How to encrypt/decrypt passwords using MySQL & Perl

     

navdeeptalwar

8:29 am on Jul 14, 2003 (gmt 0)


I had saved the passwords which the user had entered on registration in MySQL using the password() function of MySQL. But I am not able to compare it when the user tries to log on.
Are there any other methods of encrypting and decrypting values at server side?

9:47 am on July 14, 2003 (gmt 0)


Hi and welcome to WW,

Rather than encrypting and decrypting you probably just want to store the encrypted version. When someone logs on, encrypt their password using the same function and compare the encrypted string to the one you have in your DB.

Cheers

9:49 am on July 14, 2003 (gmt 0)


hi navdeeptalwar, welcome to webmasterworld [webmasterworld.com].

it's always a good thing to take a look in the manual first:

PASSWORD() encryption is non-reversible. PASSWORD() does not perform password encryption in the same way that Unix passwords are encrypted. See ENCRYPT(). Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should NOT use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC-2195 for more information about handling passwords and authentication securely in your application.

nevertheless i found an example [weberdev.weberdev.com] of someone who is using this function for password verification.

- hakre.

6:50 am on July 19, 2003 (gmt 0)


Welcome to Webmaster World!

To be frank - you do not want to decrypt a password. Even if you had a working solution, it would greatly harm your security.

Instead, follow Robber's suggestion.

The crypt function would work really well. The following solution uses the first two letters of the password as salt. Finally, it only returns the last 11 characters (since the first two are the salt as plain text):

$cryptpwd = substr(crypt($pwd,substr($pwd,0,2)),2);

Now, store this value in your database. When someone logs in, simply encrypt the password the same way and compare it to the database value.
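
The hash-and-compare login check described in this thread, as an added example that is not code from any of the posters: it uses Perl's built-in crypt() with a random per-user salt that stays inside the stored string, next to the one-line scheme from the last post for comparison. It assumes a system crypt(3) that accepts the `$6$` (SHA-512 crypt) prefix, as glibc does; the function names and sample passwords are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the system crypt(3) understands the "$6$" (SHA-512 crypt)
# prefix, as glibc does. Elsewhere crypt() may return undef or a short
# error string; make_hash() dies rather than storing that.
my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');   # 64 characters

# Build a random 16-character salt from the kernel's random source.
sub random_salt {
    open(my $fh, '<:raw', '/dev/urandom') or die "no /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close($fh);
    return join '', map { $SALT_CHARS[ord($_) % 64] } split //, $bytes;
}

# Registration: returns the string to store in the password column.
# The salt stays inside the stored string, so nothing is stripped off.
sub make_hash {
    my ($pwd) = @_;
    my $hash = crypt($pwd, '$6$' . random_salt() . '$');
    die "crypt() does not support \$6\$ on this system"
        unless defined $hash && $hash =~ /^\$6\$/;
    return $hash;
}

# Login: passing the stored hash as the salt argument makes crypt()
# reuse the scheme and salt that were chosen at registration.
sub check_password {
    my ($pwd, $stored) = @_;
    my $try = crypt($pwd, $stored);
    return defined $try && $try eq $stored;
}

# The one-line scheme from the post above, guarded for systems whose
# crypt() no longer offers the traditional two-character-salt method.
sub post_scheme {
    my ($pwd) = @_;
    my $h = crypt($pwd, substr($pwd, 0, 2));
    return defined $h ? substr($h, 2) : '(unsupported here)';
}

# Constructed sample data: two users who chose the same password.
my ($alice, $bob) = (make_hash('correct horse'), make_hash('correct horse'));
print "random salt, same password, rows differ: ", ($alice ne $bob ? "yes" : "no"), "\n";
print "right password accepted: ", (check_password('correct horse', $alice) ? "yes" : "no"), "\n";
print "wrong password accepted: ", (check_password('correct horsf', $alice) ? "yes" : "no"), "\n";
print "post scheme, same password, rows equal: ",
    (post_scheme('correct horse') eq post_scheme('correct horse') ? "yes" : "no"), "\n";
```

The stored `$6$` string needs a column of roughly 110 characters; a column sized for the 11-character value from the post would truncate it and every login would fail.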