List:General Discussion« Previous MessageNext Message »
From:Tom Molesworth Date:December 7 2004 4:53pm
Subject:RE: Encrypting password fields
View as plain text  
Chris Kavanagh <mailto:chris@stripped> wrote on Tuesday, December 07,
2004 3:36 PM:
> I need to store passwords in my database, and I understand it's bad
> form to store them anywhere in a readable format (I remember reading
> once that if you call a company and ask for your password,
> and they can
> tell you, it's a bad sign).

well, yes. I'd be very worried if any random company could tell me what my
passwords were... :)

Storing them in unreadable format is one thing; storing a hash or other
format which can't be retrieved is another. There are advantages and
disadvantages to both.

> Is the solution a BLOB column type, and when inserting records:
> 
> md5('somepassword')

Don't think there's any need to use a blob - an MD5 is simply hex digits, so
CHAR(32) should suffice (as far as I'm aware). also, you might want to
consider sha1 if you haven't got any legacy MD5 elements.

http://dev.mysql.com/doc/mysql/en/Encryption_functions.html

If you ever want to be able to retrieve passwords, rather than simply
checking to see if an entered value is (very) likely to  be the same as the
original password (which is how md5 and sha1 work), try the aes_encrypt
functions and have a master password or passphrase.

cheers,

Tom
Thread
Encrypting password fieldsChris Kavanagh7 Dec
RE: Encrypting password fieldsTom Molesworth7 Dec