How to decrypt password in mysql

Question

Going straightly to my question, I have read about encrypting password while registering the user.Till here im able to register users with encrypted password by using PASSWORD('$PASS'); where $PASS is the users password. My sql table details is as follows :-

FNAME
LNAME
EMAIL
PASS // USED ENCRYPTION AS PASSWORD('$PASS'); HERE.

I can't understand how to decrypt the password & use futher in my code i use the following code to use decrypt the password but its not working. !

<?php
$EMAIL = $_POST['email'];
$PASS = $_POST['pass'];

mysql_connect('host', 'user', 'pass');
mysql_select_db('userdb');
$results = mysql_query(sprintf("SELECT FNAME,LNAME,EMAIL,PASS FROM `details`
WHERE PASS=PASSWORD('$PASS')", 
mysql_real_escape_string($EMAIL))) or die(mysql_error()); 
while($row = mysql_fetch_assoc($results))
{$rows[1] = $row;} 
if(!($_COOKIE['pass'] == $rows[1][PASS])) 
//cookie is set while registering user , which is the decrypted(original) value of password.
{ die("Error occured"); } 
else { echo "Password entered is correct"; }

 ////.....my further code here.
  ?>

Its showing Error occured on the page, which means the password is incorrect. I Also add that this code was working correctly before encryption of password in database.Im new to encryption process ,Your little help is needed which will help me to learn more. Thanks in advance.

**Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Sep 29 '13 at 10:46
Additionally it's an extremely bad idea to select just based on the password. you **must** use the email address in the WHERE, too! Passwords are often not unique so in your case a user might end up logging into the wrong account. — ThiefMaster, Sep 29 '13 at 10:47
[The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications](http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password), it would also be sensible to review the [PHP password storage FAQ](http://www.php.net/manual/en/faq.passwords.php) and the [OWASP password storage cheatsheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) — Quentin, Sep 29 '13 at 10:47
*Encryption performed by PASSWORD() is one-way (not reversible).* — Mark Baker, Sep 29 '13 at 10:48
@MarkBaker: According to his code he just wants to compare it and just used very poor wording in his question. — ThiefMaster, Sep 29 '13 at 10:49
Password did not decrypt. your password encrypts and matches with the encrypted password in database. — MD SHAHIDUL ISLAM, Sep 29 '13 at 10:50
Using comma (,) after query statement instead of semicolone(;) — MD SHAHIDUL ISLAM, Sep 29 '13 at 10:51
Ok i will take neccessary steps if i'm going anywhere wrong. Thanks. — Vikrant, Sep 29 '13 at 11:19

Rich Bradshaw · Accepted Answer · 2013-09-29T11:04:24.337

5

You don't encrypt passwords, you hash them.

The point is, that you don't actually need the users password, you just need to know that they know it.

As an example, an absolutely terrible way to do that might be a simple count: e.g.

if the users password was 'horse123', you might store that as 8. Then you just count the letters in the password, and if it's 8, you know it's right.

That means that you never need to know the actual password.

Clearly that's awful, as there are many passwords with 8 characters! We need something with less 'collisions'.

Instead, we use one way hash functions. The most common way to do this is to use an MD5 hash. (it's not the best, but it's simple to explain). For how to actually do this, look at http://www.openwall.com/phpass/.

For the short and sweet version:

Get the users password, and do something like:

$pass = md5('somerandomtextthatyouknow'.$_POST['password']);

then, store that in your DB.

When they log in, you do the same again, and check that the hash in your DB.

This way, you never need to know the actual passwords, the passwords can be as long as you like, and if your database is stolen, the hashes are not useful to anyone (because we added in that random text).

So, now you understand that, read:

http://www.openwall.com/phpass/

and absolutely read up on SQL injection and SQL prepared statements, else this is all a bit pointless!

edited Sep 29 '13 at 11:04

answered Sep 29 '13 at 10:52

Rich Bradshaw

71,795
44
182
241

A good introduction to hashing, but doesn't mention per-user salting. That said, the secret random text should provide enough salt to prevent rainbow table attacks, which is a good start! – halfer Sep 29 '13 at 10:56
1

Yeah, I thought I'd just go through the absolute minimum that someone might use. Doing it as described above is massively better than doing nothing, but really just read http://www.openwall.com/phpass/ and use that. :) – Rich Bradshaw Sep 29 '13 at 10:57
1

True. Incidentally, I rather like the description of `count()` as "a hash function with a high collision rate" too `:-D` – halfer Sep 29 '13 at 11:00
Just thought of that as I was writing it – probably quite a nice way to explain a one way hash without going into any maths. I was going to say store it as `h83`, i.e. starts with `h`, has `8` chars, and ends in `3`, but thought someone might stop there and actually implement that! – Rich Bradshaw Sep 29 '13 at 11:03
I would suggest something like `$password =(CRYPT_SHA512==1)? crypt($password,'$6$rounds=20000$!Z#XC542yuiot&*M^%YTDSFASDAHJillbe$'):FALSE;` instead of md5!! – mamdouh alramadan Sep 29 '13 at 11:08

score 1 · Answer 2 · answered Sep 29 '13 at 10:51

1

You shouldn't encrypt passwords. You should hash them. This way they can't be decrypted.

You can read more about it here.

answered Sep 29 '13 at 10:51

Sawny

1,404
2
14
31

score 0 · Answer 3 · answered Sep 29 '13 at 10:59

Best solution is to use HASH code instead of using encryption and decryption.

md5($pass) - give you 32 bits unique hash code

similarly sha256(), hash()...etc

store these hash codes in your database at the place of password.

Hash code are one way. So it is more secure for your users.

score 0 · Answer 4 · answered Dec 22 '13 at 18:50

0

Click here for a more comprehensive way of protecting your passwords and login access using PHP and MYSQL

answered Dec 22 '13 at 18:50

user28864

3,375
1
25
19

Note that [link-only answers](http://meta.stackoverflow.com/tags/link-only-answers/info) are discouraged, SO answers should be the end-point of a search for a solution (vs. yet another stopover of references, which tend to get stale over time). Please consider adding a stand-alone synopsis here, keeping the link as a reference. – kleopatra Dec 22 '13 at 18:57
Well, thanks for the heads up. However I felt it's better I redirect people who need it to the reliable source instead of picking someones ideas and putting up in the forum as if it was mine. – user28864 Dec 23 '13 at 21:25

How to decrypt password in mysql

4 Answers4