How do people store passwords in a database?

jeephp BeginnerLink Clerk
Hi,
I need some help with storing passwords in a MySQL database or something similar.

I used to store the password in the database using the md5() function, but there is no way to retrieve the password back.

Now I want to know:
Is it a standard and secure way to store a password?
Is there any other technique to store a password so I can retrieve it back?

Any advice on this would be highly appreciated.

Thanks
Paresh

Comments

  • daboss WP V.I.P. ''The Boss'' Administrator
    all passwords should be encrypted before being stored in the database - for obvious reasons. there are many types of encryption - with different encryption strengths and strategies.

    if you want an encryption strategy that can allow you to both encrypt and decrypt, you should think about how you want to secure the key. in symmetric encryption, both parties need the same key (which is not suitable when your users are the general public). if you go for asymmetric encryption, you will need a service or your own setup to manage the distribution of the public key and a strategy to manage your private key - too much trouble.

    so, for small-timers like us, i'd suggest you stick to a simple tool like md5. yes, it's one way only but that should suffice. when a new user sets his password, your script encrypts it and stores the encrypted version in the database. when the user subsequently sends the password for authentication, you encrypt it again and then compare the encrypted string with the one stored in the database. if they're the same, you let the user pass through. you can see that you don't need to decrypt the password.
  • strangedar Senior Member The Royal RAM
    What if the user forgets their password? I'm guessing they won't be able to retrieve it but will they be able to create a new one without changing usernames? ..Just asking out of curiosity...
    sebastianastill.co.uk - My Portfolio
  • CannonBallGuy Moderator Shared Hoster
    Yes. First you will usually have to identify yourself some other way, then most places either give you a new one (which you can change straight away) or the chance to make your own new one. :)
  • daboss WP V.I.P. ''The Boss'' Administrator
    strangedar wrote:
    What if the user forgets their password? I'm guessing they won't be able to retrieve it but will they be able to create a new one without changing usernames? ..Just asking out of curiosity...
    if you're using md5, the user who forgot his password will not be able to retrieve his password anymore... if this is a requirement, you will need to use another algo...

    in any event, as cbg mentioned, this can be overcome using other process-type methods... e.g. the password can be reset and sent to the user's email address...
  • strangedar Senior Member The Royal RAM
    OK thanks :D
    sebastianastill.co.uk - My Portfolio
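
The flow described in the comments above (store a one-way hash, compare at login, reset rather than retrieve a forgotten password), as an added example that is not part of the original thread. It swaps the thread's md5() for PHP's built-in password_hash()/password_verify(), which salt each password and are deliberately slow; the in-memory $users array, the function names and the one-hour token lifetime are assumptions for illustration.

```php
<?php
// Constructed stand-in for the users table; a real application would use MySQL.
// Shape: username => ['hash' => string, 'reset' => null|['token_hash', 'expires']]
$users = [];

function register(array &$users, string $name, string $password): void {
    // password_hash() adds a random per-password salt and uses a slow algorithm,
    // unlike a bare md5() of the password.
    $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'reset' => null];
}

function login(array $users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    // Re-derives the hash using the salt embedded in the stored value, then compares.
    return password_verify($password, $users[$name]['hash']);
}

function startReset(array &$users, string $name): ?string {
    if (!isset($users[$name])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));          // value for the e-mailed reset link
    $users[$name]['reset'] = [
        'token_hash' => hash('sha256', $token),  // only a hash of the token is stored
        'expires'    => time() + 3600,           // assumed one-hour lifetime
    ];
    return $token;
}

function finishReset(array &$users, string $name, string $token, string $newPassword): bool {
    $reset = $users[$name]['reset'] ?? null;
    if ($reset === null || time() > $reset['expires']
        || !hash_equals($reset['token_hash'], hash('sha256', $token))) {
        return false;
    }
    register($users, $name, $newPassword);       // replaces the hash and clears the token
    return true;
}

register($users, 'paresh', 'old secret');        // constructed sample account
var_dump(login($users, 'paresh', 'old secret'));
var_dump(login($users, 'paresh', 'wrong guess'));
$token = startReset($users, 'paresh');
var_dump(finishReset($users, 'paresh', $token, 'new secret'));
var_dump(login($users, 'paresh', 'new secret'));
var_dump(finishReset($users, 'paresh', $token, 'third')); // same token presented again
```

The old password is never recovered at any point: the reset token only authorises setting a new one, and it stops working once used or expired.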