password encode and decode ?

Jay
Hi everybody !

I've used the "crypt()" function in PHP to save the password of a user
logging in to a web-based system. Based on a book that I've read (PHP
Advanced by Larry Ullman), there is no way that we can recover
(decode) the password once it is encrypted.

Are there any other ways that I can still encrypt a password, save it
in the database and still be able to see it later (instead of a string of
junk) ?

PS: the reason I am writing this question is because I would like to write a
feature that will e-mail the user his/her password to his/her e-mail
if he/she doesn't remember the password to log in to the system.

Any help would be greatly appreciated !!!!

Jay
Jul 17 '05 #1
Jay wrote:
> Are there any other ways that I can still encrypt a password, save it
> in the database and still be able to see it later (instead of a string of
> junk) ?
>
> PS: the reason I am writing this question is because I would like to write a
> feature that will e-mail the user his/her password to his/her e-mail
> if he/she doesn't remember the password to log in to the system.

Instead of mailing the current password, create a new random password
and save it encrypted to the database.

When the user next logs on, he will be able to change the password to
something s/he likes better.

--
USENET would be a better place if everybody read: : mail address :
http://www.catb.org/~esr/faqs/smart-questions.html : is valid for :
http://www.netmeister.org/news/learn2quote2.html : "text/plain" :
http://www.expita.com/nomime.html : to 10K bytes :
Jul 17 '05 #2
If you can decrypt it, then what would be the point of encrypting it?

If your user forgets their password, set a new one, send an email to the
email address you have stored for them, request they login with the new
password and change it.

You can either send the new password in plain text or follow a link from the
email which will auto log them in.
Jul 17 '05 #3
If you want details of a reversible encryption routine for PHP then take a
look at http://www.tonymarston.net/php-mysql/encryption.html.

--
Tony Marston

http://www.tonymarston.net
Jul 17 '05 #4
Jay
Thanks for everybody's help !!!

I got the idea !

Jay
Jul 17 '05 #5
Just to say... If you guys really want to learn about programming from a
'real' programmer please visit the Tony Marston site.

Thanks a lot Tony

Jul 17 '05 #6
Pedro Graca <he****@hotpop.com> wrote in message news:<c7************@ID-203069.news.uni-berlin.de>...
> Jay wrote:
<snip>
> Instead of mailing the current password, create a new random password
> and save it encrypted to the database.

I vouch for Pedro, and it is good practice. If the passwords can be
decrypted, you _may_ not be able to get privacy certifications for
example <http://www.truste.org/>

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #7
You are missing the point. These passwords are encrypted when being written
to the database and have nothing to do with encrypting passwords between the
client browser and the server. As both the database and PHP are server-side,
not client-side, it does not matter what encryption algorithm it uses, or if
it offers a decryption routine. These passwords are only visible to people
who have access to the database on the server, but if these passwords are
encrypted then that is an extra level of security at the server end.

--
Tony Marston

http://www.tonymarston.net

Jul 17 '05 #8
[Top-post fixed]

"Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message news:<c7*******************@news.demon.co.uk>...
> "R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> wrote in message
> news:ab**************************@posting.google.com...
> > I vouch for Pedro, and it is good practice. If the passwords can be
> > decrypted, you _may_ not be able to get privacy certifications for
> > example <http://www.truste.org/>
>
> You are missing the point. These passwords are encrypted when being written
> to the database and have nothing to do with encrypting passwords between the
> client browser and the server. As both the database and PHP are server-side,
> not client-side, it does not matter what encryption algorithm it uses, or if
> it offers a decryption routine. These passwords are only visible to people
> who have access to the database on the server, but if these passwords are
> encrypted then that is an extra level of security at the server end.

I was talking about the privacy and the right practice... If the
encrypted password that is stored in db can be decrypted by the site
admin, you lose your privacy. For the right privacy requirement, your
password should not be accessible/decrypted *even* by the site admin.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #9
Tony Marston <to**@nospam.demon.co.uk> wrote:
> You are missing the point. These passwords are encrypted when being
> written to the database and have nothing to do with encrypting
> passwords between the client browser and the server. As both the
> database and PHP are server-side, not client-side, it does not matter
> what encryption algorithm it uses, or if it offers a decryption
> routine.

This is not what the OP was asking about. He was clearly asking how to
decrypt a password in order to send it by email to a user.

> These passwords are only visible to people who
> have access to the database on the server, but if these passwords are
> encrypted then that is an extra level of security at the server end.

Sending a decrypted password to users adds extra vulnerabilities, a user
might have the same password on other systems. So if someone can fool
the application to send the old password it's potentially more dangerous
than sending a new random password.

--

Daniel Tryba

Jul 17 '05 #10
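
The reset flow recommended in this thread (issue a new random password, store it only as a one-way hash, have the user change it at next login), as an added example that is not code from any of the posters. It uses PHP's `password_hash()` / `password_verify()` (PHP 5.5+, built on `crypt()`) and `random_bytes()` (PHP 7+); the in-memory `$users` array, the function names, the e-mail address and the one-hour expiry are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. $users is a constructed in-memory stand-in for the users table.

function register(array &$users, string $email, string $password): void
{
    // One-way hash only; the clear-text password is never stored.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                      'temp_expires' => null];
}

function issueTemporaryPassword(array &$users, string $email, int $ttl = 3600): ?string
{
    if (!isset($users[$email])) {
        return null; // caller should show the same message either way
    }
    $temp = bin2hex(random_bytes(12)); // 96 bits from the OS CSPRNG
    $users[$email]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['temp_expires'] = time() + $ttl;
    return $temp; // goes into the e-mail body and nowhere else
}

function login(array $users, string $email, string $password): string
{
    $row = $users[$email] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return 'denied';
    }
    if ($row['temp_expires'] !== null) {
        // Temporary password: valid only until expiry, and only to set a new one.
        return time() <= $row['temp_expires'] ? 'must_change' : 'denied';
    }
    return 'ok';
}

function changePassword(array &$users, string $email, string $new): void
{
    $users[$email] = ['hash' => password_hash($new, PASSWORD_DEFAULT), 'temp_expires' => null];
}

$users = [];
register($users, 'jay@example.test', 'old secret');
$temp = issueTemporaryPassword($users, 'jay@example.test');
echo login($users, 'jay@example.test', 'old secret'), "\n"; // old password
echo login($users, 'jay@example.test', $temp), "\n";        // mailed temporary password
changePassword($users, 'jay@example.test', 'new secret');
echo login($users, 'jay@example.test', 'new secret'), "\n"; // password chosen by the user
```

Because only the hash is stored, neither a database reader nor the site admin can recover the original password, and the mailed value is useless once it expires or is replaced.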
