
Storing passwords as plain text

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

Postby whitedragon101 » Wed Oct 06, 2010 3:39 pm

I have a mysql database that allows a customer to view an order they have made. The usernames and passwords only allow a customer to view but not change anything.
At the moment the passwords are stored as plain text. I have seen many security articles saying this is bad and that should someone crack into your database they can steal all your passwords. My problem is I'm confused, but it seems (and correct me if I'm wrong, which is why I'm asking :) ):

If someone breaks into my database then the only use of a password is to log into the system and see a user's information. However, if they have access to the database they already have access to the user's information.

Basically:

1) Text passwords + Cracker gains access to database = user data stolen
2) Encrypted passwords + Cracker gains access to database = user data stolen

Is there any point hashing the passwords?
whitedragon101
New php-forum User
 
Posts: 2
Joined: Wed Oct 06, 2010 3:27 pm

Re: Storing passwords as plain text

Postby egami » Tue Oct 26, 2010 8:41 am

Well, if you're using authentication it should be over SSL.
But, in the case that you can't use SSL, then passing user information over cleartext is all you can do.

This can be accessible from anyone on a wireless connection, anyone on the ISP from and to the source and destination.


However, putting passwords in the DB will prevent that cracker from getting that user's passwords and using them on other sites where they might be using the same password.

It's about ethics more than just security.

-B
egami
php-forum GURU
 
Posts: 2197
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: Storing passwords as plain text

Postby egami » Tue Oct 26, 2010 8:44 am

$password = md5($_REQUEST['password']); is the simplest form of encryption, but you can use seeds and other things to make it even more complicated.

I typically will use a random seed for the website, and append it to or prepend it to the password just to confuse any outsiders.

md5 password encryption along with another md5 seed attached together = good enough for government work.

-B
egami
php-forum GURU
 
Posts: 2197
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT
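The two points raised in this thread, whitedragon101's question of what hashing buys you once the database is already stolen, and egami's suggestion of hashing with a seed (salt) attached, in working PHP as an added example. This is not code from either post; the `customers` table, its `password_hash` column, and the sample user are assumed for illustration. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate a random per-user salt automatically and use a deliberately slow hash, so a copy of the table yields neither the customers' passwords nor anything reusable on other sites, which is exactly the reuse risk egami describes.

```php
<?php
// Added example, not from the forum posts. Table/column names are assumed.

// --- Setting or changing a customer's password ---
function store_password(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt per call and embeds the salt,
    // algorithm and cost in the returned string, so no separate salt
    // column is needed and two users with the same password get
    // different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'UPDATE customers SET password_hash = :hash WHERE username = :user'
    );
    $stmt->execute([':hash' => $hash, ':user' => $username]);
}

// --- Login check ---
function check_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT password_hash FROM customers WHERE username = :user'
    );
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['password_hash'] === '') {
        return false;
    }

    // password_verify() reads the salt and cost back out of the stored
    // hash and compares in constant time.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PASSWORD_DEFAULT or its cost has been raised since this hash was
    // stored, upgrade it now while the plaintext is in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        store_password($db, $username, $password);
    }
    return true;
}

// --- Self-contained demonstration on an in-memory SQLite database ---
// (constructed sample data so the script runs without a MySQL server;
// swap the DSN for your mysql: connection in a real deployment).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->exec("INSERT INTO customers (username, password_hash) VALUES ('alice', '')");

store_password($db, 'alice', 'correct horse battery staple');

// What an attacker with a dump of the table actually sees: a salted hash,
// not the password the customer may also use on their e-mail or bank.
echo "stored value for alice: ",
     $db->query("SELECT password_hash FROM customers WHERE username = 'alice'")->fetchColumn(),
     PHP_EOL;

var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, 'alice', 'wrong password'));
var_dump(check_login($db, 'nobody', 'anything'));
```

The answer to the original question follows from the last few lines: a stolen table still exposes the order data the account protects, but it does not hand the attacker a list of working passwords to try elsewhere, and the per-user random salt means precomputed tables for unsalted md5 do not apply.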
