
encrypt password help!

Posted: Tue Aug 06, 2002 10:45 am
by kaily
Can anyone tell me which function I should use to encrypt passwords?!
The MD5 function or the CRYPT function?!
It's said that the md5 function isn't used for encrypting passwords!?
See this http://www.zend.com/phorum//read.php?nu ... read=19743
The crypt function seems unable to encrypt a password of more than 8 chars (if it is more than 8 chars, the encrypted string will be the same as the 8-char encrypted string). For example:
crypt("asdfasdf",CRYPT_STD_DES);
and
crypt("asdfasdf",CRYPT_STD_DES);
will both get the same result - "1$h8Gevj7GPBs")

Any idea?

Sorry for my English! :oops:

Posted: Tue Aug 06, 2002 12:48 pm
by dazer
Hi.

I don't know it exactly, but I think the crypt function only looks at the first 8 chars in your string, like passwords on *nix machines (is that still the fact?).

Personally, I would use the MD5-algorithm, it uses more (all?) chars and is IMHO used more than crypt and is safer.

Posted: Tue Aug 06, 2002 3:01 pm
by Mahmoud
hmm .. almost all php scripts (free and commercial) which encrypt passwords use md5 ..

Posted: Wed Aug 07, 2002 1:38 am
by daemorhedron
md5() is often used, but keep in mind that it is one way, and it's really a checksum. It will overcome the problem you are currently facing though. If you are looking for proper encryption, or are looking to encrypt and decrypt, look into the mcrypt or openssl libs for php, or shell out to pgp.

HTH

Posted: Wed Aug 07, 2002 1:47 am
by DesignerSMS
OK, encrypting passwords.

For security's sake, it is best to put a password through some sort of hashing function (which is exactly what the MD5 and crypt functions are).

What this means is that some mathematical formula is run over the password and a simplified number that relates to the original password string is created. Note, with hashing functions it is impossible to retrieve the original password from the hashed version.

So, if this password is only one-way, how can we verify it against the password entered by the user trying to get into our site? Easy! All we have to do is compare the MD5 hash of the entered password with that of the original password stored in our database, like so:


if (md5($_POST['password']) == $databaseMD5Password) {
  // The passwords match
}
else {
  // Oops, the user has entered the wrong password
}
The only way to crack this type of password is through brute force which means trying every possible password's MD5 hash with the one in the database.

However, be warned! Most sites will send the user password from the client (browser) to the server in clear text. The only real way to secure this data is via SSL otherwise, all a hacker has to do is sniff the packets coming into your server for all the plain text passwords being sent for authentication.

Hope this helps.

:: Kondro ::

Posted: Wed Aug 07, 2002 2:38 am
by kaily
Thanks, all!
but why
crypt("asdfasdf",CRYPT_STD_DES);
and
crypt("asdfasdfas",CRYPT_STD_DES);
will both get the same string "1$h8Gevj7GPBs"?

Posted: Wed Aug 07, 2002 3:04 am
by DesignerSMS
Crypt will only look at the first 8 characters of the string.

I would suggest using MD5 - it is ultra efficient and has no maximum length for the seed value (you can use md5_file(filename) to generate a checksum for an entire file).

Also, it is statistically impossible for any 2 MD5 checksums to be alike (there is over a 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000 chance that 2 values will be the same) and even a small change in the source value will have a huge effect on the checksum.

By the way, crypt is 15 orders below (10 to the 15th power) this probability and only looks at the first 8 characters for efficiency.

The result of an MD5 hash is also a safe string because it only contains the values 0-9 and a-f (hex values) whereas crypt() returns basically any ASCII characters in its result.


Hope this helps.

:: Kondro ::
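To show both points Kondro makes above (traditional DES crypt keeps only 8 characters, and the md5-compare login check) in runnable form, here is an added PHP example; it is not code from the thread. The two-character salt "ab" is assumed (CRYPT_STD_DES is a capability flag equal to 1, not a salt, which is why kaily's call produced the odd "1$" prefix), and the comparison is written with hash_equals() rather than == as the caveat a practitioner would want; modern PHP provides password_hash() for this job, but the example sticks to the functions the thread discusses.

```php
<?php
// Added example, not from the thread. Demonstrates:
//  1. why crypt() with a traditional DES salt gives the same result for
//     "asdfasdf" and "asdfasdfas" (DES crypt uses only the first 8 bytes);
//  2. how the md5-hash login check should be written so the comparison
//     itself does not leak anything or mis-compare.

// Traditional DES crypt: 2-character salt, 8 characters of input used.
// Salt "ab" is an assumed value; any two chars from [./0-9A-Za-z] work.
function des_hashes_collide(string $a, string $b, string $salt = 'ab'): bool {
    return crypt($a, $salt) === crypt($b, $salt);
}

var_dump(des_hashes_collide('asdfasdf', 'asdfasdfas'));  // bool(true): 9th+ chars ignored
var_dump(des_hashes_collide('asdfasdf', 'asdfasdX'));    // bool(false): 8th char differs

// Store the md5 digest at registration, as the thread suggests.
function md5_store(string $password): string {
    return md5($password);   // 32 lowercase hex characters
}

// Verify at login. hash_equals() compares in constant time. A plain ==
// short-circuits on the first differing byte and, because PHP compares
// numeric-looking strings as numbers, treats two digests of the form
// "0e<digits>" as equal even when they are different strings.
function md5_verify(string $entered, string $storedMd5): bool {
    return hash_equals($storedMd5, md5($entered));
}

$stored = md5_store('asdfasdfas');
var_dump(md5_verify('asdfasdfas', $stored));  // bool(true)
var_dump(md5_verify('asdfasdf', $stored));    // bool(false): md5 uses every byte
```

Run with `php example.php`; the four var_dump lines show the truncation in DES crypt and the full-length sensitivity of md5 side by side.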

MD5 & CRYPT

Posted: Wed Aug 07, 2002 3:07 am
by Takuma
I use MD5 to encrypt my visitors password. I think MD5 is better than CRYPT function.... Well that's what I think anyway :lol: