I asked a question yesterday about password safety...
I am new at security...
I am using a mysql db, and need to store users passwords there. I have been told in answers that hashing and THEN saving the HASHED value of the password is the correct way of doing this.
So basically I want to verify with you guys this is correct now.
It is a classifieds website, and for each classified the user puts, he has to enter a password so that he/she can remove the classified using that password later on (when product is sold for example).
In a file called "put_ad.php" I use the $_POST method to fetch the pass from a form.
Then I hash it and put it into a mysql table.
Then whenever the user wants to delete the ad, I check the entered password by hashing it and comparing the hashed value of the entered password against the hashed value in the mysql db, right?
BUT, what if I as an admin want to delete a classified, is there a method to "Unhash" the password easily?
sha1 is used currently, btw.
Some code is very much appreciated.
Thanks
If you are an admin and have written the code, you don't need to know the original user's password. As an admin, you code in the right for you to do this.
This is the difference between user authentication and user authorisation.
What you are doing is right, but no, SHA, MD5 and others are one-way hashes only, so you can't unhash them (well, theoretically you could, e.g. by brute force). Letting you as an admin delete things, too, should be part of your authorisation management.
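The flow from the question and the answers above, as an added PHP example (not code from the question or either answer). It assumes a PDO connection `$pdo` to the MySQL database, a hypothetical table `ads(id, title, pass_hash)`, and a hypothetical session flag `is_admin` set at admin login; it swaps the question's plain `sha1()` for PHP's salted `password_hash()` / `password_verify()`, which is the standard replacement.

```php
<?php
// Added example, not from the original page. Assumes an existing PDO
// connection $pdo and a hypothetical table ads(id, title, pass_hash).

// put_ad.php: store only the hash of the password the poster entered.
// password_hash() salts and uses bcrypt by default; like sha1 it is one-way,
// so nothing stored here can be reversed back into the password.
function storeAd(PDO $pdo, string $title, string $password): int {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO ads (title, pass_hash) VALUES (?, ?)');
    $stmt->execute([$title, $hash]);
    return (int) $pdo->lastInsertId();
}

// Poster deletion: check the entered password against the stored hash.
// password_verify() re-hashes with the salt embedded in $hash and compares
// in constant time, so the caller never computes or compares hashes itself.
function deleteAdWithPassword(PDO $pdo, int $adId, string $entered): bool {
    $stmt = $pdo->prepare('SELECT pass_hash FROM ads WHERE id = ?');
    $stmt->execute([$adId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($entered, $hash)) {
        return false; // unknown ad or wrong password
    }
    $pdo->prepare('DELETE FROM ads WHERE id = ?')->execute([$adId]);
    return true;
}

// Admin deletion: no "unhash" is needed. The admin is identified by their own
// login (hypothetical session flag 'is_admin'), and that authorisation, not
// the poster's password, is what permits the delete.
function deleteAdAsAdmin(PDO $pdo, int $adId): bool {
    if (empty($_SESSION['is_admin'])) {
        return false; // not an admin: refuse
    }
    $pdo->prepare('DELETE FROM ads WHERE id = ?')->execute([$adId]);
    return true;
}
```

Both delete paths use prepared statements, so the ad id and password values from `$_POST` are never concatenated into the SQL.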