb U.S.A.  Date: 05/09/2003 00:00:00  English  Points: 100 Status: Answered
Quality : Excellent
Im still a little new to mysql, and I have a question regarding passwords.

Basically I have a table that contains two columns - one of a username and one of a password.
username VARCHAR(25)
password VARCHAR(25)

I have decided that I dont want to store the passwords in plain text on the database, I want to store them encrypted somehow. How do I do this, and how do I check to see if the plain text password matches the encrypted one?
By: VGR Date: 06/09/2003 00:59:00 English  Type : Answer
use the standard PASSWORD() function to store and test the user-input clear-text pasword the same.

this performs just a digest (MD5) but is enough usually

so :

insert into yourtable values('theusername',PASSWORD('thepassword'));

and to validate a login :

SELECT * FROM yourtable WHERE username='theusername' and password=PASSWORD('thepassword');


ok?
By: Squibi Date: 06/09/2003 11:02:00 English  Type : Assist
Using the PASSWORD function will not be future-proof.

Quoted from the MySQL reference manual (<A HREF="http://www.mysql.com/doc/en/Password_hashing.html">http://www.mysql.com/doc/en/Password_hashing.html</a>):

"An upgrade to MySQL 4.1 can cause a compatibility issue for applications that use PASSWORD() to generate passwords for their own purposes. (Applications really should not do this, because PASSWORD() should be used only to manage passwords for MySQL accounts. But some applications use PASSWORD() for their own purposes anyway.) If you upgrade to 4.1 and run the server under conditions where it generates long password hashes, an application that uses PASSWORD() for its own passwords will break."

As such, it is better to use the MD5() or SHA1() functions in place of the PASSWORD() function in VGR's example above.

Regards,
By: lwinkenb Date: 06/09/2003 12:11:00 English  Type : Comment
Thanks for the help guys.
By: VGR Date: 07/09/2003 05:00:00 English  Type : Comment
I didn't know this

I don't see why using MD5() is better, because PASSWORD() IS A MD5 DIGEST
By: Squibi Date: 07/09/2003 05:41:00 English  Type : Comment
PASSWORD() has been changed in 4.1 (see the link I provided) and does not produce the same hash if used twice on the same string, therefore using it in an authentication scheme will cause it to fail under 4.1+ The hash is also quite a bit wider in 4.1+

In any case, stop using PASSWORD() except for MySQL internal password purposes.
By: VGR Date: 07/09/2003 18:08:00 English  Type : Comment
that's 99,99% the case already. I'm no fool :D I design my own encryption mechanisms for my own applications

exactly to escape those "that function has been changed in version blah-bla-blah" :D
By: VGR Date: 07/09/2003 18:10:00 English  Type : Comment
BTW, I don't see the point in this :

password hashes in the new format always begin with a `*' character, whereas passwords in the old format never do

as distinguishing the two formats could have been done on the length of the hash (16 versus 40), I don't see the point in adding a fixed character in the heading of the "new hashes" to make it 41 long

anybody's ideas ?
By: Squibi Date: 07/09/2003 18:11:00 English  Type : Comment
Hehe, good point. I guess you could argue that it is faster to read the first character of a string rather than get the length.
By: VGR Date: 07/09/2003 18:18:00 English  Type : Comment
reading a byte (index 0) or getting the length is exactly the same when using Pascal-style strings (ie, 255 characters max in length), so-called "short strings" in Delphi :D

anyway, there's no point in argueing on this. People using a 4.1+ server will need a 4.1+ client, full dot.

Do register to be able to answer

©2010 These pages are served without commercial sponsorship. (No popup ads, etc...). Bandwidth abuse increases hosting cost forcing sponsorship or shutdown. This server aggressively defends against automated copying for any reason including offline viewing, duplication, etc... Please respect this requirement and DO NOT RIP THIS SITE.
Please DO link to this page! Post to Twitter Post to Plurk Post to Yahoo Buzz Post to Delicious Post to Digg Post to Facebook Post to MySpace Post to Ping.fm Post to Reddit Post to StumbleUpon

EContact
browser fav
page generated in 297.044040 milliseconds

Why Google AdSense ads ?
compteur
 Ranking-Hits PageRank for this page