Or if you use md5(), which encrypts the same way every time, you could just get a CD-ROM with a trillion different character combinations that could be valid passwords and encrypt them, then compare the encrypted strings... With the current hardware available that might take... oh, a half a second or so. So, it's more important to protect the actual SOURCE than the information stored in the source. Of course this is a debate that could go on forever: when does hardware encryption rule all?

-Brad

"SHEETS,JASON (HP-Boise,ex1)" wrote:
> Storing passwords in MD5 or another hash is an excellent idea because it is
> generally not possible to decrypt them (if the user uses a bad password they
> can be brute forced but you can only do so much). By storing passwords in
> MD5 you protect your users' passwords, if your database gets cracked their
> passwords are still relatively secure.
>
> You generally should not use a reversible encryption technique to store
> something like user passwords, the reason being that in order to decrypt the
> passwords you must store the encryption key in your code, when someone gets
> access to your code (which they will or at least you must assume they will)
> all they have to do is look in your code for your encryption key, after that
> decrypting your users' passwords is trivial. The worst thing is most users
> use the same password for almost everything, that means that many of their
> other accounts are now compromised and they may not even know it. It can be
> argued the user should use a more secure password and not use the same one
> in many places, however the user is a being of convenience and is unlikely to
> remember more than one password anyway :)
>
> In short this has been covered probably thousands of times on this list but
> I did not want a newer user to make the mistake of using an insecure method
> of storing passwords, either putting them in the DB in plain text or using a
> reversible encryption technique that is equally insecure because of the
> implementation.
>
> Jason Sheets, CCNA, MCSE
>
> -----Original Message-----
> From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 09, 2002 2:24 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Encrypting passwords in a flat file before import
>
> I was comparing it to what I was thinking about. Like if the field in the
> table (database) has a username and password. Then you encrypt it with
> features like this, then how can it be decrypted if I had like a thousand
> user accounts. It was just a thought in my mind.
>
> Now based on your responses and feedback, it seems that the md5() is such a
> bad idea and instead, using mcrypt function would help.
>
> "Marco Tabini" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I think that generally you do not want passwords to be decryptable. What
> > I normally do is try to encrypt whatever the user enters as a password
> > and compare the resulting encrypted string with what's in the database
> > to make sure they correspond. If the encrypting function is univocal
> > (and md5 is) then the correct password will always return the same
> > encrypted string.
> >
> > On Wed, 2002-10-09 at 16:06, Scott Fletcher wrote:
> > > Can it be decrypted??? I don't see how since you just use the function
> > > md5().
> > >
> > > "Marek Kilimajer" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > If you don't need the file to be changed to contain md5 encrypted
> > > > passwords use *fgetcsv()* to read the contents,
> > > > then use *md5()* on the password and insert it into database using
> > > > mysql_query. No need to write a new file.
> > > >
> > > > Verdon Vaillancourt wrote:
> > > >
> > > > >Hi,
> > > > >
> > > > >I hope this question isn't too basic...
> > > > >
> > > > >I have a flat file (CSV) that I want to import into a MySQL db via
> > > > >phpMyAdmin. The file has about 1200 rows and is in a format like:
> > > > >"value","value","password","value","value","etc"
> > > > >The passwords are in clear text. I need them to be encrypted in md5.
> > > > >
> > > > >Is there any advice out there as to how I could process this flat-file
> > > > >before I import into my db or after the fact?
> > > > >
> > > > >Thanks, verdon
> > > > >Ps. Please cc me if replying to list as I am on digest mode
> > > > >
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
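
Added example, not code from any message in this thread: the CSV import discussed above, hashing the password column with PHP's password_hash() (available since PHP 5.5, so later than this thread) in place of md5(), and comparing the result with the deterministic md5() digests that the precomputed-list comparison relies on. The sample rows, the `PASSWORD_COL` index and the `hashCsvPasswords()` helper are assumptions constructed for the illustration.

```php
<?php
// Added example, not from the thread. Sample rows are constructed; the
// password is assumed to be the third column, as in the quoted row format.
const PASSWORD_COL = 2; // assumption: zero-based index of the password field

// Replace the clear-text password in each CSV row with a salted, slow hash.
function hashCsvPasswords($fh): array
{
    $rows = [];
    while (($row = fgetcsv($fh, 0, ',', '"', '\\')) !== false) {
        // Blank lines come back as [null]; short rows lack the column.
        if (!isset($row[PASSWORD_COL]) || $row[PASSWORD_COL] === '') {
            continue; // skip instead of importing an account with no password
        }
        // password_hash() draws a random salt per call and stores it, with
        // the algorithm and cost, inside the returned string.
        $row[PASSWORD_COL] = password_hash($row[PASSWORD_COL], PASSWORD_DEFAULT);
        $rows[] = $row;
    }
    return $rows;
}

// Constructed sample input: two users with the same password, one blank
// line and one short row.
$csv = <<<CSV
"1","alice","correct horse","a@example.test"
"2","bob","correct horse","b@example.test"

"3","carol"
CSV;
$fh = fopen('php://memory', 'w+');
fwrite($fh, $csv);
rewind($fh);
$rows = hashCsvPasswords($fh);
fclose($fh);

// Unsalted md5(): equal passwords give equal digests, so one precomputed
// entry matches every account that uses that password.
var_dump(md5('correct horse') === md5('correct horse'));
// Salted hashes: compare the stored values for the two identical passwords.
var_dump($rows[0][PASSWORD_COL] === $rows[1][PASSWORD_COL]);
// Login check without decryption: the salt is read back from the stored hash.
var_dump(password_verify('correct horse', $rows[1][PASSWORD_COL]));
var_dump(password_verify('wrong guess', $rows[1][PASSWORD_COL]));
var_dump(count($rows)); // number of rows kept for import
```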