Encryption of a string

Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

How can I really securely encrypt a password? I know there is a thing called salting, but I don't know how to use it or why I should use it. I'm only using MD5 at the moment but I don't think it's secure enough... Help!
dusty
Forum Contributor
Posts: 122
Joined: Sun Apr 28, 2002 9:52 pm
Location: Portsmouth, VA

Post by dusty »

a quick fix for salting is to make the password a combination of the username and password encrypted.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

OK...
But I need to know what is salting and which encryption I should use...
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

It's weird... PHP has crypt(), yet they don't have decrypt(). :evil:
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

Anybody know the address of a tutorial about serialisation?
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

I think it depends on what kind of data you're going to be storing.

If you're keeping people's credit card information in your database you should use high-end security, but if you have an online forum or some small application like that, MD5 seems fine.

p.s. I remember the good old days of takuma defending md5 to the death, hehe :)
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

All I can say is:

RTFM
dusty
Forum Contributor
Posts: 122
Joined: Sun Apr 28, 2002 9:52 pm
Location: Portsmouth, VA

Post by dusty »

If someone enters a password and has access to your database and sees someone with the same encryption string, they know what the password is. So if you salt the password and then encrypt it, it will be a different string with the same password.

i.e.:

I was saying to just use your username and password.

$username = "dusty";
$password = "pass";
$password = $username . $password;

If you do md5($password) you come up with:
2a6d00fb64466476f4696aefa59f40d8

whereas if you md5 the unsalted password you'd get:
1a1dc91c907325c69271ddf0c944bc72

Providing your own salt might even be a better idea; that way no one can go through md5($user_pass_combo) until they find a match.

There is no 100% secure encryption method. MD5 alone is probably enough, but adding salt wouldn't hurt.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

Thanks.. :D
And hob_goblin, is "RTFM" a type of encryption?

P.S. JPlush76 -> :lol:
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

RTFM is hob_goblin's way of telling you to go read the manual. Basically, do some homework before you ask the question, like searching the forum or doing searches in the manual and generally on the web.

Mac
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

OK, thanks. I did a bit though... :oops: Looks like 2 hours of searching wasn't good enough :cry:
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

What would make a good salt if I use the email address as their username?

I wouldn't want to use the email address to salt with because they can always change their email address, and then their password wouldn't match up.

Any thoughts?
dusty
Forum Contributor
Posts: 122
Joined: Sun Apr 28, 2002 9:52 pm
Location: Portsmouth, VA

Post by dusty »

In that case, just use your own salt.

$salt = "9sdf8a72";
$password = $password . $salt;
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

A good salt should not be predictable. If you use either username or email, the salt for a given user is predictable; this allows the attack to begin prior to compromising any accounts.

See http://www.devnetwork.net/forums/viewto ... c&start=15 for an earlier post of mine about this. (Actually page one of the thread is good too.) Also see http://www.devnetwork.net/forums/viewto ... 6&start=15 for examples of how these different tools fit together. (My second post on that page)
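The difference between the salting strategies discussed in dusty's and nielsene's posts, as an added example that is not code from the thread: it takes two users who happen to pick the same password and checks, for each strategy, whether a reader of the password table could tell that the passwords are equal. The usernames, the shared password and the site-wide salt are constructed sample values (the salt string is the one dusty posted), and md5 is kept only because it is what the thread uses.

```php
<?php
// Added example, not code from the thread: compares the salting strategies
// discussed above for two users who happen to pick the same password.
// Usernames, the shared password and the site-wide salt are constructed
// sample values; md5 is kept only because it is what the thread uses.

declare(strict_types=1);

// No salt: identical passwords give identical digests in the database.
function hashUnsalted(string $username, string $password): string
{
    return md5($password);
}

// Fixed site-wide salt (the "$salt = '9sdf8a72'" idea): still identical
// across users, so a shared password is still visible in the table.
function hashSiteSalt(string $username, string $password): string
{
    return md5($password . '9sdf8a72');
}

// Username as salt: differs per user, but the salt is known before any
// account is compromised, so per-account precomputation is possible.
function hashUsernameSalt(string $username, string $password): string
{
    return md5($username . $password);
}

// Random per-user salt: 128 bits from the CSPRNG, stored beside the hash.
function makeRandomSalt(): string
{
    return bin2hex(random_bytes(16));
}

function hashRandomSalt(string $salt, string $password): string
{
    return md5($salt . $password);
}

// Does a strategy let a database reader see that two users share a password?
// hash_equals() is used so the comparison itself is constant-time.
function leaksSharedPassword(callable $hasher, string $password): bool
{
    $a = $hasher('dusty', $password);   // constructed user 1
    $b = $hasher('takuma', $password);  // constructed user 2
    return hash_equals($a, $b);
}

$password = 'pass'; // constructed: both users chose this password

$strategies = [
    'unsalted'  => 'hashUnsalted',
    'site salt' => 'hashSiteSalt',
    'username'  => 'hashUsernameSalt',
    'random'    => function (string $u, string $p): string {
        // A fresh salt per registration, as it would be stored per user.
        return hashRandomSalt(makeRandomSalt(), $p);
    },
];

foreach ($strategies as $name => $hasher) {
    printf("%-10s leaks shared password: %s\n",
        $name, leaksSharedPassword($hasher, $password) ? 'yes' : 'no');
}
```

Running it shows that both the unsalted and the fixed site-wide salt produce the same stored string for both users, so neither addresses the problem dusty raised; the username salt and the random salt both give distinct strings, and only the random one is unknown to anyone who has not already read the salt column.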
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

I had an idea:

Have two tables, one for the user info, and one for salts.

Upon registration, generate a random salt into a variable.
Use that salt to encrypt the password. Take the encryption, and use it as the identifier to pull out the random salt from the second table, and then run that salt against the inputted password to see if it equals the value in the first.

Make sense? :P
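A working version of the two-table layout from the post above, added here as an example and not hob_goblin's own code: the salt table is keyed by the user id rather than by the hash, because at login the salt has to be fetched before the hash can be recomputed, so the hash cannot also be the lookup key. The tables are in-memory arrays standing in for database rows, the user names and passwords are constructed sample values, and md5 is kept to match the thread.

```php
<?php
// Added example, not hob_goblin's own code: two "tables" (in-memory arrays
// here) where the random salt lives in its own table keyed by user id.
// The salt must be known before the hash can be recomputed at login, so the
// user id, not the hash, is the key into the salt table.

declare(strict_types=1);

$users  = [];  // user_id => ['name' => string, 'pw_hash' => string]
$salts  = [];  // user_id => salt (hex string)
$nextId = 1;

function computeHash(string $salt, string $password): string
{
    // md5 kept to match the thread; see the note after this block.
    return md5($salt . $password);
}

// Registration: make a random salt, store it in the salt table, store the
// salted hash in the user table, both under the same new user id.
function registerUser(array &$users, array &$salts, int &$nextId,
                      string $name, string $password): int
{
    $id   = $nextId++;
    $salt = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $salts[$id] = $salt;
    $users[$id] = ['name' => $name, 'pw_hash' => computeHash($salt, $password)];
    return $id;
}

function findUserId(array $users, string $name): ?int
{
    foreach ($users as $id => $row) {
        if ($row['name'] === $name) {
            return $id;
        }
    }
    return null;
}

// Login: look up the user, fetch that user's salt, recompute the hash and
// compare it in constant time against the stored value.
function loginUser(array $users, array $salts, string $name, string $password): bool
{
    $id = findUserId($users, $name);
    if ($id === null || !isset($salts[$id])) {
        // Unknown user: still do one hash so the response time does not
        // differ between existing and non-existing names.
        computeHash('placeholder-salt', $password);
        return false;
    }
    $candidate = computeHash($salts[$id], $password);
    return hash_equals($users[$id]['pw_hash'], $candidate);
}

// Constructed sample run.
registerUser($users, $salts, $nextId, 'takuma', 'correct horse');
var_dump(loginUser($users, $salts, 'takuma', 'correct horse'));
var_dump(loginUser($users, $salts, 'takuma', 'wrong password'));
var_dump(loginUser($users, $salts, 'nobody', 'correct horse'));
```

Whether the salt sits in a second table or in a column next to the hash makes no difference to an attacker who can read the whole database; what matters is that the salt is random and per user, and that the comparison is done with hash_equals() rather than ==. On current PHP (5.5 and later) the built-in password_hash() and password_verify() functions do the per-user random salt and a deliberately slow hash for you, which is what a new application should use instead of md5.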