
I would like to create a login application using PHP and phpmyadmin databases and want the password to be encrypted so

  1. is there another type than md5() and password() to encrypt text?

  2. what the difference between md5() and password()?

  3. what is the better between md5() and password()?

Thank you; hopefully this can be of benefit to others.

*edit: I prefer a one-way hash method for this one :)

  • I don't know much, but as far as I know md5 is a one-way hashing technique. There are other encryption schemes such as Rijndael/AES. You can give it a try – Professor May 09 '14 at 07:07
  • 1
    Take a look at this page: http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html – Cas Bloem May 09 '14 at 07:08
  • 1
    "The PASSWORD() function is used by the authentication system in MySQL Server; *you should not use it in your own applications*." (Like MD5, PASSWORD is also a *one way* function and is [*not* "encryption"](http://stackoverflow.com/questions/23488723/i-want-to-encrypt-blob-using-sha-in-javascript/23488762#23488762).) – user2864740 May 09 '14 at 07:15
  • 1
    If you *really* want to re-invent the wheel and create your *own* password/authentication system (**don't**), then read http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1 to avoid some of the worst mistakes - like using MD5 or SHA! I highly recommend using an *existing* vetted framework. – user2864740 May 09 '14 at 07:17

4 Answers

1

Unfortunately it is not possible to store passwords safely with only SQL commands.

To prevent rainbow-table attacks you should add a random salt to the hashing scheme, but this means that you cannot verify the password with SQL alone. You would have to read the salt of every row in the user table and calculate the hashes for comparing.

A safe hash function can be tuned to need a certain amount of time (e.g. 10ms), BCrypt for example has a cost factor. If you have to check every row and every calculation needs some time, you will run into problems if your user table grows.

These are the reasons why passwords should not be hashed by the database itself; instead do it with your development language. First you have to find the hash and its salt by the given username, afterwards you can verify the password for this single row. For PHP have a look at the function password_hash().

martinstoeckli
0

Yes, there are other types.

I recommend you to use BCRYPT. It allows you to encrypt passwords in a one-way crypt. You won't be able to recover passwords; there's a function which lets you know if a given password is the same as a crypted one.

Cheers

maxime1992
  • No bcrypt in mysql, afaik. I understand what you say, but could you elaborate more? – kapa May 09 '14 at 07:13
  • So -1 was necessary? "No bcrypt in mysql" --> "I would like to create a login application using phpmyadmin databases"; he's gonna use PHP, isn't he? – maxime1992 May 09 '14 at 07:25
  • Don't worry about the downvote, nothing personal. We don't know whether he uses PHP (I guess he is). We know that he is a beginner though, so your answer is more likely to cause confusion. – kapa May 09 '14 at 07:32
  • If you say so. But I don't think so. I'm just telling him that he could use BCRYPT, which is a good library to encrypt passwords ... – maxime1992 May 09 '14 at 07:44
  • Yeah, I'm using PHP to create my login application. I'm sorry for asking such a naive question hehe, I just don't know – user3573370 May 12 '14 at 09:35
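The lookup-then-verify flow martinstoeckli describes, using the bcrypt-backed password_hash()/password_verify() functions that maxime1992's BCRYPT recommendation maps to in PHP, as an added example that is not code from any answer on this page. It assumes a `users(username, password_hash)` table; the in-memory SQLite connection is a stand-in so the script runs offline, and a MySQL PDO DSN works the same way.

```php
<?php
// Added example, not from any answer on this page. Assumed schema:
// users(username, password_hash). SQLite in-memory is a stand-in for MySQL.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];

// Registration: hash once in PHP and store the whole hash string. It embeds the
// algorithm, cost and a random salt, so no separate salt column is needed.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: fetch the single row by username, then verify in PHP. The database
// never receives the plaintext password and never computes a hash itself.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }
    // If the cost or default algorithm has changed since the hash was stored,
    // re-hash transparently while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS), ':u' => $username]);
    }
    return true;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

registerUser($pdo, 'alice', 'correct horse battery staple');
var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, 'nobody', 'anything'));
```

The prepared statements also keep the username lookup injection-safe, and because the query selects one row by username, the cost of a bcrypt verification is paid once per login rather than once per row as the SQL-only approach would require.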
0

All the answers you can find in the official documentation. Please always start with that before asking questions.

  1. Yes, see the list in the linked docs, with detailed explanations.
  2. md5() uses MD5 and password() uses MySQL's native hashing, as seen in the docs.
  3. Depends on what you need it for. This question is way too vague, but the docs give a hint:

    The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead.

kapa
  • OK then, I'm sorry, it's my fault. Thank you for the explanation – user3573370 May 12 '14 at 09:29
  • @user3573370 Just don't forget to accept one of the answers here. Use the tickmark on the left of the answers. – kapa May 12 '14 at 09:51
  • Oh OK, then how do I see who gave me -1? – user3573370 May 12 '14 at 10:29
  • @user3573370 Voting is anonymous. The downvote button on questions reads `This question does not show any research effort; it is unclear or not useful`. So if your question is downvoted, the reason is one of these (I would suspect the first one in your case). – kapa May 12 '14 at 10:46
  • Ohh I see, a little sad that it's not useful for someone else. Btw, thank you for helping me – user3573370 May 14 '14 at 06:45
  • @user3573370 I mean "does not show any research effort". – kapa May 14 '14 at 06:52
0

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.

http://www.sitepoint.com/forums/showthread.php?761789-MYSQL-s-password()-function-or-md5()

Ramki