Encrypted Password | Password Entry

ndorfnz

I am encrypting passwords and storing in a mysql database.

I am utilizing cookies and storing the encrypted password.

When the login page is visited if a cookie is found by default the username and ************ password are loaded into the user entry fields.

What's a little weird is the password (loaded via the $_COOKIE) is the encrypted version.

So a user's password may be 'joe'

But in the password entry it displays *******************

Anyway around this?

big_nerd

ndorfnz,

If you are encrypting the password before setting the cookie, this would be why it is saving it encrypted.

You will have to check your source code to see where you set the cookie, and what you have done with the password previous to that.

I would recommend however, using a very basic at least encryption method when you store the password, leaving it in clear text makes it all too easy to snap up and becomes a security risk.

You can search the net for any good algorithms that can be decrypted in PHP.

If you can't find where you have encrypted the password or whatnot, feel free to post code here and we can help to diagnose the issue.

laserlight

ndorfnz wrote:
I am encrypting passwords and storing in a mysql database.

Generally, we prefer to hash the passwords rather than encrypt them for storage. if you encrypt, you need to think about key storage, since merely storing the key in the database is tantamount to not encrypting at all. Where encryption comes in handy is in establishing and using a secure channel over the Internet, i.e., SSL/TLS.

ndorfnz wrote:
When the login page is visited if a cookie is found by default the username and ************ password are loaded into the user entry fields.

A better idea is to store the session id in a cookie, and instead of getting the user to login with username/password filled in automatically, you just treat the user as logged in. Note that some web browsers provide ways for users to store their login credentials for automatic login, so you might be duplicating such functionality, or even be seen as forcing it on your users.