Re: Changing Plain Text Passwords to Hashed Passwords
Posted by:
Rick James
Date: December 31, 2009 08:13PM
You have to rewrite at least some code.
aes_encrypt() is one possibility. But it is overkill -- you don't really need a function that can be reversed. Instead, consider MD5().
Another security tip -- avoid passing the password in plaintext in a SQL statement. That is, do the MD5 (or whatever) in your application language, then compare the result to what is in the table.
When using MD5, you should concatenate the plaintext with a secret passphrase. Example (using php)
When creating a pwd:
$user_entry = $_POST[...];
$encrypted = MD5($user_entry . 'secret passphrase');
INSERT INTO ... $encrypted
When checking:
$user_entry = $_POST[...];
$encrypted = MD5($user_entry . 'secret passphrase');
$in_db = SELECT ...
if ($in_db != $encrypted) { echo 'bad pwd'; }
Subject
Written By
Posted
December 30, 2009 02:55PM
Re: Changing Plain Text Passwords to Hashed Passwords
December 31, 2009 08:13PM
Sorry, you can't reply to this topic. It has been closed.
Content reproduced on this site is the property of the respective copyright holders.
It is not reviewed in advance by Oracle and does not necessarily represent the opinion
of Oracle or any other party.