Chris Kavanagh <mailto:chris@stripped> wrote on Tuesday, December 07,
2004 3:36 PM:
> I need to store passwords in my database, and I understand it's bad
> form to store them anywhere in a readable format (I remember reading
> once that if you call a company and ask for your password, and they
> can tell you, it's a bad sign).
Well, yes. I'd be very worried if any random company could tell me what my
passwords were... :)
Storing them in unreadable format is one thing; storing a hash or other
format which can't be retrieved is another. There are advantages and
disadvantages to both.
> Is the solution a BLOB column type, and when inserting records:
Don't think there's any need to use a blob - an MD5 is simply hex digits, so
CHAR(32) should suffice (as far as I'm aware). Also, you might want to
consider sha1 if you haven't got any legacy MD5 elements.
If you ever want to be able to retrieve passwords, rather than simply
checking to see if an entered value is (very) likely to be the same as the
original password (which is how md5 and sha1 work), try the aes_encrypt
functions and have a master password or passphrase.
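The three storage choices named in the reply (MD5 hex, SHA1 hex, and reversible AES_ENCRYPT with a master passphrase) side by side, as an added MySQL example that is not part of the thread. The table name, column names, the user 'chris', the password 's3cret' and the passphrase 'master passphrase' are all made up for illustration:

```sql
-- Constructed schema: one column per storage option discussed above.
CREATE TABLE users (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL UNIQUE,
  pw_md5    CHAR(32),        -- MD5() returns 32 hex characters
  pw_sha1   CHAR(40),        -- SHA1() returns 40 hex characters; CHAR(32) would truncate it
  pw_aes    VARBINARY(64)    -- AES_ENCRYPT() returns raw bytes (a multiple of 16), so use a binary column
);

-- Store the same password all three ways (constructed sample data).
INSERT INTO users (username, pw_md5, pw_sha1, pw_aes)
VALUES ('chris',
        MD5('s3cret'),
        SHA1('s3cret'),
        AES_ENCRYPT('s3cret', 'master passphrase'));

-- Checking a login: hash the entered value and compare; the stored hash is never reversed.
-- Returns 1 for the right password, 0 otherwise.
SELECT COUNT(*) AS password_ok
FROM users
WHERE username = 'chris' AND pw_sha1 = SHA1('s3cret');

-- Retrieving a password: only the AES column can be turned back into plaintext,
-- and only by whoever knows the passphrase.
SELECT CAST(AES_DECRYPT(pw_aes, 'master passphrase') AS CHAR) AS plaintext
FROM users
WHERE username = 'chris';

-- With the wrong passphrase AES_DECRYPT returns NULL (bad padding) or garbage, never the password.
SELECT AES_DECRYPT(pw_aes, 'wrong passphrase') AS plaintext
FROM users
WHERE username = 'chris';
```

Two practical notes on this example. The passphrase appears in the statement text, so anywhere full statements are logged (general query log, binary log for the INSERT) the master key is recorded alongside the ciphertext; keep it out of the SQL and apply it in the application instead. And plain MD5()/SHA1() of the password, as shown here, is what the reply describes; current practice is a per-user salt and a deliberately slow password hash, which these MySQL functions do not provide.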