Mongoose+ Posted March 10, 2009
Hello, I am looking to encrypt passwords before storing them in MySQL. I am wondering which method is better. If neither is good, are there any better suggestions?

Option 1: I make a fake key like dfah3jh3j4h2j9, then I get the username and password from the web form, sanitize it for XSS and make a new hash variable using sha1 with username.key. I go into the MySQL query using AES_ENCRYPT(password,hash).

Option 2: I make the same hash using sha1(username.key) and, instead of AES_ENCRYPT, I simply encrypt the password using sha1(password.hash) and store that into the MySQL field.

I have no need for password lookups, so decryption is not necessary. Any suggestions or thoughts would be appreciated.

Thanks, Mongoose+
premiso Posted March 10, 2009
SHA1 is not technically encryption. It is a one-way hash. Just remove the AES_ENCRYPT and use sha1 with a good salt and you should be fine.
Psycho Posted March 10, 2009
> SHA1 is not technically encryption. It is a one-way hash. Just remove the AES_ENCRYPT and use sha1 with a good salt and you should be fine.

I second that. A hash plus a good salt is sufficient.
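An added example, not from any poster in this thread, of the scheme premiso and Psycho recommend: a one-way hash with a good salt, stored in place of the AES_ENCRYPT value. PHP is used because the original's sha1() and string concatenation are PHP. It assumes a PDO connection and a hypothetical users(username, salt, password_hash) table; the salt is random per user rather than derived from username.key, so two accounts with the same password never share a hash.

```php
<?php
// Added example: per-user random salt + one-way hash, verified at login.
// Assumed (hypothetical) schema: users(username VARCHAR, salt CHAR(32), password_hash CHAR(40))

function makeSalt(): string {
    // 16 bytes from the OS CSPRNG, hex-encoded. A fresh value per user, unlike
    // sha1(username.key), which is predictable to anyone who learns the key.
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string {
    // sha1 as suggested in the thread. A slow, dedicated password hash
    // (password_hash() with bcrypt, PHP 5.5+) is the current recommendation and
    // can be swapped in here without changing the rest of the flow.
    return sha1($salt . $password);
}

function registerUser(PDO $pdo, string $username, string $password): void {
    $salt = makeSalt();
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)'
    );
    // Bound parameters: nothing is concatenated into SQL, so the password does not
    // need "sanitizing" before hashing (XSS escaping belongs at output, not here).
    $stmt->execute([$username, $salt, hashPassword($password, $salt)]);
}

function verifyLogin(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT salt, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // Constant-time comparison so the check does not leak how many bytes matched.
    return hash_equals($row['password_hash'], hashPassword($password, $row['salt']));
}
```

The stored value can never be turned back into the password, which is what makes this preferable to AES_ENCRYPT when lookups are not needed.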
Mongoose+ (Author) Posted March 10, 2009
Thank you very much, that was the direction I was leaning.
Regards