Now, if you make a login system... You want encryption for the user's password, yes, we all know. But the thing is, if you encrypt it, such as with the md5() function algorithm, wouldn't that make it incorrect if a user tries to log in and is trying to access his password, which has now been encrypted? My problem is this: I try to encrypt passwords when registering, in the SQL, and well, I go to log in, and it gives me an error which I set, "invalid password, please try again". Well, I know you cannot DECRYPT the password, so basically your account is stuck. :[
Would I just go by doing a base64 encryption and then decrypt it? Though that sounds like a security risk, bleh... Help with this, please.
VillageIdiot can have my babbies ;d
Now, why would you want to do that? JS can be easily sniffed, so don't check passwords and other sensitive information through JS. You can MD5 the password from the script, or directly from the query if you need to:
SELECT id FROM users WHERE username='username' AND password=MD5('password')
I have optimistic thoughts, even though sometimes (if not always) life's a bitch.
The idea behind it is to use a salt with your passwords. You then MD5 the password using JS and send it to your PHP script; the PHP script then adds the salt and MD5s the whole lot again, then compares it against your password table.
The theory being that the plain-text password is never transmitted across the internet.
Edit: Think of it this way, in my scenario, if someone sniffed the password, they would end up with an MD5 hash of it. They could then either try to match the hash until they found the original password, or brute force your script until they found the salt. In your scenario, if someone sniffed the password, they would end up with the plain-text password for the user.
Last edited by Alan @ CIT : 02-09-2008 at 08:31 AM.
Reason: Added usage scenario
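The login check the thread describes, as an added example that is not code from any of the posts above: nothing is ever decrypted, the submitted value is hashed the same way as at registration and the two hashes are compared. Assumptions: the `$users` array stands in for the password table, the salt is per-user and prepended (the thread does not say), and all function names are hypothetical; `password_hash()`/`password_verify()`, PHP's built-in password hashing API, are shown beside the thread's MD5 scheme as a swapped-in alternative.

```php
<?php
// Constructed in-memory stand-in for the users table (assumption).
$users = [];

// Thread's scheme: the browser sends md5(password); the server adds a
// salt and hashes the whole lot again. Salt-first order is an assumption.
function thread_hash(string $clientMd5, string $salt): string
{
    return md5($salt . $clientMd5);
}

function register(array &$users, string $name, string $password): void
{
    $salt = bin2hex(random_bytes(16)); // per-user random salt (assumption)
    $users[$name] = [
        'salt'   => $salt,
        // md5($password) stands in for the hash the JS step would send.
        'legacy' => thread_hash(md5($password), $salt),
        // Swapped-in alternative: slow password hash, salt stored inside it.
        'modern' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Login recomputes the hash from the submitted value and the stored salt,
// then compares it with the stored hash in constant time.
function login_legacy(array $users, string $name, string $clientMd5): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];
    return hash_equals($row['legacy'], thread_hash($clientMd5, $row['salt']));
}

function login_modern(array $users, string $name, string $password): bool
{
    return isset($users[$name])
        && password_verify($password, $users[$name]['modern']);
}

register($users, 'alice', 'correct horse');            // constructed account
var_dump(login_legacy($users, 'alice', md5('correct horse')));
var_dump(login_legacy($users, 'alice', md5('wrong guess')));
var_dump(login_modern($users, 'alice', 'correct horse'));
var_dump(login_modern($users, 'alice', 'wrong guess'));
```

With the modern variant the plain-text password has to reach the server, so it relies on HTTPS for protection in transit instead of client-side hashing.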