crypt()?

virgil
Forum Commoner
Posts: 59
Joined: Thu Jun 13, 2002 11:43 pm
Location: New York, U.S.

crypt()?

Post by virgil »

Hey PhP's

Can anyone elaborate on the crypt() function? The manual is kind of vague. I just want to hide the users' passwords in the DB for now.

I send this to the database from a (submission form)

if ($password === $confirm_password) {
    $password = crypt($password);
}


INSERT INTO .... (password) VALUES ('$password') bla..bla..

The password is stored encrypted. Fine.

Now on the update login form
I have always used

UPDATE ..... WHERE password = $password

I tried changing the user's login password (used to compare to the one in the database) with
$password = crypt($password); before UPDATE ..... WHERE password = $password, but the encryption changed (no match; I should have seen that coming). How exactly can I use crypt() to compare the passwords?

And what the Hell is salt? I know I can read a book on encryption, but PhP has already taken over my life! There's no room left right now! I'll get to encryption later. I have to keep on movin, or I never finish this. You know, I wish there was a way to get paid for doin this. You have to love the insanity. It's like a drug, only more addicting.....
Thanks for the help. :) Virgil
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

I don't exactly get what you're asking.

OK, now that you put it in encrypted,
just try

$password = crypt($user_inputted_pass);

// escape user-supplied values before interpolating them into the query
$user_inputted_name = mysql_real_escape_string($user_inputted_name);
$password = mysql_real_escape_string($password);

$qry = mysql_query("SELECT * FROM table WHERE username = '$user_inputted_name' AND password = '$password'");

if (mysql_num_rows($qry) == 0) {
    echo "wrong password/username";
} else {
    // log in
}

is that what you wanted to know?
virgil
Forum Commoner
Posts: 59
Joined: Thu Jun 13, 2002 11:43 pm
Location: New York, U.S.

Post by virgil »

Hey Hob

Sorry for not being clearer.
You're right. Your code was exactly what I tried to describe and tried to do. But it wouldn't work, because "$password = crypt($user_inputted_pass);" changes the encryption of the password the second time around so that it doesn't match.

The first time (sent to the database to "register"), "dog" = H4js#KD

$user_inputted_pass = "dog";
$password = crypt($user_inputted_pass);
// "dog" = H4js#KD

The second time (trying to compare to what's in the DB), "dog" = %jdsKWX

$user_inputted_pass = "dog";
$password = crypt($user_inputted_pass);
// "dog" = %jdsKWX

The same exact word put through $password = crypt($user_inputted_pass); again is encrypted differently. How do you get them to equal for a comparison?

The manual had something about a second argument for crypt()

if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
}

But I don't really get it. Which is which? And can it be used in a WHERE clause?


Any help would be most appreciated
Thanks again .........Virgil
rd64pro
Forum Newbie
Posts: 7
Joined: Tue Jun 18, 2002 6:10 pm
Location: Sacramento, CA

crypt()

Post by rd64pro »

Virgil,

The "salt" value is what the encryption method is based on - it's just two characters in length. The encryption salt value is a similar approach to the "seed" value of a random number generator, so think of it that way. If you do not supply a salt value to use, a random one will be used instead. That means that if, later on, you try comparing two encrypted passwords using a random salt, you won't get a match.

After the password has been encrypted using crypt(), the first two characters of the encrypted password will be the salt value. So, if you didn't supply a salt when initially storing the password, you can do this to accurately compare encrypted passwords:

// grab the salt value that was used to initially encrypt the password
$salt = substr($stored_password, 0, 2);

// include that same value as an argument when encrypting the
// user-supplied password
if ($stored_password == crypt($supplied_password, $salt)) {
echo 'password validated!';
}

I hope this helps!

-Ryan
virgil
Forum Commoner
Posts: 59
Joined: Thu Jun 13, 2002 11:43 pm
Location: New York, U.S.

Post by virgil »

That was it!

$salt = "ab";
$password = crypt($password, $salt);

UPDATE .... WHERE password = '$password'

It's a match! :D :D :D


Thanks once again!


Virgil
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

just a note: for passwords, it's better to use md5() than crypt(), not to mention a whole lot easier. just do

$password = md5($password);

Martin L
Forum Newbie
Posts: 2
Joined: Wed Jul 10, 2002 3:49 pm

Post by Martin L »

Just another note:
Using the md5 algorithm (or crypt() with a fixed salt for that matter) will always return the same hash for the same password.

The point in using a salt is that the crypt() function returns a different hash depending on which salt is used. This means that 2 users can have the same password but still have different hashes stored in e.g. a database. If this was not the case, a cracker could identify users using the same password just by looking at the hashed passwords (which is bad because she could gain access to two user accounts by cracking just one password).

That is why it is better to use the crypt() function like this:

$hashed_psw = crypt($entered_psw);

and for verifying the psw later on:

if ($hashed_psw == crypt($entered_psw, $hashed_psw)) {
    // valid login
} else {
    // invalid login
}

This method also has the benefit of letting crypt() use the best available hashing, e.g. salted md5 or blowfish. Forcing crypt() to use a 2-letter salt means that it will use standard DES, which is weaker.

=Martin L
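The two mechanisms discussed above, rd64pro's "pull the salt back out of the stored string" trick and Martin L's "pass the stored hash back in as the salt" idiom, as an added example that is not code from the thread. It assumes PHP 7.0 or later (random_bytes(), hash_equals()) with crypt() built with bcrypt support, which stock PHP has had since 5.3; the function names and the cost of 12 are the example's own choices. It generates a bcrypt salt itself rather than relying on crypt() picking a random one, because later PHP versions require the salt argument.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0 (random_bytes,
// hash_equals) and a crypt() with bcrypt ("$2y$") support.

// Build a bcrypt salt string: "$2y$" . two-digit cost . "$" . 22 salt chars
// drawn from [./A-Za-z0-9]. The salt bytes come from the CSPRNG.
function make_bcrypt_salt(int $cost = 12): string
{
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// Hash a new password. The returned 60-char string embeds the algorithm,
// cost and salt, so nothing else needs to be stored next to it.
function hash_password(string $plain): string
{
    $hash = crypt($plain, make_bcrypt_salt());
    // crypt() reports an unusable salt/algorithm with a short "*0" or "*1".
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// Verify by passing the stored hash back in as the "salt": crypt() reads the
// algorithm, cost and salt out of it and repeats the same computation.
// hash_equals() compares in constant time instead of with ==.
function verify_password(string $plain, string $stored): bool
{
    return hash_equals($stored, crypt($plain, $stored));
}

// The legacy DES form from earlier in the thread: a 2-char (12-bit) salt and
// only the first 8 bytes of the password are used, which is why a fixed salt
// such as "ab" should not be used for anything new.
function des_example(): array
{
    $stored = crypt('dog', 'ab');        // 13 chars, begins with the salt "ab"
    $salt   = substr($stored, 0, 2);     // the substr() trick from rd64pro's post
    return [
        'DES: salt is the first 2 chars'   => $salt === 'ab',
        'DES: verify with extracted salt'  => hash_equals($stored, crypt('dog', $salt)),
        'DES: verify with whole hash'      => hash_equals($stored, crypt('dog', $stored)),
        'DES: only first 8 chars matter'   => crypt('dogdogdogA', $stored) === crypt('dogdogdogB', $stored),
    ];
}

// Two users with the same password get different stored strings, and each
// still verifies only against its own record.
$alice = hash_password('dog');
$bob   = hash_password('dog');

$checks = [
    'different hashes for same password' => $alice !== $bob,
    'alice verifies'                     => verify_password('dog', $alice),
    'wrong password rejected'            => !verify_password('cat', $alice),
    'bob does not verify with alice hash'=> !verify_password('dog', $bob) === false && verify_password('dog', $bob),
    'salt is part of the stored string'  => substr($alice, 0, 7) === '$2y$12$',
];

foreach ($checks + des_example() as $name => $ok) {
    printf("%-38s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

Because the stored string carries its own salt, the WHERE clause comparison from the earlier posts is the wrong shape: select the row by username, then call verify_password() in PHP on the fetched hash. Two caveats worth knowing about bcrypt specifically: it uses at most the first 72 bytes of the password, and it stops at the first NUL byte.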
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

yeah, salted md5 is better, but some systems don't support it (mine)
EricS
Forum Contributor
Posts: 183
Joined: Thu Jul 11, 2002 12:02 am
Location: Atlanta, Ga

Question about storing passwords with crypt() or md5()

Post by EricS »

I can understand the reasons for storing passwords encrypted into a database. But what if the user forgets the password and needs it say emailed to them, like so many sites do. How do you unencrypt the passwords to send back? I thought crypt used a one way algorithm that couldn't be reversed?


Just a thought!
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

generally, the better way to handle that is to generate a new random password, set that as their password and let them change it to what they want.
You are correct though, these functions are one way.
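The reset flow llimllib describes, as an added example that is not code from the thread: a random temporary password is generated, only its hash is stored, and the plaintext is handed back exactly once for delivery. It goes a little beyond the post by expiring the temporary password and forcing a change on first use. It assumes PHP 7.0 or later for random_int() and uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which wrap crypt()'s bcrypt mode and generate the salt themselves; the user record is a constructed in-memory stand-in for a database row, and all function names are the example's own.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0 (random_int)
// and password_hash()/password_verify() (PHP >= 5.5).

// A temporary password from the CSPRNG, using an alphabet without look-alike
// characters (no 0/O, 1/l/I) since a person will read and type it.
function generate_temp_password(int $length = 16): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $last)];
    }
    return $out;
}

// Replace the user's credential with a temporary one. The record (a constructed
// stand-in for the DB row) keeps only the hash; the plaintext is returned once,
// for delivery to the user, and is never written anywhere.
function reset_password(array $user, int $ttl_seconds = 3600): array
{
    $temp = generate_temp_password();
    $user['password_hash'] = password_hash($temp, PASSWORD_BCRYPT);
    $user['must_change']   = true;
    $user['temp_expires']  = time() + $ttl_seconds;
    return [$user, $temp];
}

// Login: check the hash, and refuse a temporary password that has expired.
function login(array $user, string $supplied): bool
{
    if (!password_verify($supplied, $user['password_hash'])) {
        return false;
    }
    if (!empty($user['must_change']) && time() > $user['temp_expires']) {
        return false;
    }
    return true;
}

// When the user picks a new password, clear the temporary-credential flags.
function change_password(array $user, string $new_plain): array
{
    $user['password_hash'] = password_hash($new_plain, PASSWORD_BCRYPT);
    unset($user['must_change'], $user['temp_expires']);
    return $user;
}

// Constructed sample record: the user registered with the password "dog".
$user = ['username' => 'virgil', 'password_hash' => password_hash('dog', PASSWORD_BCRYPT)];
list($user, $temp) = reset_password($user);

$results = [
    'old password rejected'    => !login($user, 'dog'),
    'temporary password works' => login($user, $temp),
    'plaintext not in record'  => strpos(implode(' ', $user), $temp) === false,
];

$user = change_password($user, 'correct horse battery staple');
$results['temporary password revoked'] = !login($user, $temp);
$results['new password works']         = login($user, 'correct horse battery staple');

foreach ($results as $name => $ok) {
    printf("%-28s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

Sending the temporary password over e-mail is still sending a credential in the clear, which is why the example gives it a short lifetime and forces a change on first login; the same structure works for a one-time reset link, with the random token stored hashed in place of the temporary password.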