Re: PHP, Md5, and password retrieval forms..



On 29 Mar, 15:56, custom...@xxxxxxxxx wrote:
> I have designed a site that requires users to login. Me being new to
> php, I hired a guy to help me set up the database. He set it up and it
> works flawlessly. Well.. instead of helping me finish the project, he
> has pretty much disappeared.
>
> Looking at the code, the passwords are stored using Md5 encryption in
> the database. I was able to get a password retrieval form working,
> but it's sending the passwords encrypted.
>
> Can they be retrieved unencrypted via form?

If you mean, can you get the users to post their passwords from the
form so that you can see them, and still authenticate them, the answer
is yes (if you fiddle with the form) but you should leave it just as
it is!
The last reply (Arjen) was spot on, you shouldn't have to know what
your users' passwords are, just reset them, that's all they need. The
way the form is set up _probably_ (we can't really tell cos you didn't
provide a URL) means that it is logging them in securely without SSL,
if you fiddle with this, you will be increasing the surface area of
attack for your site.

If you meant anything else, the answer is _probably_ no.
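
The reset-instead-of-retrieve approach recommended in the reply above, as an added example that is not part of the original post or the site's code. The `$users` array, the function names and the sample values are constructed, and `password_hash()` is swapped in for the site's MD5 when the new password is stored.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table (the site's real schema is not shown in the thread).
$users = [
    'alice@example.com' => ['pw_hash' => md5('old-password'), 'reset_hash' => null, 'reset_expires' => 0],
];

// Step 1: the user asks for a reset. The returned token goes into the e-mailed
// link; only its SHA-256 hash is stored, so a database leak does not expose it.
function issueResetToken(array &$users, string $email, int $ttl = 1800): ?string
{
    if (!isset($users[$email])) {
        return null; // the form should show the same message either way
    }
    $token = bin2hex(random_bytes(32)); // 256-bit random token
    $users[$email]['reset_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires'] = time() + $ttl;
    return $token;
}

// Step 2: the user follows the link and chooses a new password.
function redeemResetToken(array &$users, string $email, string $token, string $newPassword): bool
{
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']) {
        return false; // unknown user, no pending reset, or token expired
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison failed
    }
    // Swapped in for MD5: a salted, deliberately slow hash from PHP's password API.
    $users[$email]['pw_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_hash'] = null; // token is single use
    $users[$email]['reset_expires'] = 0;
    return true;
}

// Walk through the flow with constructed values.
$token = issueResetToken($users, 'alice@example.com');
var_dump(redeemResetToken($users, 'alice@example.com', 'wrong-token', 'n3w-passphrase'));
var_dump(redeemResetToken($users, 'alice@example.com', $token, 'n3w-passphrase'));
var_dump(redeemResetToken($users, 'alice@example.com', $token, 'another-passphrase'));
var_dump(password_verify('n3w-passphrase', $users['alice@example.com']['pw_hash']));
```

Storing the new password this way only works if the login check is switched from an MD5 comparison to `password_verify()`.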
