Hello guys,

Today there was a big problem I got while programming on my newest project. I have to save the users' email passwords in my system (PHP + MySQL).

I do it now this way: alt text

Is this secure? And if not, what is a better way to do it?

greetz from white Vienna Dom

+1  A: 

Sounds good to me :) Since you don't store the actual password but a salted hash this approach should be secure.

@lutz, deleted my answer, tx for your comment
Peter
+5  A: 

Salted hashes are one of the better ways of dealing with 'storing' passwords (you're not really storing it as such). Note that the password is unrecoverable, so your app should cater for this by having a 'reset password' function.

Wim Hollebrandse
The problem is that I need the plain pw from the mail account, so that I can log in to the mail acc and check the mails. greetz
Dominik K.
why are you logging into other peoples' mail accounts and reading their mails?
zaphod
I am not logging into other people's accounts, but they will log into multiple of their accounts!!!
Dominik K.
+2  A: 

I'd recommend using HMAC with a random, long generated salt. The salt helps users who use passwords like "a", and HMAC prevents length-extension attacks.

Arkh
+1  A: 

Only store the hashed, salted password. This is essentially the only really secure way, in my opinion. Encrypted passwords can be decrypted; hashed, salted passwords need to be brute-forced.

function salt_password($password)
{
  $salt_1 = '7a@#!P^@29g';
  $salt_2 = 'mw3*@~2%21mD';
  //whatever random nonsense you can come up with

  return sha1($salt_1.$password.$salt_2);
}

function store_password($user,$password)
{
  $password = salt_password($password);

  //insert username and password in whatever table;
}

function login($user,$password)
{
  //select username and password info from db
  //$selected_password_from_db is assumed to hold the stored hash for $user

  //hash_equals() compares in constant time and avoids the type juggling of a loose ==
  if(hash_equals($selected_password_from_db, salt_password($password)))
  {
    return true;
  }
  else
  {
    return false;
  }
}
zaphod
Hello, I need to encrypt external passwords, like from email accounts. greetz
Dominik K.
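An added example, not code from any answer in this thread: it puts the fixed-salt SHA-1 scheme from zaphod's answer next to the random per-user salt with HMAC that Arkh's answer describes, and checks both against two users who chose the same password. The function names, the record layout and the choice of SHA-256 are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread). Function names and the record layout
// are hypothetical; SHA-256 is an assumed choice of HMAC hash.

// Fixed-salt scheme as posted above: every user shares the same two salts.
function fixed_salt_hash(string $password): string
{
    return sha1('7a@#!P^@29g' . $password . 'mw3*@~2%21mD');
}

// Per-user scheme: a fresh 32-byte random salt is used as the HMAC key
// and stored next to the resulting MAC.
function make_record(string $password): array
{
    $salt = random_bytes(32);
    return [
        'salt' => bin2hex($salt),
        'mac'  => hash_hmac('sha256', $password, $salt),
    ];
}

function verify_record(array $record, string $password): bool
{
    $salt = @hex2bin($record['salt']);
    if ($salt === false) {
        return false; // corrupted salt column: fail closed
    }
    $candidate = hash_hmac('sha256', $password, $salt);
    return hash_equals($record['mac'], $candidate); // constant-time compare
}

// Constructed sample data: two users who picked the same weak password.
$alice = make_record('a');
$bob   = make_record('a');

// With fixed salts, equal passwords always produce equal stored values,
// so one precomputed table covers every row in the database.
var_dump(fixed_salt_hash('a') === fixed_salt_hash('a'));

// With per-user random salts the stored values differ for the same password.
var_dump($alice['mac'] === $bob['mac']);

// Verification recomputes the MAC with the stored salt.
var_dump(verify_record($alice, 'a'));
var_dump(verify_record($alice, 'b'));
```

PHP's built-in password_hash() and password_verify() generate the salt themselves and use a deliberately slow algorithm, which a single HMAC call does not. Either way the stored value cannot be turned back into the password, which is the limitation Dominik K. raises in the comments.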