473,689 Members | 2,822 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

encrypted password problem

Hello
I would like to query the user table of the mysql database from my VB
application to check that a user's password entered in a text field on a
form corresponds to that users password in the mysql database. However, when
I retreive the password using an sql statement into a recordset, it is
encrypted. How can I decrypt it so I can make the comparison.
Ian
Nov 7 '05 #1
6 7516
>I would like to query the user table of the mysql database from my VB
application to check that a user's password entered in a text field on a
form corresponds to that users password in the mysql database. However, when
I retreive the password using an sql statement into a recordset, it is
encrypted. How can I decrypt it so I can make the comparison.


You DON'T. The encryption wouldn't be worth much if you could.
Try encrypting the password entered and see if the result matches
what's in the database.

Gordon L. Burditt
Nov 7 '05 #2
Ian Davies wrote:
Hello
I would like to query the user table of the mysql database from my VB
application to check that a user's password entered in a text field on a
form corresponds to that users password in the mysql database. However, when
I retreive the password using an sql statement into a recordset, it is
encrypted. How can I decrypt it so I can make the comparison.


We should never decrypt passwords stored in a database. Instead, we
should encrypt the string that a user enters, and then check if that
encrypted string matches the encrypted string that is in the database.

This way we never write code that can read a user's password from the
database. There is always a slim possibility that a bug in our code
might allow the wrong person to read that password. The best way to be
safe is never to write any code that can decrypt a password.

Password-encryption functions are normally one-way. That is, there is
no way to get the original string from the encrypted string. This is
preferable because one-way encryption is more secure, and for reasons
above, there's no need for code to decrypt the password.

Regards,
Bill K.
Nov 7 '05 #3
I thought maybe that was the case
I presume that using the PASSWORD() function would encrypt my string so I
could compare
I didnt realise that the encryption would be the same each time

My problen now is that the string input by the user is in my VB application
and VB doesnt recognise PASSWORD().
How can I get mysql to encrypt the string from withing VB?
Ian

"Gordon Burditt" <go***********@ burditt.org> wrote in message
news:11******** *****@corp.supe rnews.com...
I would like to query the user table of the mysql database from my VB
application to check that a user's password entered in a text field on a
form corresponds to that users password in the mysql database. However, whenI retreive the password using an sql statement into a recordset, it is
encrypted. How can I decrypt it so I can make the comparison.


You DON'T. The encryption wouldn't be worth much if you could.
Try encrypting the password entered and see if the result matches
what's in the database.

Gordon L. Burditt

Nov 8 '05 #4
Ian Davies (ia********@vir gin.net) wrote:
: I thought maybe that was the case
: I presume that using the PASSWORD() function would encrypt my string so I
: could compare
: I didnt realise that the encryption would be the same each time

: My problen now is that the string input by the user is in my VB application
: and VB doesnt recognise PASSWORD().
: How can I get mysql to encrypt the string from withing VB?

by using password().

For example (not tested, syntax likely wrong)

select
user_name ,
users_encrypted _password,
password($claim ed_password) as claimed_passwor d
from
all_users
where
user_name = $the_user_name

VB runs the above query and gets back a result. Examine the values in the
result set to see if there is such a user, and then compare the columns
users_encrypted _password with claimed_passwor d to see if the password was
correct.

You can also get the encrypted value for use within VB using something
like

select password($claim ed_password);

as above, you run that just like you run any other query from within VB
and get back a result set containing the calculated value.
--

This programmer available for rent.
Nov 8 '05 #5
Ian Davies wrote:
My problen now is that the string input by the user is in my VB application
and VB doesnt recognise PASSWORD().
How can I get mysql to encrypt the string from withing VB?


SELECT PASSWORD("strin g");

You can also do this:

SELECT IF(PASSWORD("st ring") = encryptedPasswo rdField, 1, 0) AS
password_is_cor rect
FROM tableStoringPas swords;

By the way, you should be aware of issues related to using the
PASSWORD() function in MySQL. Read the entry about PASSWORD() on this
web page: http://dev.mysql.com/doc/refman/5.0/...functions.html

"Note: The PASSWORD() function is used by the authentication system in
MySQL Server; you should not use it in your own applications. For that
purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more
information about handling passwords and authentication securely in your
applications."

The recommendation against using MySQL's PASSWORD function for your
applications is that they can change the algorithm between versions of
MySQL (e.g. between 4.0 and 4.1 the encryption algorithm changed). That
could cause your application to break as you upgrade the MySQL software,
and the only solution would be to reset all your users' passwords, and
tell each user to go change their password.

