mysql crypt()

saraadmin

I'm using mod_auth_mysql for login to my PHP site.

The passwords in the mysql database are encrypted using MySQL's crypt() function (for which, I now know, there is no opposite). This works with Apache with no problems.

I now need to be able to produce an HTML form which has the actual password (not encrypted) in it. How can I retrieve the non-encrypted password from the database?

I've found the mcrypt_decrypt() function but is this compatible with mysql's crypt() function? (I'm using Debian and I don't have the mcrypt package installed). And it seems that mcrypt_decrypt() requires a key as well. In MySQL I haven't used a key to encrypt, it says it picks a random one; how do I know what it is (and why does it work)?

Cheers,
Richard

mrhappiness

why not crypting the password enter in the form using mysql crypt function just like you did for the passwords already stored in the database and comparing the two enrypted values?

laserlight

How can I retrieve the non-encrypted password from the database?

You store it along with the encrypted password, but for the most part that defeats the purpose of taking the hash in the first place.
If you're looking to hash passwords and yet have a password retrieval system, then it would probably be better to use PHP's sha1() and generate new passwords for password retrieval.

I've found the mcrypt_decrypt() function but is this compatible with mysql's crypt() function?

No, or at least not likely, even if the cryptosystem/hash used was the same.

saraadmin

Ah yes, good idea. I can store the plain password as well and use the encrypted version for logins with Apache and the plain version for user record editing with PHP.

Its all working now.

Thanks for the help!

Weedpacket

Well, then there's no point storing the encrypted version then because you can just regenerate that when needed from the cleartext version. And when you're storing the same data twice you have to do extra work to make sure that the two instances of the same data are in fact the same.

saraadmin

I see your point but don't forget that I'm using Apache mod_auth_mysql to log users on. It allows you to select the password encryption type you use but doesn't give you any control over how the passwords are retrieved from the database; i.e. I need to have an encrypted version in the user record.

And regarding the extra work. My code is all nicely object oriented so all I had to do was change the User class's setPasswd() function to make two SQL update statements: one of each type of password. I then corrected its getPasswd() function to return the clear password (because its not used for authentication, only to retrieve the password to put it in an HTML form for editing).

mrhappiness

Why do you encrypt the passwords and use mod_auth_mysql?

If you do so to have the communication a bit more secure than you undermine your own security by sending unencrpyted passwords to be displayed within html or sent thorugh a form in plain text.

If you do so to don't let bad people gaining access to your database having all the passwords in a reusable manner let me tell you, that if people gain access to your database you have much bigger problems...

If you do so to have a good feeling of "yeah, i'm da man 'cause i encrypt passwords baby"... Go on with it 😉

Not meant as offense, I simply don't know why you store encrypted passwords and store the unencrypted version too? 😕

saraadmin

If you do so to have the communication a bit more secure...

I need to be able to do both. What I would use ideally would be an encryption method that was compatible between MySQL, mod_auth_mysql and PHP. (I did try setting up DES (?) but I couldn't get it to work with MySQL).

If you do so to [stop] bad people gaining access to your database [and] having all the passwords in a reusable manner...

I'm actually using two databases: one for the user logins and the main one for the actual data. Neither are visible outside the host.

If you do so to have a good feeling of "yeah, i'm da man 'cause i encrypt passwords baby"

And who doesn't think like that sometimes ;-)