#1

Friends,
I have one question - How to store passwords in MySQL database table in a secure way so that no one can see the password (understand the password string)?
Please
Thanks
CPK

--
Keep your Environment clean and green.

#2

Use MD5 function to encrypt the password column

C K wrote:
> Friends,
> I have one question - How to store passwords in MySQL database table in a
> secure way so that no one can see the password(understand the password
> string)?
> Please
> Thanks
> CPK

--
Yoge,
AdventNet, Inc.
925-965-6528
yogendrav@adventnet.com
site24x7.com

#3

C K wrote:
> Friends,
> I have one question - How to store passwords in MySQL database table in a
> secure way so that no one can see the password(understand the password
> string)?
> Please
> Thanks
> CPK

mysql> create table test01 (pass varchar(32));
Query OK, 0 rows affected (0.00 sec)

mysql> insert into test01 values (md5('textpassword'));
Query OK, 1 row affected (0.01 sec)

mysql> select * from test01;
+----------------------------------+
| pass                             |
+----------------------------------+
| d1c7e2c37b0bb7d92548ac5594d00315 |
+----------------------------------+
1 row in set (0.00 sec)

The md5 function encrypts the input string.

---------
With Warm Regards,
Sudheer. S
www.binaryvibes.co.in
www.lampcomputing.com

#4

Thanks to all,
but the problem is that I am using external programs to insert data and I can't use MySQL functions directly. Can I call/implement such type of functions using MS Access 2003?
Thanks
CPK

> The md5 function encrypts the input string.
>
> ---------
> With Warm Regards,
> Sudheer. S
> www.binaryvibes.co.in
> www.lampcomputing.com

--
Keep your Environment clean and green.

#5

On Sat, August 18, 2007 15:53, C K wrote:
> Thanks to all,
> but the problem is that I am using external programs to insert data and I
> can't use MySQL functions directly. Can I call/implement such type of
> functions using MS Access 2003?

MD5() is not an encryption function. The MySQL manual states:

<QUOTE>
MD5(str)

Calculates an MD5 128-bit checksum for the string. The value is returned as a binary string of 32 hex digits, or NULL if the argument was NULL. The return value can, for example, be used as a hash key.

mysql> SELECT MD5('testing');
        -> 'ae2b1fca515949e5d54fb22b8ed95575'

This is the “RSA Data Security, Inc. MD5 Message-Digest Algorithm.”
</QUOTE>

You might want to look at ENCODE() and DECODE() functions. Again from the manual:

<QUOTE>
DECODE(crypt_str,pass_str)

Decrypts the encrypted string crypt_str using pass_str as the password. crypt_str should be a string returned from ENCODE().

ENCODE(str,pass_str)

Encrypt str using pass_str as the password. To decrypt the result, use DECODE().

The result is a binary string of the same length as str.

The strength of the encryption is based on how good the random generator is. It should suffice for short strings.
</QUOTE>

These are all functions you use in your sql statement, so yes. They can be used in MS Access.

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

#6

But you can use it for passwords (ask Unix)...

You can't decode what the original password was, but you can encode the password they typed in and check the two hashes match - if they do - the chances are that the original passwords match (the odds against are huge!)

On Saturday 18 August 2007 16:19, Mogens Melander wrote:
> MD5() is not an encryption function. The MySQL manual states:

--
Mike Aubury

Aubit Computing Ltd is registered in England and Wales, Number: 3112827
Registered Address : Murlain Business Centre, Union Street, Chester, CH1 1QP

#7

On Sat, August 18, 2007 20:17, Mike Aubury wrote:
> But you can use it for passwords (ask Unix)...
>
> You can't decode what the original password was, but you can encode the
> password they typed in and check the two hashes match - if they do - the
> chances are that the original passwords match (the odds against are huge!)

Well, I got the impression that OP wanted to retrieve the cleartext string, but I could be wrong.

> On Saturday 18 August 2007 16:19, Mogens Melander wrote:
>
>> MD5() is not an encryption function. The MySQL manual states:

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

#8

Hi,

What are those external programs? If you are using a scripting language like PHP to insert data, you can still use all the MySQL functions in your query statements. I'm not sure how this is related to MS Access 2003.

With Warm Regards,
Sudheer. S
www.binaryvibes.co.in
www.lampcomputing.com

C K wrote:
> Thanks to all,
> but the problem is that I am using external programs to insert data and I
> can't use MySQL functions directly. Can I call/implement such type of
> functions using MS Access 2003?
> Thanks
> CPK
>
>> The md5 function encrypts the input string.
>>
>> ---------
>> With Warm Regards,
>> Sudheer. S
>> www.binaryvibes.co.in
>> www.lampcomputing.com

#9

On 8/18/07, C K <shreeseva.it@gmail.com> wrote:
> Friends,
> I have one question - How to store passwords in MySQL database table in a
> secure way so that no one can see the password(understand the password
> string)?

It is considered bad security practice to store passwords using reversible encryption. The issue is that users tend to choose the same passwords across different computing systems, as well as personal e-mail and banking accounts.

The most common method is to keep a string, known only to the server, that is used to generate the MD5 or SHA1 hash actually stored. The stored value is then generated using something like:

MD5(CONCAT(server_string, user_password, server_string))

In order to be able to mount some kind of an attack other than brute force, an attacker would need to also have the server_string.

The disadvantage of using only the user password for the MD5 is that it lends itself to a dictionary attack. So, a bit of randomness thrown in is helpful.

http://en.wikipedia.org/wiki/Dictionary_attack

As another poster pointed out, the probability of two different passwords having the same hash is remote. Using the SHA1 (160 bits) as an example, and assuming about 64 different characters (6 bits) available for passwords, the SHA1 is about 26 characters of information. Remote.

Dave.

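Added example, not part of any post in this thread and not the posters' code: the schemes from posts #2/#3 (bare MD5), #6 (verify by re-hashing) and #9 (server string around the password), computed in the client program instead of in SQL, with a small audit showing which stored hashes a public wordlist would match. The server string, user names and passwords are constructed sample values, and the PBKDF2 functions are an assumption that goes beyond the thread (per-user random salt plus a slow hash).

```python
import hashlib
import hmac
import os

# Constructed sample values; none of them come from the thread.
SERVER_STRING = "example-server-secret"   # the "string known only to the server"
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

def bare_md5(password):
    """Posts #2/#3: MD5 of the password alone."""
    return hashlib.md5(password.encode()).hexdigest()

def server_string_md5(password, server_string=SERVER_STRING):
    """Post #9: MD5(CONCAT(server_string, user_password, server_string))."""
    data = server_string + password + server_string
    return hashlib.md5(data.encode()).hexdigest()

def verify(candidate, stored_hash, hash_fn):
    """Post #6: re-hash what the user typed and compare; nothing is decoded."""
    return hmac.compare_digest(hash_fn(candidate), stored_hash)

def weak_rows(rows, hash_fn):
    """Audit: user names whose stored hash equals hash_fn(a common password)."""
    table = {hash_fn(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, h in rows.items() if h in table)

def pbkdf2_record(password, salt=None, rounds=200_000):
    """Assumption beyond the thread: per-user random salt and a slow hash,
    stored as salt$rounds$digest so each row carries its own parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${dk.hex()}"

def pbkdf2_verify(candidate, record):
    salt_hex, rounds, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    users = {"alice": "letmein", "bob": "letmein", "carol": "T7#vq-long-unique"}
    bare = {u: bare_md5(p) for u, p in users.items()}
    keyed = {u: server_string_md5(p) for u, p in users.items()}
    print("bare MD5, public wordlist:", weak_rows(bare, bare_md5))
    print("server string, wordlist alone:", weak_rows(keyed, bare_md5))
    print("server string, string leaked:", weak_rows(keyed, server_string_md5))
    print("alice and bob share a hash:", keyed["alice"] == keyed["bob"])
```

The server string only helps while it stays secret, and two users with the same password still get the same stored value; a per-row salt as in `pbkdf2_record` removes both properties.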
#10

If you can't access functions directly, you could implement a trigger on that row to intercept the password as it is being written and do your MD5 encoding there.

- michael

On 8/18/07, C K <shreeseva.it@gmail.com> wrote:
> Thanks to all,
> but the problem is that I am using external programs to insert data and I
> can't use MySQL functions directly. Can I call/implement such type of
> functions using MS Access 2003?
> Thanks
> CPK
>
> > The md5 function encrypts the input string.
> >
> > ---------
> > With Warm Regards,
> > Sudheer. S
> > www.binaryvibes.co.in
> > www.lampcomputing.com
>
> --
> Keep your Environment clean and green.

--
- michael dykman
- mdykman@gmail.com

- All models are wrong. Some models are useful.

#11

Hello all.

I noticed that the last entry in mysql error log was two weeks ago. Can someone tell me why mysql is not writing to this log?

********************************************
This message is intended only for the use of the Addressee and may contain information that is PRIVILEGED and CONFIDENTIAL.

If you are not the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited.

If you have received this communication in error, please erase all copies of the message and its attachments and notify us immediately.

Thank you.
********************************************

#12

Have you had any errors in the last 2 weeks? Have you restarted your server in the last 2 weeks? Your problem might just be a symptom of no problem at all.

- michael

On 8/20/07, Brown, Charles <CBrown@bmi.com> wrote:
> Hello all.
>
> I noticed that the last entry in mysql error log was two weeks ago. Can
> some one tell me why mysql is not writing to this log

--
- michael dykman
- mdykman@gmail.com

- All models are wrong. Some models are useful.

#13

A common issue a lot of people have is this

rm logfile

if the mysql server is still accessing that file it will not continue to write to that file again till mysql is restarted

if that was the case the proper way to clear a log and keep the server running is

cp /dev/null logfile

On 8/20/07, Brown, Charles <CBrown@bmi.com> wrote:
>
> Hello all.
>
> I noticed that the last entry in mysql error log was two weeks ago. Can
> some one tell me why mysql is not writing to this log
