 

Storing passwords in mysql... use a hash right? but how do you send the user a forgotten password?

I've been looking into storing user passwords in mysql and the ubiquitous reply is to store it using an encryption algorithm like MD5 or SHA1. But what if user x forgets her password and wants it to be sent to her? What then? I can't send her the md5 hash! How is this issue dealt with in the real world? Are there two databases? One to compare hashes and another for forgotten passwords? But what's the difference, both would be read-only by the sql user connecting to it at that time. So how do you do it? Thanks!!

eatonphil asked Nov 09 '12 14:11




1 Answer

It's pretty standard security practice to never send users their password. Instead, you offer a password reset utility that is tied to their ability to access their e-mail account, and/or ability to answer questions about their profile (like a security question or what postal code they live in).

Functionality Outline:

  1. User clicks "forgot password link"
  2. User enters security challenge information (e-mail address, security question if desired)
  3. System sends password reset e-mail with auto-generated link (with generated GUID in a querystring for instance)
  4. System creates a password reset record containing the reset GUID, what user it is for, and when the key will time out.
  5. User retrieves e-mail, clicks on link.
  6. System matches GUID, deletes password reset record, sends user to password reset page.
pseudocoder answered Nov 11 '22 03:11