I have read about using MySQL AES_ENCRYPT/AES_DECRYPT (two-way encryption) is less secure than using PHP – hash() (one-way encryption).
http://bytes.com/topic/php/answers/831748-how-use-aes_encrypt-aes_decrypt
Is it true that it is more secure that ‘Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.’?
And on top of that, if I am using MySQL AES_ENCRYPT/AES_DECRYPT (which I quite keen on…), how do I define the key which can be accepted by MySQL? for instance, is the length of the key important? or can I simple use ‘123123@123123’ as my key?
thanks!
There is a fundamental difference between the two concepts, hashing and encryption:
Encryption can be reversed, hashing can’t (at least that’s the idea).
If a malicious user gains access to the passwords in a database and knows the key you used to encrypt them, they will be able to recover said passwords. If they are hashed, they won’t be able to do that.
That’s why passwords should be always be hashed (and salted), never encrypted.
AFAIK MySQL’s
AES_ENCRYPTcan take keys of arbitrary length; but obviously shorter keys will make it easier for an attacker to bruteforce it (ie: try all possible combinations)