I've been looking into storing user passwords in MySQL and the ubiquitous reply is to store it using an encryption algorithm like MD5 or SHA1. But what if user x forgets her password and wants it to be sent to her? What then? I can't send her the MD5 hash! How is this issue dealt with in the real world? Are there two databases? One to compare hashes and another for forgotten passwords? But what's the difference, both would be read-only by the SQL user connecting to it at that time. So how do you do it? Thanks!!
The password hash stored by MySQL Server is generated by hashing the plain-text password twice using SHA1. When the client transmits the password to the server, it uses three pieces of information: The SHA1 hash of the plain-text password. The SHA1 hash of the SHA1 hash of the plain-text password.
The password hashes are stored in the user table of the mysql database. The table files themselves are typically stored in a tree structure under /var/lib/mysql, but that location can be modified by build options or run-time configuration.
MySQL stores credentials in the user table in the mysql system database. Operations that assign or modify passwords are permitted only to users with the CREATE USER privilege, or, alternatively, privileges for the mysql database (INSERT privilege to create new accounts, UPDATE privilege to modify existing accounts).
Hashing allows passwords to be stored in a format that can't be reversed in any reasonable amount of time or at any reasonable cost for a hacker. Hashing algorithms turn the plaintext password into an output of characters of a fixed length.
It's pretty standard security practice to never send users their password. Instead, you offer a password reset utility that is tied to their ability to access their e-mail account, and/or their ability to answer a question about their profile (like a security question or what postal code they live in).