On Fri, May 6, 2011 at 8:50 AM, Jeff Pang wrote:
No. there is no such thing called decryption if you want to protect
your passwords strictly. Agreed.
Generally we crypt the user's password with md5 or similar and
store them to a database. When user input their username and
password from the web from to login, we re-encrypt the
password and compare it to the database.
Basically, yes. You use some kind of one-way hashing function
(i.e., something that can't practically be reversed) and store
the result of that. Later when the user enters their password you
hash what they entered and compare it to the stored hash. Often
you also generate a user-specific "salt", which you combine with
the password in some standard way prior to hashing so that the
same passwords will appear different in the database for
different users (for a slight bit of extra security).
The encryption function could be md5:
AFAIK, MD5 is no longer considered secure so you should probably
use something better for optimal results. I'm not sure what you
should use, but I'm sure if you ask the Web you will find plenty
US-CERT of the U. S. Department of Homeland Security said MD5
"should be considered cryptographically broken and unsuitable
for further use," and most U.S. government applications now
require the SHA-2 family of hash functions.