[ciapug] md5 function

david l goodrich dlg at dsrw.org
Mon Apr 16 13:07:55 CDT 2007


On Mon, April 16, 2007 12:55 pm, carl-olsen at mchsi.com wrote:
> I’m using md5 to encrypt passwords in MySQL.  There are two stages to
> this.  The first stage is when the user types their password into a form
> input text field in their browser and submits the page to the remote
> server.  After the page submits, the password is retrieved as one of the
> $_POST array variables and converted to the md5 32-character version and
> then used in an SQL statement to either add, update, or check the database
> for a match.
>
> I can see how this makes the connection to the database more secure, but
> it still gets posted from the client to the server as a plain text
> password.  The client is sitting at their computer 10 miles away from the
> server and they submit their password as plain text.  What makes that any
> more secure than the round trip from the web server to the database?
>
> This has always confused me.  It seems like the md5 function isn’t really
> doing much.
>
> It seems like the only solution is to use https any time you have a
> password field in a form.  Is that correct?

That is correct.  https protects the data in transit.
Storing the password in a one-way hash (preferably with salting) protects
the data at rest.
  --david

>
> Carl Olsen
> Des Moines, IA

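An added example, not code from this thread, that puts the two storage schemes side by side: the unsalted md5() column Carl describes and the salted one-way hash David recommends, using PHP's password_hash()/password_verify() (PHP 5.5 or later) with the SQL done through PDO prepared statements. The users table and its columns, and the in-memory SQLite database used for the demo, are assumptions.

```php
<?php
// Added example, not code from the thread. The users table (username,
// password_hash) and the PDO handle are assumptions.

// The scheme Carl describes: md5() with no salt. Equal passwords give equal
// 32-character digests, so a leaked table reveals which users share a
// password and is exposed to precomputed lookup tables.
function legacyDigest(string $password): string
{
    return md5($password);
}

// The scheme David recommends: a salted one-way hash. password_hash()
// draws a fresh random salt on each call and embeds salt and cost factor
// in the returned string, so the same password never stores the same value.
function storePassword(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

// Verification re-hashes the submitted password with the stored salt and
// compares in constant time; if the cost factor has been raised since the
// row was written, the row is upgraded on a successful login.
function checkPassword(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();           // false when the user is unknown
    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    }
    return true;
}

// Demo on an in-memory SQLite database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
storePassword($db, 'alice', 'hunter2');   // constructed sample credentials
storePassword($db, 'bob', 'hunter2');     // same password as alice
$rows = $db->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump(legacyDigest('hunter2') === legacyDigest('hunter2')); // unsalted: equal digests
var_dump($rows[0] === $rows[1]);                               // salted: distinct values
var_dump(checkPassword($db, 'alice', 'hunter2'));              // correct password
var_dump(checkPassword($db, 'alice', 'Hunter2'));              // wrong password
```

The https half of David's answer is not shown here; it is a server configuration matter, and the hash column above does nothing for the password while it is still in transit from the browser.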