I was reading up on making a members only website. However, I noticed that the passwords were merely CHAR(255), yet all the other text fields were either CHAR or VARCHAR as well. Shouldn't there be something more to it to stop administrators from viewing user passwords? So I guess my questions are:
1) Does mySQL encode data at all since it's server-side, as opposed to inside the public_html folder?
2) Are password fields merely char fields and nothing more, no more precautions to be taken?
Thanks for your help,
-EMAN
2) Are password fields merely char fields and nothing more, no more precautions to be taken?
- There are better options for storing passwords, as below.
BETTER OPTIONS FOR STORING PASSWORDS:
Encrypt it yourself
-------------------
Encrypt passwords before storing them using some sort of encryption. Then when you need to retrieve the password, decrypt it.
Easy, Really Secure Way
-----------------------
Use a one-way hash to encrypt the password (i.e. it cannot be decrypted). Then, when a user enters his/her password, encrypt it using the same method, and compare the result with the stored encrypted password.
Good news is, there's an easy way to do the above using PHP - using the md5 function for MD5 encryption and storing it in a varchar(32):
www.php.net/md5
The only downside to this is that you can't send the user a lost password. However, I found it's better to reset the password anyways (and send it to the registered email address)...
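The store-a-hash-then-compare-at-login flow the reply describes, as an added example that is not from the thread: it uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which produce a salted, deliberately slow hash, in place of md5(). An in-memory array stands in for the users table.

```php
<?php
// Added example (not from the thread): hash on registration, re-hash and
// compare on login. Nothing stored can be turned back into the password.

declare(strict_types=1);

/** Store only a one-way, salted hash; the plaintext is never written. */
function register_user(array &$users, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt today (a 60-character string). The output
    // length can grow with future algorithms, so use VARCHAR(255) for the
    // column rather than sizing it to one algorithm.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/** Hash the login attempt and compare it with the stored hash. */
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];

    // password_verify() reads the salt and cost out of $stored, recomputes
    // the hash, and compares in constant time.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // If the default cost or algorithm has changed since this hash was made,
    // replace it now, while the plaintext is briefly available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data for a quick run (not real accounts).
$users = [];
register_user($users, 'eman', 'correct horse battery staple');

var_dump(login($users, 'eman', 'correct horse battery staple'));
var_dump(login($users, 'eman', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
echo 'stored hash length: ', strlen($users['eman']), PHP_EOL;
```

Because only the hash is kept, a "forgot password" feature has to issue a reset (for example a one-time token sent to the registered address) rather than mail the old password back, which matches the reply's last point.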