Hi,
I have noticed that some websites do not use encryption for passwords as they are able to send you the existing password.
Others can only give you a new password, so I guess they are using encryption ( ? ).
Does it really matter ?
Can anybody look at my MySQL database and see the password if it is not encrypted ? Or is it only in transmission that it could be spied on ?
It seems much easier not to have encryption for access to simple membership sites. That way, if there is a problem, I can then log in as the member and see what they see. With encryption, I can not use their password to log in so it restricts my troubleshooting options.
Any thoughts on this ?
Thanks.
Atli 5,058
Recognized Expert Expert
Hey.
Passwords aren't really "encrypted". They are hashed. - That basically means the password is converted into a non-reversible string of characters that should (in theory) be unique to that password.
This is an extra layer of security, and privacy, in case your password database is compromised. It means that your users' passwords will not be clearly readable, even if somebody managed to hack their way into your databases. - It also protects your users from you; the database admin. - This may also be an invaluable protection on shared hosts, where you can not be sure who exactly has access to your database.
It's just one of those basic security features that is easy to implement and may prove invaluable. In my opinion, any site that does not implement this sort of protection has sub-par security, regardless of any other security they may use. (Although that opinion is highly debatable.)
"It seems much easier not to have encryption for access to simple membership sites. That way, if there is a problem, I can then log in as the member and see what they see. With encryption, I can not use their password to log in so it restricts my troubleshooting options."
That you should never do. You should never log in as another member. - If you need to do anything like that, you should add administrative tools that allow you to do so without having to actually use the user's login credentials.
Bottom line is that user passwords are highly private pieces of data. Even viewing it yourself for administrative tasks is an invasion of their privacy. -- Nobody except the user should be able to know their passwords, not even you. Hashing them, and discarding the original, ensures that.
Markus 6,050
Recognized Expert Expert
Well put, Atli.
P.S. I fixed a few typos for you :)
Thanks for your reply.
I appreciate your opinion.
If I hash the passwords though, I guess that it means I can not send the account owner their password in an email ... or can I ?
When my script sends the hashed password out to the owner, can the user see it in their browser as the password they need to enter ?
Thanks for any clarifications.
Atli 5,058
Recognized Expert Expert
No. You can not retrieve the password in any way. A hash is scrambled beyond recovery, so there is no way (in theory) to recover it. - If the user forgets his/her password, you would have to generate a new password and send him that, so he can log in and change it.
@Markus Thanks :)
Was test-driving IE8 (just for kicks xD)... no proper spell checker.