March 24, 2012 at 6:29 am #37314
schart (Participant)

Is there any kind of code that I can use, either before putting the password into the database or as a setting inside the database (phpMyAdmin), with which I can censor and of course uncensor passwords, so that they won’t be readable in the database?
March 25, 2012 at 1:00 am #99896
macharborguy (Participant)

Is there a specific reason you want to store the passwords in a form that can be decrypted back to plain text? This can be a security risk.
What would be best is to hash the password using one of the many cryptographic hashing algorithms, such as SHA-256, and store the resulting hash (plus a random salt value per password) in the database. This way, if your database is compromised, no actual passwords would be vulnerable.
In addition, when a user enters their password, you again run it through the hash function and compare the resulting hash with the one in the database (remember to add the salt).
I suggest downloading the phpBB forum software and looking at their code, as last I checked they did this very thing.
March 26, 2012 at 12:44 am #99927
macharborguy (Participant)

Yes, hashing is the proper way to do this. While an encrypted password may seem safe, it isn’t. All a hacker would need to do is get a copy of the password fields and then run a brute-force cracker on the data to figure out your encryption key.
Hashing is more secure in that no matter what the hacker does with the hashed data, he may have no way of knowing what process led to the original password becoming the final hash value.
You could have salted it as such…
– passwordsalt
– saltpassword
– spaasslwotrd
…or many other ways.
I know you want to prevent yourself from seeing them, but honestly, there is a big difference between you seeing them and acting upon seeing them. You have control of the database, so seeing a user’s password is the least thing to be concerned with. You should be trying to prevent people other than yourself from seeing those passwords, or ever getting their hands on them.
When it comes to encryption and hashes, follow these…
– Only encrypt individual things, and use different encryption methods for multiple things. E.g., do not encrypt each password with the same encryption method, because if one can be decrypted, they all can be decrypted.
– Use hashes for comparing sensitive data, rather than using the raw data itself. Use multiple hashing algorithms if you want to be extra sure a comparison is current. Search for SHA, MD5 and cryptographic hashing in general.
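The register-and-verify flow described in the two replies above (hash with a per-user random salt on signup, re-hash and compare on login), as an added example; this is not code from the posters or from phpBB. It assumes PHP 7.4 or later, PDO, and a hypothetical `users` table whose column names (`password_hash`, `legacy_salt`, `legacy_sha256`) are invented for the illustration. One caveat worth adding to the thread's advice: a salted SHA-256 is better than an encrypted password, but SHA-256 is designed to be fast, so someone who copies the table can still test very large numbers of guesses per second against each salt. PHP's built-in `password_hash()` uses a deliberately slow algorithm (bcrypt under `PASSWORD_DEFAULT`), generates the random salt for you and stores it inside the returned string, so the example stores that and only keeps the salted-SHA-256 scheme as something to migrate existing accounts away from on their next successful login.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumed schema (names are illustrative):
//   users(id, username, password_hash, legacy_salt, legacy_sha256)

// Registration: never store the password itself. password_hash() draws a random
// salt per password, runs a slow algorithm and returns one string that embeds
// algorithm, cost and salt, so no separate salt column is needed for it.
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// The scheme the thread describes: SHA-256 over salt . password with the salt
// stored beside the hash. hash_equals() compares in constant time, but the
// hash itself is fast to compute, so keep this only to verify old accounts.
function legacy_sha256_matches(string $salt, string $password, string $stored): bool
{
    return hash_equals($stored, hash('sha256', $salt . $password));
}

function store_hash(PDO $db, int $id, string $hash): void
{
    $stmt = $db->prepare(
        'UPDATE users SET password_hash = :h, legacy_salt = NULL, legacy_sha256 = NULL WHERE id = :id'
    );
    $stmt->execute([':h' => $hash, ':id' => $id]);
}

// Login: look the user up, re-hash the submitted password with the stored salt
// and compare. Accounts still on the legacy scheme are upgraded on success.
function login_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash, legacy_salt, legacy_sha256 FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always perform one full verification so response time does not reveal
    // whether the username exists. The dummy hash is computed once per process.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    if ($row === false) {
        password_verify($password, $dummy);
        return false;
    }

    if ($row['password_hash'] !== null) {
        if (!password_verify($password, $row['password_hash'])) {
            return false;
        }
        // Re-hash if PASSWORD_DEFAULT or its cost has changed since this hash was made.
        if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
            store_hash($db, (int) $row['id'], password_hash($password, PASSWORD_DEFAULT));
        }
        return true;
    }

    if ($row['legacy_sha256'] !== null
        && legacy_sha256_matches($row['legacy_salt'], $password, $row['legacy_sha256'])) {
        // The plaintext is in hand right now, so move the account to the slow hash.
        store_hash($db, (int) $row['id'], password_hash($password, PASSWORD_DEFAULT));
        return true;
    }

    password_verify($password, $dummy);
    return false;
}

// Self-contained run against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, legacy_salt TEXT, legacy_sha256 TEXT)');

register_user($db, 'alice', 'correct horse battery staple');

// A pre-existing account hashed the way the thread describes (salt . password).
$salt = bin2hex(random_bytes(16));
$db->prepare('INSERT INTO users (username, legacy_salt, legacy_sha256) VALUES (?, ?, ?)')
   ->execute(['bob', $salt, hash('sha256', $salt . 'hunter2')]);

var_dump(login_user($db, 'alice', 'correct horse battery staple'));
var_dump(login_user($db, 'alice', 'wrong password'));
var_dump(login_user($db, 'bob', 'hunter2'));   // succeeds and upgrades bob's row
var_dump(login_user($db, 'nobody', 'anything'));
```

Two design points that follow from the thread: the hash is what gets compared, never the raw password, and the comparison of the legacy hex digests goes through `hash_equals()` rather than `==` so that a byte-by-byte early exit cannot leak how much of a guess matched. Because the salt lives with the hash, nothing about the storage needs to be secret from the database owner; what matters is that a copy of the table alone does not yield the passwords.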
The forum ‘Back End’ is closed to new topics and replies.