Dreamweaver Club Forums > Hand Coders Forum > General
Old 10-06-2010, 11:25 PM   #1
whitedragon101
 
Join Date: Jun 2009
Posts: 20
Storing passwords as plain text

I have a MySQL database that allows a customer to view an order they have made. The usernames and passwords only allow a customer to view, but not change, anything.
At the moment the passwords are stored as plain text. I have seen many security articles saying this is bad and that should someone crack into your database they can steal all your passwords. My problem is that I'm confused, but it seems to me (and correct me if I'm wrong, which is why I'm asking):

If someone breaks into my database, then the only use of a password is to log into the system and see a user's information. However, if they have access to the database they already have access to the user's information.

It seems to me that either every piece of data (name, address, etc.) has to be stored in encrypted form as well as the password, or there is no point.

Then I thought: but wait, the only way to break into the database is a direct attack (as I vet all input to prevent SQL injection). Therefore someone who has broken into the server directly will also have access to the PHP code and therefore the encryption key. All data can now be unencrypted and they have all the data again.

Basically:

1) Text passwords + cracker gains access to database = user data stolen
2) Encrypted passwords + cracker gains access to database = user data stolen
3) All fields encrypted + cracker gains access to database by cracking server = cracker therefore also has access to PHP files = cracker has access to PHP decryption code = user data stolen

It seems like this extra security is like padlocking your bike and leaving the key next to it. It looks secure but doesn't really make a difference.

Any thoughts?
Old 10-07-2010, 01:13 AM   #2
edbr
 
Join Date: Aug 2005
Location: Bali
Posts: 11,164

It is standard practice to encode using SHA1 or MD5, and as you say most if not all of the security gurus advise this at the very least, especially against brute force attacks. I don't see it as leaving the key next to the padlock at all. So my viewpoint is: why not do it?
__________________
If you're happy and you know it shake your meds!
different style links examples

Flight / Hotel search
Free script download
Bali Villas
Old 10-12-2010, 09:06 AM   #3
edbr

This post has been nagging at me a bit, so how about this.
Although MD5 gives a much increased safety factor over plain text, it could be decrypted (although not easily). A further measure would be to salt your password, or add characters to it, so I did a bit of digging and finally wrote this, which could be adapted fairly easily.

After applying stripslashes and/or mysql_real_escape_string to your password string:
Code:
// escape every user-supplied value that goes into the query, not just the password
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// site-wide salt appended to the password before hashing
$salt = 's+(_a*';

// "encrypt" (hash) the salted password; the value stored at registration
// must have been produced the same way or the comparison below never matches
$new_mypassword = md5($mypassword . $salt);

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$new_mypassword'";
$result = mysql_query($sql);
Old 10-23-2010, 07:30 PM   #4
davidj
 
Join Date: Sep 2005
Location: The Toon (newcastle upon Tyne)
Posts: 8,256

Also note that unless you are using SSL, your password would be visible over HTTP. If anyone is listening to your site they will be able to see what your form is posting every time. This is the case even if you are encrypting the password for storage.

Also note that MD5 is one-way encryption. It can't be cracked as there is no key to find. The only way to work out the encrypted string is to guess the original word. You can encode anything to an MD5 encryption string. Even War and Peace could be reduced to a 32-character string!!
__________________
Would you like to learn PHP from me? Check out -> www.codezenith.co.uk
Old 10-24-2010, 04:01 AM   #5
edbr

Quote:
Also note that MD5 is one-way encryption. It can't be cracked as there is no key to find.

Have a look at this, David: http://md5.web-max.ca/

It is based on some kind of database but can decrypt some that I tried, for instance 2ec0dfce896fa30233359748248dddec

Last edited by edbr; 10-24-2010 at 04:17 AM..
Old 10-24-2010, 02:00 PM   #6
davidj

It is a database of common words. They have run them through the MD5 algorithm, mapping each word to the encrypted string and storing the pair. They did not crack it; they just have a database of original/encrypted pairs. To protect yourself from these databases you just have to adopt a strong password format methodology using upper and lower case, alpha and numeric characters, enforcing complex passwords.
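The following is an added example and not code posted by anyone in this thread. It puts the "database of original/encrypted pairs" that davidj describes and the site-wide salt from edbr's md5($mypassword.$salt) snippet side by side, then shows the scheme that survives both the lookup database and the original poster's scenario of an attacker who holds the database and the PHP code (and so the salt): a random salt per user plus a deliberately slow hash. It is written in Python rather than PHP so it runs stand-alone; PHP's password_hash()/password_verify() provide the same per-user-salt, slow-hash behaviour as the PBKDF2 functions here. The six-word "common words" list is constructed for the example, and the 100,000-iteration work factor is an assumed value, not something from the thread.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data (not from the thread): a tiny "common words" list
# standing in for the word/MD5 lookup database, and edbr's site-wide salt.
COMMON_WORDS = ["password", "letmein", "dragon", "qwerty", "monkey", "sunshine"]
SITE_SALT = "s+(_a*"
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to ~100 ms per hash


def md5_hex(text: str) -> str:
    """Plain MD5 of a string, as PHP's md5() produces."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words: Iterable[str], salt: str = "") -> Dict[str, str]:
    """The attacker's database: digest -> original word, computed once.
    Passing a site-wide salt models an attacker who read it out of the PHP
    code; one such table then covers every user of that site."""
    return {md5_hex(w + salt): w for w in words}


def reverse_md5(digest: str, lookup: Dict[str, str]) -> Optional[str]:
    """'Decrypt' by lookup, which is all the online MD5 reversers do."""
    return lookup.get(digest)


# --- per-user random salt + slow key derivation -----------------------------

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' for storage.
    The salt is stored next to the hash in the clear; its job is to be
    different for every user, not to be secret."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack(stored: str, words: Iterable[str]) -> Optional[str]:
    """What the attacker who has the DB *and* the code is reduced to: one
    full slow hash per guess per user, with nothing reusable across users."""
    for w in words:
        if verify_password(w, stored):
            return w
    return None


def demo() -> dict:
    """Run the three schemes against the same weak password and report."""
    public_table = build_lookup(COMMON_WORDS)              # attacker's generic DB
    site_table = build_lookup(COMMON_WORDS, SITE_SALT)     # rebuilt once with leaked salt
    unsalted = md5_hex("dragon")
    site_salted = md5_hex("dragon" + SITE_SALT)
    user_a = hash_password("dragon")
    user_b = hash_password("dragon")                       # same password, different salt
    return {
        "unsalted_reversed": reverse_md5(unsalted, public_table),
        "site_salt_vs_public_table": reverse_md5(site_salted, public_table),
        "site_salt_vs_site_table": reverse_md5(site_salted, site_table),
        "per_user_hashes_differ": user_a != user_b,
        "per_user_login_ok": verify_password("dragon", user_a),
        "per_user_still_guessable_but_slowly": dictionary_attack(user_a, COMMON_WORDS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last result is the point davidj makes about password strength: a per-user salt and a slow hash do not rescue a password that is itself in the attacker's word list, they only make each user cost a full run of the list; the salt stops one precomputed table from covering everyone, and the iteration count turns each guess from nanoseconds into milliseconds.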
Old 10-25-2010, 01:19 AM   #7
edbr

Yes, I suspect they are collecting when people use an online encrypt to feed the database. I first tried that example I gave and it could not decode it; I then tried an online encrypt (another site), and when I returned and tried it, it could decode it. So it would also be a good idea not to encrypt using online 'services'.
Copyright 2006 DreamweaverClub.com