passwords

dux

Hello All 🙂

I've created a little registration/login system - should I be encrypting passwords in my database and could anyone give any insight into how many users would be needed to seriously slow down the mechanism.

thanyow 🙂)))))))))

the_Igel

Don't worry about speed - no login system can slow down a server. And yes, you'd better encrypt the passwords.

dux

errrr.... how should I encrypt the data?
Is there any standard method for this?

ta 🙂

PHPGuru_2700

This encode your password, it wouldnt be to hard to decode it if
you have php installed on your computer... but it works 😃
and they would have to know you where using the
bas64_endcode function.

<?
	$password = "barney";

// encodes the password variable then prints the screen.

$password = base64_encode($password);
print("Encoded: $password<BR><BR>");

// decodes the password variable then prints it to the screen

$password = base64_decode($password);
print("Decoded: $password");

?>

superdank

is PHP a good source for creating a porn website... users/passwords....

can it create a password for the user automatically?

thanks for the help..

superdank

is PHP a good source for creating a porn website... users/passwords....

can it create a password for the user automatically?

thanks for the help..

cahva

Originally posted by superdank
is PHP a good source for creating a porn website... users/passwords....

can it create a password for the user automatically?

thanks for the help..

I quess PHP is good as any other languages to create a porn-site... But please make a porn-site with no popups 🙂

As you asked for the random password generator, heres one. You propably want to remove some numbers or letters which are same looking. Like zero looks like letter O. Anyway, heres the code:

<?php
// here you put the letters and numbers what you want to use in passwd
$letters="ABCDEFGHIJKLMOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890";
$len=strlen($letters);

for ($i=0; $i < 8; $i++)
{
	$_rand=rand(0,$len);
	$passwd.=$letters{$_rand};
}
echo $passwd;
?>

Senate

When it comes to passwords and encryption on secure sites, i'd recommend doing the following..

when the user first choose (or is given) a password, your script that stores the new user in the DB should encrypt the password like so:

$password = md5($password_from_form)
$query = mysql_query("INSERT INTO users (password) VALUES ('$password')");

then whenever you need to check their password, do it like so:

$password = md5($password_from_login_form)
$query = mysql_query("SELECT user FROM users WHERE password='$password');

Make sense? This way you are never decrypting the password in your script, and there's no risk of someone finding out what it is.
This is just a guide.. you'll need to play with it a bit.

netdur

hey, I better you use MD5 function, but if someone forget password... can't get it again, so you have to generate new password!!! <-

superdank

thanks !... you peeps are great!...

and we Promise... no POP UPS!... i hate them as well!...

www.girlsgoneanal.com

is our new site....

i will be glad to give out some free PW once its completed... for those who help!..

thanks a million!~

dux

thanks for that guys.
What is the benefit of having the encrypted password stored in the database? I'm probably being a total plonker.

thanks! 🙂)))

the_Igel

Originally posted by dux
What is the benefit of having the encrypted password stored in the database?

It's about security: you can't be completely sure that nobody will ever see your db data. But if it's encoded, there's no need to worry about it.

dux

cool - I thought it was a little more complicated that that 😉

thanks 🙂)

jplush76

MD5 alone isn't very secure...

Someone trying to break into your site probably has a list of common MD5 words that they can just run a quick script to match against your database.

so if 5 users enter in the word 'test' as their password then if the person breaks in and finds one that matches, now they have 5 because they all MD5 to to the same string.

You should try using MD5 in conjunction with some "SALT". A variable that will be different for each user.

kinadian

Alternately, if you are using MySQL you can use MySQL's password() function. Simply pass a string to the function and it returns the encrypted value.

ie;

INSERT INTO users (password) VALUES (password('$pass');

If doesn't really matter which way you do it, I use this method to keep my encryption out of my script (it's also the way I learned).

NB: There is no (as far as I know) decryption function for the MySQL encryption (it may even use MD5, not sure). So it's a one way encryption as well. Meaning you could use that password generator script to create a new one, if people forget their password.

--kinadian

the_Igel

You can't totally keep encoding out of script. What's the difference between

mysql_query("insert into db (login, password) values('$login',password('$password'))");

and

mysql_query("insert into db (login, password) values('$login', '".md5($password)."')");

kinadian

I meant processing ... the mysql server performs the encryption rather than the script.

--kinadian