
How do people store the password in a database?


jeephp

10:15 am on Jul 20, 2005 (gmt 0)

10+ Year Member



Hi,
I need some help with storing a password in a MySQL database or something similar.

I used to store the password in the database using the md5() function, but there is no way to retrieve the password back.

Now I want to know:
Is it a standard and secure way to store a password?
Is there any other technique to store a password so I can retrieve it back?

Any advice on this would be highly appreciated.

Thanks
Paresh

DoppyNL

10:21 am on Jul 20, 2005 (gmt 0)

10+ Year Member



I use md5 to store the password in the database (and some other fancy stuff), so it isn't retrievable.
When someone logs in, I encrypt the password they pass along and compare the result with the value in the database.

When someone loses their password, they will have to reset it using a form and an email sent to the email address of their account.

This is pretty standard.

I don't see any reason why I should be able to retrieve the password from the database, I don't want to know their passwords :P.
I already check if the password is complex enough when they create one :P

Why would you want to retrieve the password?

victor

1:33 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



DoppyNL's advice is sound ... You really do not want passwords that can be retrieved.

If you have a function that retrieves passwords, what happens if that gets hacked or stolen? You've just compromised all your users' data. That is not good PR, and may leave you liable for their costs, and possibly a charge of criminal negligence.

At the very least, if you do have retrievable passwords, ensure your insurance company and all investors/stakeholders are aware of the risk you are taking on their behalf.

coopster

1:44 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



This discussion regarding a 'Forgotten password' script [webmasterworld.com] may provide a bit more understanding.
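
The flow described in this thread (store only a hash, hash and compare at login, reset by e-mail instead of retrieving), as an added example that is not part of any post. It swaps md5() for PHP's password_hash()/password_verify(); the in-memory $users array, the function names and the sample account are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "table" standing in for the MySQL users table.
$users = [];

function register(array &$users, string $email, string $password): void {
    // password_hash() adds a per-user salt and uses a deliberately slow
    // algorithm, unlike a bare md5() of the password.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                      'reset_hash' => null, 'reset_expires' => 0];
}

function login(array &$users, string $email, string $password): bool {
    $hash = $users[$email]['hash'] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$email]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Returns the one-time token to e-mail to the account; only its hash is stored.
function startReset(array &$users, string $email, int $ttl = 3600): ?string {
    if (!isset($users[$email])) { return null; }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires'] = time() + $ttl;
    return $token;
}

function finishReset(array &$users, string $email, string $token, string $newPassword): bool {
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']
        || !hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    register($users, $email, $newPassword); // stores the new hash, clears the token
    return true;
}

// Constructed account and passwords, for illustration only.
register($users, 'user@example.test', 'old-Passw0rd!');
var_dump(login($users, 'user@example.test', 'old-Passw0rd!'));
$token = startReset($users, 'user@example.test');
var_dump(finishReset($users, 'user@example.test', $token, 'new-Passw0rd!'));
var_dump(login($users, 'user@example.test', 'old-Passw0rd!'));
```

The reset form should show the same response whether or not the address exists, so that startReset() returning null does not reveal which accounts are registered.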