Comparing MySQL Password() to PHP/Javascript, Force Different Password

[ajbarlow87]

I'm not really sure where to post this topic... it touches on MySQL, PHP, Javascript, and best practices.

 

I want to force users to update their password after 90 days.  I can force them to the update page no problemo, but I'm having troubles forcing them to pick a new password, something different than what they have already stored in the database.

 

Currently when a user registers for an account on my site, the password is passed in plain text and I let the MySQL Password() function hash it (I've come to understand this is bad practice).  This makes it kind of difficult, because I am having a hard time verifying their new, plain text entry on the update page to the Password() hashed old one.

 

The closest I've gotten is this:

 
<script type="text/javascript">
function newpassword() { 
var oldpw = "<?php echo $XXXXXX->UserPassword; ?>";
var newpw = "<?php echo '*' . strtoupper(sha1(pack('H*',sha1('<script type="text/javascript">document.write(document.FORMNAME["UserPassword"].value);</script>'))));?>";
....
</script>

And I would then compare the two variables.  I'm wondering if this is even possible. I've seen a few suggestions online using UNHEX or CryptoJS, but when I use those functions my page loads with nothing on it.

 

I've thought about passing the value as a md5 hashed value, and just storing that in the database instead, but I've read a bit that md5 isn't very secure anymore.

 

I'm kind of at a loss of what to do at this point.  Any help/guidance?

Edited April 14, 2013 by ajbarlow87

[trq]

the password is passed in plain text and I let the MySQL Password() function hash it (I've come to understand this is bad practice)

It's not just bad practice. The password function should never be used. It can change between mysql versions without warning breaking your data.

 

I am having a hard time verifying their new, plain text entry on the update page to the Password() hashed old one

Most "change password" page will also ask for the current password. You can use this to check the new password is indeed new, and then again, on the server side you can verify that they have indeed given you the correct old password.

 

I've thought about passing the value as a md5 hashed value, and just storing that in the database instead, but I've read a bit that md5 isn't very secure anymore.

You should be able to google plenty of resources regarding storing passwords in mysql using php.

[ajbarlow87]

It's not just bad practice. The password function should never be used. It can change between mysql versions without warning breaking your data.

Yeah, I've been reading on this, and it seems everyone and their Mom says not to do this, and the MySQL manual specifies not to use it either.  Thanks for pointing out the changes.

 

 

 

 

Most "change password" page will also ask for the current password. You can use this to check the new password is indeed new, and then again, on the server side you can verify that they have indeed given you the correct old password.

This is why I'm a wannabe.  This answer should have been clear to me...

 

 

 

 

You should be able to google plenty of resources regarding storing passwords in mysql using php.

I'm going to end up using crypt I believe.

 

Thanks for the nudge in the right direction.

Edited April 14, 2013 by ajbarlow87