Mongoose+ Posted March 10, 2009
Hello, I am looking to encrypt passwords before storing them in MySQL. I am wondering which method is better. If neither is good, are there any better suggestions?
Option 1: I make a fake key like dfah3jh3j4h2j9, then I get the username and password from the web form, sanitize it for XSS and make a new hash variable using sha1 with username.key. I go into the MySQL query using AES_ENCRYPT(password,hash).
Option 2: I make the same hash using sha1(username.key) and, instead of AES_ENCRYPT, I simply encrypt the password using sha1(password.hash) and store that into the MySQL field. I have no need for password lookups, so a decryption is not necessary.
Any suggestions or thoughts would be appreciated. Thanks, Mongoose+
Source: https://forums.phpfreaks.com/topic/148790-solved-password-encryption-suggestions/
premiso Posted March 10, 2009
SHA1 is not technically encryption. It is a one-way hash. Just remove the AES_ENCRYPT and use sha1 with a good salt and you should be fine.
Psycho Posted March 10, 2009
Quoting premiso: "SHA1 is not technically encryption. It is a one-way hash. Just remove the AES_ENCRYPT and use sha1 with a good salt and you should be fine."
I second that. A hash plus a good salt is sufficient.
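To make the two replies concrete, here is an added example (not code from the thread or from either poster) that implements Option 2 exactly as Mongoose+ describes it, beside a per-user random salt of the kind the replies ask for and a deliberately slow hash as the "better suggestion" the question invites. It is written in Python rather than PHP because hashlib.sha1(...).hexdigest() yields the same 40-character hex string as PHP's sha1(), so the stored values are the ones the PHP code would write. SITE_KEY reuses the sample key from the post; the usernames and passwords are constructed test values; slow_hash uses PBKDF2 as a stand-in for PHP's password_hash() (bcrypt), which Python's standard library does not provide.

```python
import hashlib
import hmac
import os
from typing import Optional

# The poster's sample "fake key". In a real deployment this is a secret kept
# outside the database; the value here is simply the one from the thread.
SITE_KEY = "dfah3jh3j4h2j9"


def option2_salt(username: str, key: str = SITE_KEY) -> str:
    """sha1(username.key) from the post: a 40-char hex string, same as PHP's sha1()."""
    return hashlib.sha1((username + key).encode("utf-8")).hexdigest()


def option2_hash(username: str, password: str, key: str = SITE_KEY) -> str:
    """Option 2 as described: sha1(password.hash) where hash = sha1(username.key).

    The salt is a pure function of (username, key): it stays the same across
    password resets, and anyone holding the key can compute it per username.
    """
    return hashlib.sha1((password + option2_salt(username, key)).encode("utf-8")).hexdigest()


def option2_verify(username: str, password: str, stored: str, key: str = SITE_KEY) -> bool:
    """Login check: recompute and compare in constant time (no early exit on mismatch)."""
    return hmac.compare_digest(option2_hash(username, password, key), stored)


def unsalted_sha1(password: str) -> str:
    """What the replies warn against: sha1 with no salt, so equal passwords collide."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def random_salt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The 'good salt' the replies ask for: 16 random bytes per password, stored
    together with the digest as 'salthex$digesthex' (73 chars, fits a CHAR(73))."""
    if salt is None:
        salt = os.urandom(16)  # fresh CSPRNG bytes; regenerated on every password change
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def random_salt_verify(password: str, stored: str) -> bool:
    """Split the stored field, recompute with the stored salt, compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    expected = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


def slow_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Stand-in for PHP's password_hash(): PBKDF2-HMAC-SHA256 (stdlib has no bcrypt).
    The iteration count is stored with the value so it can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def slow_verify(password: str, stored: str) -> bool:
    """Parse the self-describing stored value and recompute with its own parameters."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$", 3)
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stored = option2_hash("alice", "correct horse")  # constructed test account
    print("option 2 stored value:", stored)
    print("login with right password:", option2_verify("alice", "correct horse", stored))
    print("login with wrong password:", option2_verify("alice", "wrong", stored))
    print("random-salt stored value:", random_salt_hash("correct horse"))
    print("slow-hash stored value:", slow_hash("correct horse"))
```

Two checks worth making against the scheme as posted. First, hash the password exactly as the user typed it: an XSS sanitizer such as htmlspecialchars() applied before sha1() silently changes any password containing `<`, `>`, `&` or quotes, and the same transformation must then be applied at every login forever. Second, because the Option 2 salt is derived from username and key rather than stored per row, it is identical for every password the user ever sets, and a leak of the key lets an attacker precompute one lookup table per username; the random_salt_hash variant above removes that dependency by storing 16 fresh random bytes next to the digest. Beyond salting, SHA-1 is fast by design, which is why password-specific functions (bcrypt via password_hash() in PHP 5.5+, or PBKDF2 as in slow_hash) are the current recommendation for new code.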
Mongoose+ (author) Posted March 10, 2009
Thank you very much, that was the direction I was leaning. -Regards