RE: Soliciting best approach for storing passwords . . .: msg#01182db.mysql.general
Hi

Just to throw another thought in.... If you do change the password and send it to them, you have to allow for the fact that their email could have changed - left work, service provider went bust etc etc, or somebody could just enter their email for a joke 8*} and get their password reset.

I have seen systems where old and new passwords work until you confirm the new one, which is a halfway house, but more programming.

The fact is that security is difficult, not technically, but from a human perspective. People are a security risk and educating users in proper security is the best answer, though a lost cause sometimes :)

Regarding two-way encryption see http://www.mysql.com/doc/M/i/Miscellaneous_functions.html and ENCODE(str,pass_str)

BFN

Peter

-----------------------------------------------
Excellence in internet and open source software
-----------------------------------------------
Sunmaia
www.sunmaia.net
info@xxxxxxxxxxx
tel. 0121-242-1473
-----------------------------------------------

> -----Original Message-----
> From: César Aracena [mailto:icaam@xxxxxxxxxxxx]
> Sent: 30 June 2002 21:42
> To: 'databarn'; 'MySQL'
> Subject: RE: Soliciting best approach for storing passwords . . .
>
>
> Barn.
>
> I asked the same question a couple of weeks ago and all the answers I got
> pointed to one-way encryption. Actually, I had the same need as you,
> but understood that it was better to reset the password when a "Forgot
> password" request was made, send it to the user and ask them to change the
> password at the next login.
>
> I suppose you have the same problem that I had... a few users who would
> get angry if asked to do such a thing. But then I realized that if I
> used a very common "words" list to generate random passwords, they might
> even learn that password without changing it.
>
> After all the responses I've got regarding this issue, I never got the
> answer to how to do two-way encryption, so if this doesn't help you...
>
> > -----Original Message-----
> > From: databarn [mailto:databarn@xxxxxxxxxxx]
> > Sent: Sunday, June 30, 2002 10:36 AM
> > To: MySQL
> > Subject: Soliciting best approach for storing passwords . . .
> >
> > Folk,
> > I need some input on how best to store username/password combinations
> > online. My preference would be to store a one-way encrypted value, but
> > that is not possible in this situation. The constraint is that we have to
> > make provision for giving the user's password back to the user after a
> > "forgot my password" link has been clicked.
> >
> > (Oh, a secondary input would be on the best way to accomplish the password
> > return to the user <grin />.)
> >
> > Normally, I store passwords as a one-way hash, then encrypt input to see
> > if it matches, but I can't do that this time: I have to store a clear
> > text or decryptable value. I've seen several approaches to this, but
> > don't see any clear 'best practice'. Right now I'm leaning toward a
> > multiple table design, but I have no real idea if this is a better model
> > than a single table design. I'd really appreciate input from some of you
> > who have wrestled with this problem before.
> >
> > If it matters, the development box is Win2K/IIS5, PHP 4.0.5, MySQL
> > 3.23.32, and the implementation box is *nix/Apache 1.3.22, PHP 4.1.1,
> > MySQL 3.23.47.
> >
> > I'd appreciate any suggestions for a best resolution. Thanks.
> >
> > Make a good day . . .
> > . . . barn
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > If you're not confused, you're not paying attention
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> > http://www.mysql.com/manual.php (the manual)
> > http://lists.mysql.com/ (the list archive)
> >
> > To request this thread, e-mail <mysql-thread113423@xxxxxxxxxxxxxxx>
> > To unsubscribe, e-mail <mysql-unsubscribe-icaam=icaam.com.ar@xxxxxxxxxxxxxxx>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
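The thread above circles three ideas: store only a one-way hash (databarn's normal practice and the advice César received), answer a "forgot password" request by issuing a fresh random password that must be changed at next login (César), and a "halfway house" where the old and the new password both work until the new one is confirmed (Peter). The following is an added example, not code from any of the posters, showing how those three fit together without ever keeping a decryptable password. It assumes an in-memory dict standing in for the MySQL users table, PBKDF2-SHA256 as the one-way hash (the thread names no particular hash), and hypothetical names such as `AccountStore` and `forgot_password`; the temporary password is random rather than drawn from a word list, which avoids the guessable-reset problem César describes, and it expires so a stale or mistaken reset cannot linger.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# PBKDF2 work factor; a constructed value for this example, not from the thread.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a salted one-way hash of `password`."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory stand-in for the users table (hypothetical); only hashes are stored."""

    def __init__(self, clock=time.time):
        self.users = {}
        self.clock = clock  # injectable so expiry can be tested deterministically

    def create_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest,
                                "reset": None, "must_change": False}

    def forgot_password(self, username: str, ttl_seconds: int = 3600) -> Optional[str]:
        """Issue a random temporary password and return it for the caller to email.

        The old password keeps working until the temporary one is used (the
        "halfway house"), so a reset requested by mistake or by a third party
        does not lock the real owner out. Only the hash of the temporary
        password is stored, and it expires after `ttl_seconds`.
        """
        user = self.users.get(username)
        if user is None:
            return None  # caller reports the same outcome either way
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        user["reset"] = {"salt": salt, "hash": digest,
                         "expires": self.clock() + ttl_seconds}
        return temp

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'change_required' or 'denied'."""
        user = self.users.get(username)
        if user is None:
            return "denied"
        if check_password(password, user["salt"], user["hash"]):
            return "change_required" if user["must_change"] else "ok"
        reset = user["reset"]
        if (reset is not None and self.clock() < reset["expires"]
                and check_password(password, reset["salt"], reset["hash"])):
            # Confirming the temporary password retires the old one and
            # forces a change at this login, as the thread recommends.
            user["salt"], user["hash"] = reset["salt"], reset["hash"]
            user["reset"] = None
            user["must_change"] = True
            return "change_required"
        return "denied"

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user["salt"], user["hash"] = hash_password(new_password)
        user["reset"] = None
        user["must_change"] = False


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("barn", "original-secret")   # constructed sample account
    temp = store.forgot_password("barn")
    print("old password still valid:", store.login("barn", "original-secret"))
    print("temporary password:", store.login("barn", temp))
    print("old password after confirmation:", store.login("barn", "original-secret"))
```

The `reset` column is the only extra state the halfway house needs; everything else is the ordinary one-way scheme databarn already uses, so the constraint of "giving the password back" is met by issuing a new one rather than by storing a decryptable one.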