
how secure is password()


plusnplus


It's pretty secure... BUT I would still either salt it by concatenating a secret word onto the front or back of the password before encrypting it, or use php's md5 function and salt it, and then pass it to password() in MySQL.

 

With the wide proliferation of rainbow tables now, you can't be too careful. Of course if you are passing your user's password via clear text then it really doesn't matter that much anyway. Worrying about password security when you pass a password like that would be like worrying about your deposit in the bank, but giving it to a 10 year old to take across the street and drop it off first.


Is it possible to see the real text after using password()?

 

in a word, yes. exploits for other crypto functions are in the ether too. the mysql docs expressly mention not using the password function in your application. instead, consider using sha2 with a high bit length. all of this and more is covered here:

 

http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html

 

Mr Hyde makes a good point too, though. your app is as secure as its weakest link. if you're passing passwords in clear text, then using the password function is overkill. :)


Mr Hyde makes a good point too, though. your app is as secure as its weakest link. if you're passing passwords in clear text, then using the password function is overkill. :)

 

Here is a good launchpad for building a CHAP login system. Basically, the idea is to store the encrypted password in your table, and when a client tries to log in, you encrypt their credentials client side via javascript (now their password is the same as what you actually have in your database), pass a salt, then you encrypt again on both sides via the shared salt and compare the results. It's certainly not an impervious method, but if ssl is cost prohibitive that's a good way to go.

 

My thinking is that if a client trusts you with their password, the least you can do is try to protect it. It's very likely that they use the same password on their banking website, email etc.

