Reputation: 6174
Better way save password in mysql which can be decrypted also using php
I am currently using md5 function to encrypt my password and save to mysql db which can not be decrypted.
Now my user want that when they forgot password, they should get same (old) password instead of new password.
So my question is that what should i use to encrypt my password and store in mysql Database. And i can decrypt that password also.
i am running on php and mysql.
Thanks
Avinash
Upvotes: 12
Views: 3587
Answers (8)
Reputation: 7042
create dynamic salts ( 2, one 'permanent' to mix with the password before hashing / crypting, other one dynamic, changing every time user logs in );
$dynamicSalt = ''; for ($i = 0; $i < 8; $i++) { $dynamicSalt .= chr(rand(33, 126)); }never save passwords in any manner that can help you 'decode' them later, it's not up to you to retrieve original password but to let users reset it
If you really need to save the original passwords, create a database account with WRITE permissions only and store it in some other database ( on another server ? ).
Upvotes: 0
Reputation: 48357
It is not possible to store the password in such a way that it is still recoverable without either
1) storing the decryption key in your code/data (which rather defeats the purpose of hashing/encrypting the password)
2) encrypting the password using public/private key encryption the routing the recovery through som sort of semi-manual process where the password can be recovered.
The simplest solution is to require your users to provide/maintain a current email address and rely on the security of that to provide a new password on request.
C.
Upvotes: 0
Reputation: 8268
If you're running an internal private site with no security issues, just store passwords with XOR 0xAD each byte. Otherwise, reset is the only option.
Upvotes: 0
Reputation: 7370
Don't do that...
First, use something better than md5. Then create a way to "reset" the password, but never a way to actually retreive the password from the db...
That will make your app less secure, but maybe even worse; you and your users will have a problem if your data gets stolen! Someone is going to have a database with usernames and passwords of all your users!
Upvotes: 15
Reputation: 1643
It's not safe to do that you better can create a way to reset the password
Upvotes: 0
Reputation: 40675
Don't do that, it will compromise your security! The whole idea of one way encryption is that if your database is hacked you won't face the problem that all your users passwords will be known alongside with their email addresses!
Upvotes: 2
Reputation: 798436
Encrypting instead of hashing means that you have to store the decrypt key, which means reduced security for your app. Reset their password, and send them the new one.
Upvotes: 5
Related Questions
- Encrypting/Decrypting Passwords to and from a MySQL database
- Encrypt password before storing in database?
- MySQL ENCRYPT password but how to DECRYPT?
- Encrypt password and store in DB on android
- How to store encrypted data in mySQL
- What are the best practices to encrypt passwords stored in MySql using PhP?
- How to decrypt password in mysql
- PHP encrypt password before storing it to database
- Best way of encrypting text to store in mysql database
- How can I encrypt password data in a database using PHP?