I'm looking at adding a Salt number to our user password table. We are saving the user passwords hashed as SHA256.
My question is would using the number generated from Mysql's UUID_SHORT() function for example '23154192415719433' be sufficient for a password salt?
So in my database the password 'Test123' would normally stored as 'd9b5f58f0b38198293971865a14074f59eba3e82595becbe86ae51f1d9f1f65e' by calling
SELECT SHA2('Test123', 256)
Will now be stored as 'e5e7b87ba899a6f9ad8f8e68e0b209b6923e546df70b8e4a47f996533827bce1'
SELECT SHA2('23154192415719433Test123', 256)
Seeing as UUID_SHORT() returns a random 64-bit value, and SHA256 uses 256-bit encryption, you would be better off calling UUID_SHORT() four times and concatenating it as a binary value.
I expect that what you want is to
SELECT SHA2('password', 256)
give you always the same result which you can store/compare.
UUIS_SHORT() does not return the same values after each invocation so store your passwords as hash as usual. What you can do to make it better is:
SELECT SHA2(CONCAT('password','some junk known only to you'),256)
You do need anything else.
Related
I have this code:
CREATE TABLE Person
(
primaryKey int unsigned NOT NULL,
emailAddress mediumblob NOT NULL
);
What attribute (like NOT NULL) can I use so that the emailAddress would be encrypted?
I would greatly appreciate the help. I tried encrypt() but that's giving me errors.
if you looking to encrypt data where you can decrypt it later then you should use ES_ENCRYPT() AND AES_DECRYPT()
According to the Manual
AES_ENCRYPT() encrypts a string and returns a binary string. AES_DECRYPT() decrypts the encrypted string and returns the original string. .
MySQL 5.1 Doc: AES_ENCRYPT() / AES_DECRYPT()
you can use it like this
INSERT INTO table (email)VALUES(AES_ENCRYPT('myemail', 'secrectkey' ))
to read the data that is encrypted you can do this
SELECT AES_DECRYPT(email, 'secrectkey' ) FROM table
where secrectkey is really a secret value that only authorized users should have access to
But if you are looking for hashing "a one way hash that can't be read back in plain text" you can use one of the following functions
MD5('myemail');
OR
PASSWORD('myemail');
OR
SHA1('myemail');
Then your table length depends on the encryption method you use. you can use VARCHAR() if the length of your encrypted message changes. If you know that you will be using fixed length I would use CHAR(exact_length)
Again the length will depend on the method you use.
You have the complete list of encryption functions supported by MySQL DBMS on this official documentation.
I am creating a unique id and would like to know what field structure I should be using. I am creating the id in php using md5 and uniqueid.
md5(uniqid($filename))
I have set the field in the database to varchar. I wanted to know if this was correct and also if correct how many chacaters should it be set to.
Many thanks
MD5 returns 128 bit values which can be represented as a sequence of 32 hexadecimal characters, which is also the type of value PHP’s md5 function returns. So CHAR(32) would fit perfectly.
You could also turn the value into binary, i. e., 8 bit per byte instead of 4 bit per byte. This can be done with PHP’s md5 function by setting the second parameter raw_output to true. Or in MySQL using the UNHEX function. In that case BINARY(16) would suffice.
For some reason MySQL is putting all passwords as the same even after md5 and using the password('$md5_password').
Let's say the password is abc123 the password stored in mysql is 11ab5e691dcc370b. But when I try to save a password of frogs the password stored is 11ab5e691dcc370b, which is the same. I have the same script on other databases and is working flawlessly.
The above would explain why no one is logging in unless I hard set the 11ab5e691dcc370b password. Then others can login.
The mysql user has full rights.
I used Google to reverse 11ab5e691dcc370b. It seems to be the hash of d41d8cd98f00b204e9800998ecf8427e, which is an MD5 of a blank string.
You might want to check the code that actually calls md5.
Assuming PHP based on the $md5_password in your question
Use double quotes or remove them completely.
md5($password);
If you use single quotes it will literally hash the string $password
md5('$password');
See this page on string literals http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single
this is the password :
sha1$265b1$5ff32d53cf53bdef243b6f83e33e513514352406
sha1$73f58$b037706983a566e2a2b4bab7ef062c2e84f4a33e
this two string's password all are '123456',
but why they have different string ?
thanks
Until django 1.3 was for "salt" the raw password:
The password attribute of a User object is a string in this format:
hashtype$salt$hash
That's hashtype, salt and hash, separated by the dollar-sign character.
Hashtype is either sha1 (default), md5 or crypt -- the algorithm used to perform a one-way hash of the password. Salt is a random string used to salt the raw password to create the hash.
But after django 1.4 the "salt" part isn´t recorded in the database and it uses another algorithm by default.
As stated in the Docs, django uses a salt to hash the password. The salt is the few characters between the 2 $, so technically you can update 1 of those rows with the other value.
For more regarding salt-hashing see This question
that decide to your algorithm, some algorithm's results are not same
I was wondering how can i limit my password to aplhanmeric based on the generated value of alphanumeric AES_ENCRYPT() in mysql? I have a column password with a datatype of varbinary
Sample: select AES_ENCRYPT('encryption_code','password');
Result: ���"F]���\�L7z
I want to avoid the special characters.
This doesn't specifically answer the question on how to get just alphanumeric, but the 'special characters' look to be what MySQL does with utf8. You can see what they actually are in:
SELECT CONVERT(AES_ENCRYPT('encryption_code','password') USING latin1);
Now as to why you want just the alpha-numeric, may I ask why? Wouldn't that destroy the encryption when you go to AES_DECRYPT? With the above query, you can get the encryption_code back by doing:
SELECT AES_DECRYPT(CONVERT(AES_ENCRYPT('encryption_code','password') USING latin1), 'password');