2

I am going through this tutorial and I am using the ENCRYPT MySQL function.

http://www.pixelinx.com/2010/10/creating-a-mail-server-on-ubuntu-using-postfix-courier-ssltls-spamassassin-clamav-and-amavis/

But now I have the problem of how to decrypt the encrypted password in MySQL or in PHP. I want to compare if the password entered is the same as the encrypted one.

How can I compare it? MySQL must be encrypted with the ENCRYPT function!

I am searching but I cannot find anything on how to decrypt the ENCRYPT MySQL function...

5
  • 6
    If you're trying to decrypt a password, you're doing it wrong. Commented May 10, 2013 at 15:42
  • 1
    you compare the encrypt()ed hashes select ... where savedhash=encrypt('newpassword'). Commented May 10, 2013 at 15:42
  • Strange for the tutorial to tell you how to encrypt it but not what to do with it once it's encrypted. Commented May 10, 2013 at 15:45
  • Marc, it is never the same, I already tried, probably because of SALT. Commented May 10, 2013 at 15:45
  • 3
    The term "encrypt" is wrong. The passwords are not encrypted but hashed. Commented Feb 2, 2016 at 7:13

3 Answers

15

ENCRYPT is using a one-way hash algorithm; there is no DECRYPT. That's the sense of encrypting passwords: a hacker should have no option to see the clear text passwords.

When you need to compare a password in the db with one a user has entered, use a query like this (using prepared queries):

SELECT * FROM `user`
WHERE `name` = 'hek2mgl'
  AND `password` = ENCRYPT('user_input', `password`)

The ENCRYPT function will output a "salted" string prefixed with the salt itself, so feeding it back the encrypted password will re-supply the original salt.


3 Comments

The encrypt function always returns different values, so it cannot be used in a query; instead use the password function.
Yeah, you are right, when called without a salt argument it uses a random salt. I wasn't aware of this when writing the answer. Your comment is much appreciated. After reading the manual, I still think that it can be used for password encryption tasks, but it is necessary to handle the salt properly. I'll edit the answer soon.
See: man crypt - the default "random" salt value is the first two chars of the encrypted phrase.
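
Added example, not part of the original answers or comments: the same salt re-supply check done in PHP with crypt() and hash_equals(), showing why a freshly salted hash never matches the stored one while re-hashing with the stored hash as the salt does. verify_crypt_password() is a hypothetical helper name, and every password and salt in it is a constructed sample value.

```php
<?php
// Added example, not code from the original answers.
// verify_crypt_password() is a hypothetical helper; all passwords and
// salts below are constructed sample values.

/**
 * Check a candidate password against a crypt(3)-format hash, the format
 * MySQL's ENCRYPT() stores. The stored hash carries its own salt (and,
 * for "$6$..." hashes, the algorithm id) as a prefix, so passing it as
 * the salt argument reproduces the original computation. This mirrors
 * ENCRYPT('user_input', `password`) in SQL.
 */
function verify_crypt_password(string $candidate, string $storedHash): bool
{
    // Traditional DES crypt output is 13 characters; anything shorter
    // is not a usable hash (empty column, truncated value).
    if (strlen($storedHash) < 13) {
        return false;
    }
    $recomputed = crypt($candidate, $storedHash);
    // Constant-time comparison; also false when the lengths differ.
    return hash_equals($storedHash, $recomputed);
}

// Same password, two different salts: the stored strings differ, which is
// why comparing against a freshly salted hash never matches.
$desA = crypt('s3cret-example', 'ab');   // 2-char salt => traditional DES
$desB = crypt('s3cret-example', 'cd');
var_dump($desA === $desB);
var_dump(verify_crypt_password('s3cret-example', $desA));
var_dump(verify_crypt_password('wrong-guess', $desA));

// Traditional DES crypt only uses the first 8 characters of the password,
// so a candidate sharing that 8-character prefix is accepted as well.
var_dump(verify_crypt_password('s3cret-eXXXXXX', $desA));

// SHA-512 crypt ("$6$" prefix) uses the whole password.
$sha512 = crypt('s3cret-example', '$6$constructedsalt$');
var_dump(verify_crypt_password('s3cret-example', $sha512));
var_dump(verify_crypt_password('s3cret-eXXXXXX', $sha512));
```
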
4

You can't decrypt the password - it is encrypted with one-way encryption.

What you need to do is encrypt the entered password and compare the result with the stored encrypted password.


0

You don't need to DECRYPT the password. In order to check if a user submitted the correct password, just RE-ENCRYPT the password given by the user and check if it matches the one stored in your database.

Moreover, a simple hash function will suffice (avoid MD5 and make use of salt to prevent dictionary or rainbow-tables attacks!)

2 Comments

so you suggest ENCRYPT('passwor', 'dsljfljfsdljfljsdf')
I'd suggest $hashed_pass = sha1("password+salt");. Salt should be used every time you hash your password, you can generate the salt from user data, keep secret the salt-generation process, store it in the db, and assure it's unique for every user.
