Comparing MySQL Password() to PHP/Javascript, Force Different Password


Solved by trq

I'm not really sure where to post this topic... it touches on MySQL, PHP, Javascript, and best practices.

 

I want to force users to update their password after 90 days.  I can force them to the update page no problemo, but I'm having trouble forcing them to pick a new password, something different from what they already have stored in the database.

 

Currently when a user registers for an account on my site, the password is passed in plain text and I let the MySQL Password() function hash it (I've come to understand this is bad practice).  This makes it kind of difficult, because I am having a hard time verifying their new, plain text entry on the update page to the Password() hashed old one.

 

The closest I've gotten is this:

 
<script type="text/javascript">
function newpassword() { 
var oldpw = "<?php echo $XXXXXX->UserPassword; ?>";
var newpw = "<?php echo '*' . strtoupper(sha1(pack('H*',sha1('<script type="text/javascript">document.write(document.FORMNAME["UserPassword"].value);</script>'))));?>";
....
</script>

And I would then compare the two variables.  I'm wondering if this is even possible. I've seen a few suggestions online using UNHEX or CryptoJS, but when I use those functions my page loads with nothing on it.

 

I've thought about passing the value as a md5 hashed value, and just storing that in the database instead, but I've read a bit that md5 isn't very secure anymore.

 

I'm kind of at a loss of what to do at this point.  Any help/guidance?

Edited by ajbarlow87
Solution (accepted answer, by trq)

the password is passed in plain text and I let the MySQL Password() function hash it (I've come to understand this is bad practice)

It's not just bad practice. The password function should never be used. It can change between mysql versions without warning, breaking your data.

 

I am having a hard time verifying their new, plain text entry on the update page to the Password() hashed old one

Most "change password" pages will also ask for the current password. You can use this to check the new password is indeed new, and then again, on the server side you can verify that they have indeed given you the correct old password.

 

I've thought about passing the value as a md5 hashed value, and just storing that in the database instead, but I've read a bit that md5 isn't very secure anymore.

You should be able to google plenty of resources regarding storing passwords in mysql using php.
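Here is how the server-side flow trq describes looks in PHP. This is an added example, not code from trq or ajbarlow87: the browser only submits the current password, the new password and a confirmation, and every check (correct current password, new password actually different, then rehash) happens on the server against the stored hash. The column name UserPassword comes from the thread; the function names, the users table layout (id, password_changed_at) and the 12-character minimum are assumptions. The legacy helper reproduces the MySQL 4.1+ PASSWORD() format ('*' followed by upper-case hex of SHA1(SHA1(password))) so rows that still hold a PASSWORD() hash can be verified once and then rewritten with password_hash(); it is never used to store anything new.

```php
<?php
// Added example (not from the thread): server-side "change password" handling
// with password_hash()/password_verify(), plus a one-off compatibility check
// for rows still holding MySQL PASSWORD() hashes so they can be migrated.
// Function names and the extra columns are assumptions for illustration.

declare(strict_types=1);

// Reproduces the MySQL 4.1+ PASSWORD() format: '*' + upper-hex SHA1(SHA1(pw)).
// Used only to verify a legacy row during migration, never to store new hashes.
function legacyMysqlPasswordHash(string $plain): string
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

// True if $plain matches the stored value, whichever format the row holds.
function verifyStoredPassword(string $plain, string $stored): bool
{
    if ($stored !== '' && $stored[0] === '*' && strlen($stored) === 41) {
        return hash_equals($stored, legacyMysqlPasswordHash($plain));
    }
    return password_verify($plain, $stored);
}

/**
 * Validates a change-password request.
 * Returns ['ok' => bool, 'error' => ?string] and, on success, 'new_hash'.
 * $storedHash is the value currently in the users table for this user.
 */
function changePassword(string $current, string $new, string $confirm, string $storedHash): array
{
    if (!verifyStoredPassword($current, $storedHash)) {
        return ['ok' => false, 'error' => 'Current password is incorrect.'];
    }
    if ($new !== $confirm) {
        return ['ok' => false, 'error' => 'New passwords do not match.'];
    }
    if (strlen($new) < 12) {
        return ['ok' => false, 'error' => 'New password must be at least 12 characters.'];
    }
    // "Different from what they already have": compare against the stored hash
    // on the server, not against a client-side re-hash that a user could bypass.
    if ($new === $current || verifyStoredPassword($new, $storedHash)) {
        return ['ok' => false, 'error' => 'New password must differ from the current one.'];
    }
    return ['ok' => true, 'error' => null, 'new_hash' => password_hash($new, PASSWORD_DEFAULT)];
}

// Persisting the result; the 90-day expiry is driven by password_changed_at.
// Prepared statement, so the hash is never interpolated into SQL.
function savePassword(PDO $db, int $userId, string $newHash): void
{
    $stmt = $db->prepare(
        'UPDATE users SET UserPassword = :hash, password_changed_at = NOW() WHERE id = :id'
    );
    $stmt->execute([':hash' => $newHash, ':id' => $userId]);
}

// Constructed demo: a row that still holds a PASSWORD()-style hash of "OldSecret1!".
$legacyRow = legacyMysqlPasswordHash('OldSecret1!');

// Same password re-submitted: rejected by the "must differ" check.
$result = changePassword('OldSecret1!', 'OldSecret1!', 'OldSecret1!', $legacyRow);
var_dump($result['ok'], $result['error']);

// Genuinely new password: accepted, and new_hash is a password_hash() value
// that replaces the legacy PASSWORD() hash in the row.
$result = changePassword('OldSecret1!', 'correct horse battery', 'correct horse battery', $legacyRow);
var_dump($result['ok'], password_verify('correct horse battery', $result['new_hash']));
```

Once every row has been rewritten this way, the legacy branch in verifyStoredPassword() can be deleted; the expiry check on the update page then only has to compare password_changed_at against the current date.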

It's not just bad practice. The password function should never be used. It can change between mysql versions without warning, breaking your data.

Yeah, I've been reading on this, and it seems everyone and their Mom says not to do this, and the MySQL manual specifies not to use it either.  Thanks for pointing out the changes.

Most "change password" pages will also ask for the current password. You can use this to check the new password is indeed new, and then again, on the server side you can verify that they have indeed given you the correct old password.

This is why I'm a wannabe.  This answer should have been clear to me...

You should be able to google plenty of resources regarding storing passwords in mysql using php.

I'm going to end up using crypt I believe.

 

Thanks for the nudge in the right direction.

Edited by ajbarlow87