(Msg. 1) Posted: Mon Dec 10, 2007 6:00 am
Post subject: Types of password storage Archived from groups: alt>php>sql

Sorry if my question seems simple but I'm a bit new.
I've done a web site for a small voluntary group supporting a charity
and used the following code to insert stuff in the database:
....VALUES ('', '$title', '$firstname', '$surname', '$username',
password('$password'), etc etc
This encrypted the password and when checking to allow a user entry, I
did the comparison:
$Query="SELECT * FROM $TableName where username='$username' and
password=password(\"$password\")";
This all worked fine until a couple of days ago when it all went
pear-shaped.
The web host said, in answer to my query
The problem is that passwords in your databases are stored as 41-byte
hash values, but as we have enabled an old-passwords option on our
shared servers the password() function produces 16 bytes long hashes.
To avoid this problem you can use either md5() or sha1() function
instead.
Does this mean I should go
VALUES ('', '$title', '$firstname', '$surname', '$username',
md5('$password'),
Sorry if my question isn't clear.

(Msg. 2) Posted: Mon Dec 10, 2007 11:58 am
Post subject: Re: Types of password storage Archived from groups: per prev. post

wrote:
> Sorry if my question seems simple but I'm a bit new.
>
> I've done a web site for a small voluntary group supporting a charity
> and used the following code to insert stuff in the database:
>
> ...VALUES ('', '$title', '$firstname', '$surname', '$username',
> password('$password'), etc etc
>
> This encrypted the password and when checking to allow a user entry, I
> did the comparison:
>
> $Query="SELECT * FROM $TableName where username='$username' and
> password=password(\"$password\")";
>
> This all worked fine until a couple of days ago when it all went
> pear-shaped.
>
> The web host said, in answer to my query
>
> The problem is that passwords in your databases are stored as 41-byte
> hash values, but as we have enabled an old-passwords option on our
> shared servers the password() function produces 16 bytes long hashes.
> To avoid this problem you can use either md5() or sha1() function
> instead.
>
> Does this mean I should go
> VALUES ('', '$title', '$firstname', '$surname', '$username',
> md5('$password'),
>
> Sorry if my question isn't clear.
Yes, I always use the md5 function for passwords. It produces a 32 ascii
character string.

(Msg. 3) Posted: Mon Dec 10, 2007 11:58 am
Post subject: Re: Types of password storage Archived from groups: per prev. post

On 10 Dec, 16:08, Ian Pawson wrote:
> wrote:
> > Sorry if my question seems simple but I'm a bit new.
>
> > I've done a web site for a small voluntary group supporting a charity
> > and used the following code to insert stuff in the database:
>
> > ...VALUES ('', '$title', '$firstname', '$surname', '$username',
> > password('$password'), etc etc
>
> > This encrypted the password and when checking to allow a user entry, I
> > did the comparison:
>
> > $Query="SELECT * FROM $TableName where username='$username' and
> > password=password(\"$password\")";
>
> > This all worked fine until a couple of days ago when it all went
> > pear-shaped.
>
> > The web host said, in answer to my query
>
> > The problem is that passwords in your databases are stored as 41-byte
> > hash values, but as we have enabled an old-passwords option on our
> > shared servers the password() function produces 16 bytes long hashes.
> > To avoid this problem you can use either md5() or sha1() function
> > instead.
>
> > Does this mean I should go
> > VALUES ('', '$title', '$firstname', '$surname', '$username',
> > md5('$password'),
>
> > Sorry if my question isn't clear.
>
> Yes, I always use the md5 function for passwords. It produces a 32 ascii
> character string.
Joomla have recently updated their password handling to add a salt to
the end of the string to be MD5ed.
This is because there are databases available on the net that can give
the likely original password for many "trivial" passwords. Since folks
who use trivial passwords often use them on many sites, this is an
obvious good security hole. I ran a curl script against a couple of
old, pre-salt, Joomla databases and found a 30% hit rate on likely
passwords.
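
Added example, not part of the original thread and not any poster's code: a PHP sketch of moving off the values discussed above. It checks the 41-character MySQL PASSWORD() value (or an unsalted MD5) in application code, so login no longer depends on the server's old-passwords setting, and on a successful login replaces it with a salted hash from PHP's built-in password_hash(), which is also deliberately slow where salted MD5 is not. The function names and the sample password are assumptions made for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names and sample values are constructed (PHP 7.1+).

// MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(password)), 41 chars.
function mysql41_password(string $plain): string
{
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

// Recognise what kind of value a row holds from its shape.
function stored_hash_kind(string $stored): string
{
    if (password_get_info($stored)['algoName'] !== 'unknown') return 'password_hash';
    if (preg_match('/^\*[0-9A-F]{40}$/', $stored)) return 'mysql41';
    if (preg_match('/^[0-9a-f]{16}$/', $stored)) return 'mysql_old';
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) return 'md5_unsalted';
    return 'unknown';
}

// Returns [bool $ok, ?string $newHash]; a non-null $newHash should replace the
// stored value so the legacy hash disappears after the next successful login.
function verify_and_upgrade(string $plain, string $stored): array
{
    switch (stored_hash_kind($stored)) {
        case 'password_hash':
            $ok = password_verify($plain, $stored);
            $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
            break;
        case 'mysql41':
            $ok = $rehash = hash_equals($stored, mysql41_password($plain));
            break;
        case 'md5_unsalted':
            $ok = $rehash = hash_equals($stored, md5($plain));
            break;
        default: // 16-char pre-4.1 hashes and unknown shapes: require a reset
            return [false, null];
    }
    return [$ok, $rehash ? password_hash($plain, PASSWORD_DEFAULT) : null];
}

// Constructed demo: a row as written by the original PASSWORD() insert.
$legacy = mysql41_password('correct horse');
[$ok, $new] = verify_and_upgrade('correct horse', $legacy);
var_dump($ok, stored_hash_kind($new));
// The upgraded value verifies without any database function.
var_dump(verify_and_upgrade('correct horse', $new)[0]);
// password_hash() salts each call, so the same password stores differently.
var_dump(password_hash('correct horse', PASSWORD_DEFAULT) === $new);
```

The password column must be widened before storing the new values; the PHP manual recommends 255 characters for password_hash() output.
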
(Msg. 4) Posted: Mon Dec 10, 2007 1:58 pm
Post subject: Re: Types of password storage Archived from groups: per prev. post

On Mon, 10 Dec 2007 08:47:21 -0800 (PST), Captain Paralytic
wrote:
>On 10 Dec, 16:08, Ian Pawson wrote:
>> wrote:
>> > Sorry if my question seems simple but I'm a bit new.
>>
>> > I've done a web site for a small voluntary group supporting a charity
>> > and used the following code to insert stuff in the database:
>>
>> > ...VALUES ('', '$title', '$firstname', '$surname', '$username',
>> > password('$password'), etc etc
>>
>> > This encrypted the password and when checking to allow a user entry, I
>> > did the comparison:
>>
>> > $Query="SELECT * FROM $TableName where username='$username' and
>> > password=password(\"$password\")";
>>
>> > This all worked fine until a couple of days ago when it all went
>> > pear-shaped.
>>
>> > The web host said, in answer to my query
>>
>> > The problem is that passwords in your databases are stored as 41-byte
>> > hash values, but as we have enabled an old-passwords option on our
>> > shared servers the password() function produces 16 bytes long hashes.
>> > To avoid this problem you can use either md5() or sha1() function
>> > instead.
>>
>> > Does this mean I should go
>> > VALUES ('', '$title', '$firstname', '$surname', '$username',
>> > md5('$password'),
>>
>> > Sorry if my question isn't clear.
>>
>> Yes, I always use the md5 function for passwords. It produces a 32 ascii
>> character string.
>
>Joomla have recently updated their password handling to add a salt to
>the end of the string to be MD5ed.
>
>This is because there are databases available on the net that can give
>the likely original password for many "trivial" passwords. Since folks
>who use trivial passwords often use them on many sites, this is an
>obvious good security hole. I ran a curl script against a couple of
>old, pre-salt, Joomla databases and found a 30% hit rate on likely
>passwords.
Thank you both.