A Flash Developer Resource Site


Thread: Storing passwords and the data protection act..

  1. #1
    Running Plodding & Limping SpockBert's Avatar
    Join Date
    Jun 2002
    Location
    London
    Posts
    593

    Storing passwords and the data protection act..

    Can anyone solve this little problem for me?

    Got a growing database of usernames and passwords but I'm wondering if I'm breaking the data protection act by clearly being able to see the passwords of anyone who signs up.

    I'm tempted to MD5 the passwords and have only the hashed value stored in the Db.

    That's fine, but what happens if the user requests a password reminder? How can you send a reminder if you don't store the password?

    Just wondering how most people store usernames and passwords, is there a standard way of doing this?

  2. #2
    Moonlight shadow asheep_uk's Avatar
    Join Date
    Dec 2001
    Location
    London
    Posts
    2,010
    You shouldn't be storing unencrypted passwords, just for security's sake.

    If somebody forgets their password, they confirm using their email address or date of birth (that's when the Data Protection Act comes in, but that's a different thread). Then you send them a new random one to their email address, which they can then change back to what they'd like.

    If you're using PHP, crypt is all you need for low-risk data – don't use it for financial things.

  3. #3
    Running Plodding & Limping SpockBert's Avatar
    Join Date
    Jun 2002
    Location
    London
    Posts
    593
    Ah cheers fella.

    Yeah that makes sense, so if their password was "smith"

    1. You'd MD5 "smith" a few times and store only that in the DB.

    2. If they forgot their password you'd MD5 the stored one a bit more, trim it to say 8 chars then mail that back to them?

    will do that!

    Cheers!

  4. #4
    Senior Member Genesis F5's Avatar
    Join Date
    Jan 2002
    Location
    Unallocated memory
    Posts
    1,845
    Yeah, I don't know any site that sends out the password anymore. If the user forgets their password, the system may generate a random character password, update the database with that, and then send the random password and give the user 'x' amount of time to change the password before the account is locked. All passwords are usually md5 encrypted (one pass should be fine, but you may want to salt it if the data is sensitive).

    MD5 is a one way encryption algorithm, so you can't extract the original data. The only way to figure it out is to compare it to an MD5 encrypted string that's the same value.

    So, in PHP:

    md5('hello') == '5d41402abc4b2a76b9719d911017c592'; // TRUE (the MD5 of 'hello'; the digest originally quoted here is the MD5 of 'password')

    A MySQL column for MD5 data is usually a VAR/CHAR(32) datatype.
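    Pulling together the thread's two points (store a salted one-way hash rather than a recoverable password, and handle "forgot password" by resetting rather than mailing the stored value), here is an added example that is not from any poster, written in Python rather than PHP. The in-memory `db` dict, the function names, the PBKDF2 round count and the sample user are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumption: slow enough to blunt offline guessing


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way and salted: the stored value cannot be turned back into the password,
    # and two users with the same password get different stored values.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(db: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # per-user random salt, kept beside the hash
    db[username] = {"salt": salt, "hash": hash_password(password, salt), "reset": None}


def verify_login(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    # constant-time compare so a mismatch does not leak where the hashes diverge
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def start_reset(db: dict, username: str, now: float, ttl_s: int = 3600) -> str:
    # The original password is unrecoverable, so issue a short-lived reset token.
    # Only the token's hash is stored; the token itself is what gets e-mailed.
    token = secrets.token_urlsafe(32)
    db[username]["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + ttl_s,
    }
    return token


def finish_reset(db: dict, username: str, token: str, new_password: str, now: float) -> bool:
    rec = db.get(username)
    pending = rec["reset"] if rec else None
    if pending is None or now > pending["expires"]:
        return False  # no reset in progress, or the token has expired
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    rec["reset"] = None  # tokens are single use
    salt = secrets.token_bytes(16)  # fresh salt for the new password
    rec["salt"], rec["hash"] = salt, hash_password(new_password, salt)
    return True
```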
