  1. #1
    Join Date: Jan 2012
    Posts: 91

    Unanswered: How to compare the password stored in the database?

    I found a function that encrypts the password:
    Code:
    SELECT PASSWORD('password');
    and stores it as a binary string: *EE0804DDC2CC3E85A47191ECCCBA29B775DFFA77
    I do not know which function to use to decrypt the binary string and compare it with the user's password. Thanks.

  2. #2
    Join Date: Nov 2004
    Location: out on a limb
    Posts: 13,692
    Provided Answers: 59

    Insert the encrypted password into the database using the PASSWORD() function,
    then when checking for authentication, match using a WHERE clause that uses the same function.

    When inserting or updating:
    Code:
    INSERT INTO MyTable (userid, passwd) VALUES ('duf', PASSWORD(mypasswordvariable));
    Code:
    -- restrict the UPDATE to the one user, otherwise every row's password is overwritten
    UPDATE MyTable SET passwd = PASSWORD(mypasswordvariable) WHERE userid = 'myuseridvariable';
    To match the password:
    Code:
    SELECT my, column, list FROM MyTable
    WHERE userid = 'myuseridvariable'
    AND passwd = PASSWORD(mypasswordvariable);
    If you have rows returned, then the passwords match.
    If you have no rows returned, then there is no password match for that userid.
    I'd rather be riding on the Tiger 800 or the Norton

  3. #3
    Join Date: Jan 2012
    Posts: 91

    Return or not return ;-). Thank you.
    "PASSWORD() is a strictly one-way encryption: there's no way to programmatically deduct the original password from the string"
    What function() should I use to work with the password in two ways?
    Last edited by duf; 09-20-12 at 08:18.

  4. #4
    Join Date: Nov 2004
    Location: out on a limb
    Posts: 13,692
    Provided Answers: 59

    y'don't
    You compare the stored encrypted password with the user input encrypted using the same function.

    So you don't compare the plaintext password at all, you compare the encrypted passwords. The theory is that if your db is compromised then a scumbag, sorry hacker/cracker, cannot get access to the password.

    Or you don't use the MySQL function and instead use the front end to encrypt the password and then store it as encrypted.

    You don't EVER store plaintext passwords.
    You don't need to know plaintext passwords, as you compare the stored encrypted password with the user supplied password that is encrypted using the same algorithm.
    Last edited by healdem; 09-20-12 at 08:55.
    I'd rather be riding on the Tiger 800 or the Norton

  5. #5
    Join Date: Jan 2012
    Posts: 91

    That is right. But I want to get the password into the application window like:

    Password: ****

    So I need to have access to the password having the same number of characters. The PASSWORD() function generates a string of almost 50 characters. How does this work?

  6. #6
    Join Date: Nov 2004
    Location: out on a limb
    Posts: 13,692
    Provided Answers: 59

    In which case use some other function which allows two-way encryption/decryption, but accept that you are compromising your security regime if someone looks at your code and discovers the encryption seed value.

    If you 'must' show the number of characters in the password then continue to use a one-way encryption function but store the length of the unencrypted password and use that value. However, that's not considered a 'smart' call as it potentially gives a cracker/hacker something to work with. Instead of your password being unknown, a scumbag now knows how many characters to play with.
    I'd rather be riding on the Tiger 800 or the Norton

  7. #7
    Join Date: Jan 2012
    Posts: 91

    I see. Thanks a lot.

  8. #8
    Join Date: Mar 2004
    Posts: 480

    1) Don't use PASSWORD to store passwords in a regular database in MySQL. This is because PASSWORD is the hash that is used to store MySQL user passwords in the system, and the algorithm may change from time to time (like it did in MySQL 4.0, I believe). Use MD5 or SHA1 or SHA2 for encrypting your password.

    2) I'm guessing you don't need the specific number of characters in the front end application, only you mean to have it show as ***** when the user types it in. That would be handled by the front end application. In an HTML form, for example, you would use TYPE=PASSWORD for that field and it would show the password when typed as *****. Depending on the front end you are using, there are likely similar tools to obscure the password to the user.
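The store-then-compare flow from posts #2 and #4, built on the SHA-2 family that post #8 recommends, as an added example that is not from this thread, from MySQL, or from any of the posters. It assumes an in-memory SQLite table in place of MySQL's MyTable and Python's hashlib in place of the PASSWORD() function (both assumptions; the column names `userid` and `passwd` are kept from post #2, `salt` is added). Each stored value is a salted PBKDF2-SHA256 hash, a login is verified by recomputing the hash from the supplied password and comparing in constant time, and nothing is ever decrypted. It also answers post #5's worry: the stored hash is always 32 bytes, whatever the password's length, so the length cannot be read back from it.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16        # per-user random salt so equal passwords do not hash alike


def open_db() -> sqlite3.Connection:
    """Constructed stand-in for post #2's MyTable (assumption: SQLite in memory, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MyTable ("
        "userid TEXT PRIMARY KEY, salt BLOB NOT NULL, passwd BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: PBKDF2 over SHA-256. There is no inverse that recovers the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, userid: str, password: str) -> None:
    """Equivalent of post #2's INSERT: store a salt and the hash, never the plaintext."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "INSERT INTO MyTable (userid, salt, passwd) VALUES (?, ?, ?)",
        (userid, salt, hash_password(password, salt)),
    )


def change_password(conn: sqlite3.Connection, userid: str, new_password: str) -> None:
    """Equivalent of post #2's UPDATE, with a fresh salt and a WHERE clause limiting it to one user."""
    salt = os.urandom(SALT_BYTES)
    conn.execute(
        "UPDATE MyTable SET salt = ?, passwd = ? WHERE userid = ?",
        (salt, hash_password(new_password, salt), userid),
    )


def check_login(conn: sqlite3.Connection, userid: str, supplied_password: str) -> bool:
    """Post #4's rule: hash the supplied password the same way and compare the hashes.

    The comparison is done in the application with hmac.compare_digest rather than in
    the SELECT's WHERE clause, so it takes the same time whether or not the bytes match.
    """
    row = conn.execute(
        "SELECT salt, passwd FROM MyTable WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        # Unknown userid: do the same amount of work so response time does not reveal which ids exist.
        hash_password(supplied_password, bytes(SALT_BYTES))
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(supplied_password, salt), stored)


def stored_hash_length(conn: sqlite3.Connection, userid: str) -> int:
    """Post #5's concern: the stored value has a fixed length that says nothing about the password."""
    row = conn.execute("SELECT passwd FROM MyTable WHERE userid = ?", (userid,)).fetchone()
    return len(row[0]) if row else 0


def demo() -> dict:
    """Run the whole flow on constructed sample users and return the observable outcomes."""
    conn = open_db()
    register(conn, "duf", "correct horse battery staple")   # constructed sample credentials
    register(conn, "short", "pw")
    result = {
        "right_password": check_login(conn, "duf", "correct horse battery staple"),
        "wrong_password": check_login(conn, "duf", "correct horse"),
        "unknown_user": check_login(conn, "nobody", "anything"),
        "hash_len_long": stored_hash_length(conn, "duf"),
        "hash_len_short": stored_hash_length(conn, "short"),
    }
    change_password(conn, "duf", "new secret")
    result["old_after_change"] = check_login(conn, "duf", "correct horse battery staple")
    result["new_after_change"] = check_login(conn, "duf", "new secret")
    return result


if __name__ == "__main__":
    print(demo())
```

Post #2's `WHERE passwd = PASSWORD(...)` form also works, but pulling the row by userid and comparing in the application keeps the comparison constant-time and lets the hash function be replaced later without changing the schema, which is the portability point post #8 raises about PASSWORD(). The salt plus iteration count is why a bare MD5 or single SHA2 call, as post #8 suggests, is weaker than this: an unsalted fast hash lets one precomputed table serve every user.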