I use MD5() when I need application-specific password encryption.

Regards,
Bill K.
Nov 8 '05 #6

By the way, you should be aware of issues related to using the
PASSWORD() function in MySQL. Read the entry about PASSWORD() on this
web page: http://dev.mysql.com/doc/refman/5.0/...functions.html

"Note: The PASSWORD() function is used by the authentication system in
MySQL Server; you should not use it in your own applications. For that
purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more
information about handling passwords and authentication securely in your
applications."

The recommendation against using MySQL's PASSWORD function for your
applications is that they can change the algorithm between versions of
MySQL (e.g. between 4.0 and 4.1 the encryption algorithm changed). That
could cause your application to break as you upgrade the MySQL software,
and the only solution would be to reset all your users' passwords, and
tell each user to go change their password.

I use MD5() when I need application-specific password encryption.


Thanks Bill

re the above. I read this, but assumed that, as the mysql database
containing the user table encrypts the passwords in it using PASSWORD() and
I need to check my users input in VB against it I would therefore need to
use the same encryption on my string from VB in order for the comparing of
the two to work (or is that not the case?).
I thought about better encryption using the other functions and using my own
encrypted table of passwords and building my own security system into my app
but the extra work, and the fact that the data is not that sensitive (just
school kids test results) I thought I'd stick to what mysql supplies.

Ian
Again thanks all for the quick responses, will look into them tomorrow
Nov 8 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

10
5482
by: sffan | last post by:
I am new to database programming and was curious how others solve the problem of storing encrypted in data in db table columns and then subsequently searching for these records. The particular problem that I am facing is in dealing with (privacy) critical information like credit-card #s and SSNs or business critical information like sales opportunity size or revenue in the database. The requirement is that this data be stored encrypted...
2
6008
by: Jill Elaine | last post by:
I am building an Access 2002 frontend with linked tables to an encrypted Paradox 7 database. When I first create these linked tables, I'm asked for the password to the encrypted Paradox database, and the linked tables are successfully created. I use the data from these linked tables in several forms. All works great until I close the Access frontend and open it again. When I try to use the forms, I get an error message: "Could not...
2
2240
by: Roland Riess | last post by:
Hi NG, I don't know if I'm just missing the forest through the trees, or if it is really that complicated: I want to save a password that is entered/changed through a text control in a form. The control is bound to a dataset and the password shall be stored as an encrypted text in the database. I first tried to control the en- and decryption in the textbox's Format
8
2774
by: robert | last post by:
Hello, I want to put (incrementally) changed/new files from a big file tree "directly,compressed and password-only-encrypted" to a remote backup server incrementally via FTP,SFTP or DAV.... At best within a closed algorithm inside Python without extra shell tools. (The method should work with any protocol which allows somehow read, write & seek to a remote file.) On the server and the transmission line there should never be...
5
6770
by: Michael Sperlle | last post by:
Is it possible? Bestcrypt can supposedly be set up on linux, but it seems to need changes to the kernel before it can be installed, and I have no intention of going through whatever hell that would cause. If I could create a large file that could be encrypted, and maybe add files to it by appending them and putting in some kind of delimiter between files, maybe a homemade version of truecrypt could be constructed. Any idea what it...
2
7687
by: Bernard Dhooghe | last post by:
The information center writes: "Encryption Algorithm: The internal encryption algorithm used is RC2 block cipher with padding, the 128-bit secret key is derived from the password using a MD2 message digest. " and also explains how the length of the encrypted column can be derived.
0
1915
by: danishce | last post by:
I want to generate 8 byte key using CBC MAC by applying encryption to whole message in vb.net.My code is: //Main form Code Imports System.Security.Cryptography Dim plainText As String Dim cipherText As String Dim passPhrase As String Dim saltValue As String Dim hashAlgorithm As String
5
6095
by: Shmuel | last post by:
Hello, Is it possible to give to mysql_connect an encrypted (md5 or sha1) password? If not is there a workaround? I store passwords for users in database and don't want to use plain text passwords. Then I use that information to connect to the database. So every user have his own database.
4
6895
n8kindt
by: n8kindt | last post by:
i'm trying to create a secure scenario where no one will be able to know our encrypted database passcode. BUT if they login to a form in another database successfully, it will open the encrypted database and systematically plug in the passcode thru vba (kind of like a user on a website logging into a secure SQL database i suppose). i may be going about this whole situation completely wrong but here is what i have for the code that i need to...
0
8594
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8528
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9076
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
8947
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
8783
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
7621
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
4321
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
2
2219
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
1952
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.