Mysql , postgres and passwords

2004 July 31 at 00:33 » Tagged as: mysql, php, password

Many developers, particularly those who work in a LAMP environment, use the password() function of mysql to encode the passwords that they store in their database. I am not even talking about mysql account passwords, but about the passwords stored by an authentication application. The password() function was never meant to be a secure way to store user passwords, but people use it anyway - in fact I have also been guilty of this crime at times.

On the other hand I have seen $1000 applications that store the password in clear text. These poor losers argue that if someone gains unauthorized access to your database you are in big trouble anyway. That is not the point. Passwords should be one-way hashed to protect them from friendly eyes as well as those of intruders. You hear about passwords belonging to thousands of users being released on underground websites all the time. Most people reuse the same password on multiple sites, so a password compromised once is compromised everywhere.

No self-respecting system administrator or DBA will want to take a peek at your password on purpose, but sometimes when doing routine administration it's simply impossible not to see the contents of the password field if it's stored in clear text - as they say, lead us not into temptation.

In any event postgres does not have the password() function that you find in mysql, so you have to hash the password yourself. Now if we had all done things right the first time our PHP code would do the hashing for us instead of relying on the mysql function. Since programmers are lazy by nature it's not done that way.

Changing your PHP script not to use the password() function is a simple task. You only need one line of code to create an MD5 hash in PHP - not so with Java. Though it is said that you can program in Java with little knowledge of what lies under the hood, cryptography is one exception. In this case it is PHP that hides all the gory details while Java assumes that you know how the internal combustion engine works.

March 23, 2023 update: MD5 has been considered insecure for a long time (I just didn't get around to updating this blog for many years).
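The following is an added example, not code from the original post, showing what "hash the password in PHP instead of asking the database to do it" looks like today: the one-line md5() the post had in mind is kept only for comparison, and password_hash()/password_verify() (available since PHP 5.5) do the real work, so the same INSERT and SELECT run unchanged against MySQL or PostgreSQL. The users table with username and password_hash columns, the user names, and the in-memory SQLite connection (which needs the pdo_sqlite extension) are assumptions made for this example; replace the DSN with your own MySQL or PostgreSQL connection.

```php
<?php
// Added example (not from the original post). Table and column names
// (users, username, password_hash) and the SQLite DSN are assumptions.

// The 2004-era approach the post describes: one line, but MD5 is fast and
// unsalted, so identical passwords hash identically and a leaked table is
// cheap to attack with precomputed tables. Kept here only for comparison.
function legacyMd5Hash(string $password): string
{
    return md5($password);
}

// Current approach: password_hash() chooses a random salt and a slow
// algorithm (bcrypt under PASSWORD_DEFAULT) and encodes both, plus the cost,
// into the returned string, so nothing else needs to be stored.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Never compare hashes by hand: password_verify() reads the algorithm, cost
// and salt back out of the stored string and compares in constant time.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Store the hash, not the password. The database is no longer asked to hash
// anything, so this works identically on MySQL and PostgreSQL.
function createUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => hashPassword($password)]);
}

// Login: fetch the stored hash and let password_verify() decide. If the hash
// was made with an older cost or algorithm, re-hash on successful login so
// the table upgrades itself over time without forcing password resets.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !checkPassword($password, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => hashPassword($password), ':u' => $username]);
    }
    return true;
}

// Self-contained demonstration on an in-memory SQLite database with
// constructed sample users; swap the DSN for a real MySQL/PostgreSQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

createUser($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));

// Two users with the same password get different stored hashes because of
// the per-password salt; with the unsalted MD5 column they would be equal.
createUser($db, 'bob', 'correct horse battery staple');
$hashes = $db->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
var_dump(legacyMd5Hash('secret') === legacyMd5Hash('secret'));
```

The part of the post that still holds is the placement: the hash is computed in the application, and the database column only ever sees the hash. What has changed since 2004 is the function on that one line; a single unsalted md5() call makes every copy of the table an offline guessing target, whereas password_hash() is deliberately slow and salted, and password_needs_rehash() lets you raise the cost later without touching existing users.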