Web Design and Web Development Forum

  1. #1
  2. Calamitie will become famous soon enough
  3. Question Why base64?

    Hi,

    I am making a new website which will highly depend on secure database entries, and somebody suggested to use base64 (base64_encode/decode) in PHP and it works great and I thought it was secure.

    After thinking about it, I couldn't understand the point of base64 at all - if somebody got into the database, even though selecting the tables would just send 'gibberish' base64, they could easily decode the base64 either with their own script or a simple Google search!

    So that led me to ask what is the point of base64 when it can be decoded just as easily as it was encoded?

    No doubt a really simple answer will come out of my question, but I thought I'd ask anyway considering I couldn't find any info. on Google (!).

    Thanks in advance,

    Michael McNeela (Calamitie)
  4. #2
  5. f1do is on a distinguished road
  6. Re: Why base64?

    What you are probably looking for is hashing, not encoding/decoding. When you hash a string it makes it impossible to turn it back to the original. But when you encode the same string two different times it returns the same string. The most used PHP hashing function is probably md5(), there's also sha1() and I can't remember any others.
  7. #3
  8. Calamitie will become famous soon enough
  9. Re: Why base64?

    Thanks for your reply.

    I was thinking about using MD5 for the database aspects, but I still wonder what would be the uses of base64 encoding, as I have seen it used a lot; but like I said, I can't see how it could add security!
  10. #4
  11. eddmun is on a distinguished road
  12. Re: Why base64?

    Base64 is used a lot for encoding files into something that can be stored in a database field. For example, you could take an image which has been uploaded to the server, Base64-encode it and store it in a database.

    Later on you could write a script that Base64-decodes that database entry and displays it to the user as an image again. If you try and put the normal contents of an image file in a query it won't work easily.

    I don't think there are any security applications for it, unless you can apply a salt to it?
  13. #5
  14. unclekyky is on a distinguished road
  15. Re: Why base64?

    All base64 does is turn the data into some printable ASCII. It should almost never be used in security.
  16. #6
  17. Calamitie will become famous soon enough
  18. Re: Why base64?

    Oh ok, that clears up a lot of questions I had...

    Basically, I am making a website which will work like 'Piczo' (but better) and I just want to make sure that people's hard work and effort doesn't get lost for the sake of me not protecting the database and generally the entire website.

    I think I will use MD5 for passwords, but then that means that I can't recover people's passwords (just generate a new, random one).

    If anyone might be able to help I'd be very grateful.

    Thanks in advance,

    Michael McNeela (Calamitie)
  19. #7
  20. Mau is on a distinguished road
  21. Re: Why base64?

    If you hash passwords, there is no realistic way to recover them; however, it still remains the best solution. To recover a password, you would want to generate a new random one.
  22. #8
  23. Nick Presta is on a distinguished road
  24. Re: Why base64?

    Yes, to "recover" a password, you would create a new one and send the email to the user. Another way would be to create a temporary secure string/etc and email it to the user. Then, using that string in the query string, if it matches the field in the database for the username, let the user create a new password themselves and update the password field.

    I would suggest using SHA1 over MD5 but it's totally up to you and it won't make a huge difference either.
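The reset flow described in the post above (temporary string emailed to the user, matched against a database field, then a new password stored), as an added PHP example that is not part of the original thread. The array standing in for the users table, the function names, the one-hour expiry and storing only a SHA-256 of the token are assumptions of this sketch; it uses PHP's built-in password_hash() for the password field instead of the md5()/sha1() calls mentioned in the thread, and needs PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table (username => row).
$users = ['alice' => [
    'password_hash'    => password_hash('old-password', PASSWORD_DEFAULT),
    'reset_token_hash' => null,
    'reset_expires'    => 0,
]];

/** Issue a one-time reset token; the return value goes in the emailed link. */
function issueResetToken(array &$users, string $user, int $now, int $ttl = 3600): ?string
{
    if (!isset($users[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    // Assumption: keep only a hash, so a leaked table holds no usable tokens.
    $users[$user]['reset_token_hash'] = hash('sha256', $token);
    $users[$user]['reset_expires']    = $now + $ttl;
    return $token;
}

/** Check the token from the query string; on a match, store the new password. */
function redeemResetToken(array &$users, string $user, string $token, string $newPw, int $now): bool
{
    $row = $users[$user] ?? null;
    if ($row === null || $row['reset_token_hash'] === null || $now > $row['reset_expires']) {
        return false;
    }
    // Constant-time comparison of the stored hash with the presented token's hash.
    if (!hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$user]['password_hash']    = password_hash($newPw, PASSWORD_DEFAULT);
    $users[$user]['reset_token_hash'] = null; // single use
    $users[$user]['reset_expires']    = 0;
    return true;
}

$now   = time();
$token = issueResetToken($users, 'alice', $now);
var_dump(redeemResetToken($users, 'alice', 'wrong-token', 'new-password', $now));
var_dump(redeemResetToken($users, 'alice', $token, 'new-password', $now + 60));
var_dump(redeemResetToken($users, 'alice', $token, 'another-one', $now + 120)); // replay
var_dump(password_verify('new-password', $users['alice']['password_hash']));
```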
  25. #9
  26. Orry Verducci is on a distinguished road
  27. Re: Why base64?

    It is generally recommended that passwords be hashed, and random ones generated when forgotten (which a lot of sites do, probably because they are hashed). In reality if someone were to hack the database and get the hashes, they could use MD5 dictionary sites which basically gather a list of what MD5s match what words, but that is where users are recommended to use numbers, different cases or in many cases, a password that isn't even a real word.
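An added PHP example (not from the thread) comparing the three storage options discussed on this page for a password column: base64, unsalted md5(), and a salted hash. The account names, passwords and the three-word list are constructed for the demo; password_hash() is PHP's built-in salted password hashing, used here as the salted case, and the arrow functions need PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample data: three accounts, two of which share a password.
$passwords = ['alice' => 'sunshine', 'bob' => 'sunshine', 'carol' => 'k7!Vq#2mZp'];

/** Build a precomputed md5 => word table, the way an MD5 dictionary site does. */
function buildLookup(array $words): array
{
    $table = [];
    foreach ($words as $w) {
        $table[md5($w)] = $w;
    }
    return $table;
}

/** Return the usernames whose stored unsalted MD5 appears in the table. */
function exposedByLookup(array $storedMd5, array $table): array
{
    return array_keys(array_filter($storedMd5, fn($h) => isset($table[$h])));
}

// 1. Base64 column: anyone who can read the column can decode it again.
$b64       = array_map('base64_encode', $passwords);
$recovered = array_map('base64_decode', $b64);

// 2. Unsalted MD5 column: equal passwords give equal hashes, and common
//    words are found in a precomputed table (word list constructed here).
$md5     = array_map('md5', $passwords);
$exposed = exposedByLookup($md5, buildLookup(['password', 'letmein', 'sunshine']));

// 3. password_hash(): a random salt per row, so equal passwords hash
//    differently and one precomputed table no longer covers every row.
$salted = array_map(fn($p) => password_hash($p, PASSWORD_DEFAULT), $passwords);

var_dump($recovered === $passwords);            // base64 round trip
var_dump($md5['alice'] === $md5['bob']);        // duplicate passwords visible
var_dump($exposed);                             // accounts found via the table
var_dump($salted['alice'] === $salted['bob']);  // salted hashes compared
var_dump(password_verify('sunshine', $salted['bob']));
```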
  28. #10
  29. eddmun is on a distinguished road
  30. Re: Why base64?

    SHA1 has been broken I think, so use MD5.