List:General Discussion« Previous MessageNext Message »
From:David T. Ashley Date:August 19 2007 7:37pm
Subject:Re: Password storage
View as plain text  
On 8/18/07, C K <> wrote:

> Friends,
> I have one question - How to store passwords in MySQL database table in a
> secure way so that no one can see the password(understand the password
> string)?

It is considered bad security practice to store passwords using reversible
encryption.  The issue is that users tend to choose the same passwords
across different computing systems, as well as personal e-mail and banking

The most common method is to keep a string, known only to the server, that
is used to help generate the MD5 or SHA1 hash actually stored.  The stored
value is then generated using something like:

MD5(CONCAT(server_string, user_password, server_string))

In order to be able to mount some kind of an attack other than brute force,
an attacker would need to also have the server_string.

The disadvantage of using only the user password for the MD5 is that it
lends itself to a dictionary attack.  So, a bit of randomness thrown in is

As another poster pointed out, the probability of two different passwords
having the same hash is remote.  Using the SHA1 (160 bits) as an example,
and assuming about 64 different characters (6 bits) available for passwords,
the SHA1 is about 26 characters of information.  Remote.


Password storageC K18 Aug
  • Re: Password storageYoge18 Aug
  • Re: Password storageSudheer Satyanarayana18 Aug
    • Re: Password storageC K18 Aug
      • Re: Password storageMogens Melander18 Aug
        • Re: Password storageMike Aubury18 Aug
          • Re: Password storageMogens Melander18 Aug
      • Re: Password storageSudheer Satyanarayana18 Aug
      • Re: Password storageMichael Dykman20 Aug
        • mysql errorCharles Brown20 Aug
          • Re: mysql errorMichael Dykman20 Aug
          • Re: mysql errorMike Zupan20 Aug
  • Re: Password storageDavid T. Ashley19 Aug