Password encryption (md5)


karimali831

Hey,

 

When a user sends an invite to join their team, the URL format is like:

?site=clans&action=clanjoin&clanID=459&password=547ed66d627d350f8b3847d24b661f49

 

I use md5 for password encryption but you can't use an encrypted password to POST data?

It would just say password is incorrect unless I manually edit the row in phpmyadmin with a random password and use that one.

 

Is there a way to get the actual encrypted password instead of decrypted one when I use sql fetch?


I'm starting to wonder, just what is it you're trying to do? Are you trying to protect the password string while it's in transit from the user's browser to your site? If that's the case, you need to be looking at using SSL with an https:// connection. If you just want the password to be stored as a hash value in the database, it would be done such as: INSERT INTO users (username, password) VALUES ($username, md5($password)) making sure the password field in the db is the right size/type to hold the hash.


can't do that using md5.  it's a one-way hashing system meaning once it's hashed, you cannot "un-hash" it, so to speak.

 

sending a user their password via email is not safe.  instead, if the user can't remember their password, create a "password reset" script so they can create a new one.

 

NOTE: i must clarify that while it is technically possible to use brute-force attacks and such against a value hashed using md5, it is not something the average is capable of doing, and you surely aren't going to find a "script" to do so.  so, just go with what i suggested in creating a password reset.


Well in my case, for leagues and tournaments, a team leader sends an invite to someone to join their team with 1 link. Many leagues have this.. no one is really going to care if it's safe or not as it's just a team that takes part in leagues and not credit card information.

 

As you said there is no way of getting the password once it's encrypted using md5, is there an alternative or must I not use encryption altogether? There is a league that is very active, around 15k users online that uses decrypted passwords and a join link like /join_team/4971608/?joinpw=mypassword


i'm not going to try and sell you on security.  in my head, security is always a must as it does not really require much more effort than a non-secured site.

 

but, if you don't care about secure passwords, then don't use them.


If you're going to let the user choose their own password then you need to encrypt it (need as in ethically), if you are automatically generating them then just don't worry about encryption.

 

An alternative to your problem could be to use a generated session hash as a GET variable instead of the password, then in the db the session hash will be associated to the user's account and you can go from there.

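The generated-token approach suggested in the post above, as an added example that is not part of the original thread: the invite link carries a random single-use token instead of the team password or its md5, and the database keeps only a SHA-256 of that token (a fast hash is adequate here because the token is 256 random bits, not a user-chosen password). The `clan_invites` table, the `invite` parameter and both function names are assumptions made for illustration; the SQLite database is constructed in memory so the script runs on its own.

```php
<?php
// Added example (not from the thread). Table, parameter and function names are hypothetical.
// Constructed in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clan_invites (
    clan_id    INTEGER NOT NULL,
    token_hash TEXT    NOT NULL UNIQUE,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0)');

// Create an invite: the random token goes in the link, only its hash is stored.
function createInvite(PDO $db, int $clanId, int $ttlSeconds = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO clan_invites (clan_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$clanId, hash('sha256', $token), time() + $ttlSeconds]);
    return '?site=clans&action=clanjoin&clanID=' . $clanId . '&invite=' . $token;
}

// Redeem an invite: true only for an unexpired, unused token issued for this clan.
function redeemInvite(PDO $db, int $clanId, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false; // malformed input never reaches the database
    }
    // Atomic single use: the UPDATE only matches a row that is still valid.
    $stmt = $db->prepare('UPDATE clan_invites SET used = 1
        WHERE clan_id = ? AND token_hash = ? AND used = 0 AND expires_at > ?');
    $stmt->execute([$clanId, hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

$link = createInvite($db, 459);
parse_str(ltrim($link, '?'), $query);
var_dump(redeemInvite($db, 459, $query['invite']));    // first use of the link
var_dump(redeemInvite($db, 459, $query['invite']));    // same link replayed
var_dump(redeemInvite($db, 460, $query['invite']));    // token presented for another clan
var_dump(redeemInvite($db, 459, str_repeat('0', 64))); // well-formed but unknown token
```

Because the stored value is a hash of the token, a leaked copy of the table does not yield working invite links, and the team password never appears in a URL, browser history or server log.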

Or when a user requests their password, make them verify username & e-mail address and reset their password, mail them the new one (before md5() is in place) then md5() the password and insert it into the database. =)

 

Easy as 1... 2... 3... That's what I do!

