Simple Password Question.
Posted: Thu Jun 01, 2006 9:19 pm
by tecktalkcm0391
Would it be better to use the encrypt feature of PHP or the md5 feature for the password to logon to my site?
Posted: Thu Jun 01, 2006 9:36 pm
by hawleyjr
Neither.
Search this forum for salt, sha1 and password. BTW, none of the above are encrypted.

Posted: Thu Jun 01, 2006 9:46 pm
by tecktalkcm0391
Is this encrypted and secure:
<?php
$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";
$td = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$encrypted_data = mcrypt_generic($td, $input);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
?>
Posted: Thu Jun 01, 2006 9:56 pm
by Ambush Commander
It is encrypted and secure, for that context: making sure a message can only be read by a recipient. That's not the kind of security you are aiming for with passwords.
Posted: Thu Jun 01, 2006 9:59 pm
by tecktalkcm0391
Well, what do you suggest? I was thinking about doing the same thing with the post[ed code], but wherever the password is needed it encrypts or decrypts using the same key.
Posted: Thu Jun 01, 2006 10:09 pm
by tecktalkcm0391
Or would this be better:
<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>
Posted: Thu Jun 01, 2006 10:11 pm
by hawleyjr
Ambush Commander wrote: That's not the kind of security you are aiming for with passwords.

Posted: Thu Jun 01, 2006 10:15 pm
by tecktalkcm0391
Then what would be the right security? Can you tell me a little more in depth, like, do this one because....
Posted: Thu Jun 01, 2006 10:17 pm
by hawleyjr
hawleyjr wrote:Neither.
Search this forum for salt, sha1 and password. BTW, none of the above are encrypted.

Lots of repeating going on here

Posted: Thu Jun 01, 2006 11:04 pm
by tecktalkcm0391
Well, sorry, I searched and didn't find anything that helped.
Posted: Thu Jun 01, 2006 11:08 pm
by hawleyjr
Posted: Thu Jun 01, 2006 11:11 pm
by tecktalkcm0391
OK, cool. Could I use that along with something like:
<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>
Posted: Sat Jun 03, 2006 1:06 pm
by tecktalkcm0391
Can anyone tell me if that is good?
Posted: Sat Jun 03, 2006 1:49 pm
by bdlang
I think what everyone's trying to say is: forget about 'encrypting' the password, it's unnecessary. Use a HASH instead, like suggested with sha1 (although sha1 has recently been found to be not as 'secure' as thought, it's still fine for the intended purpose) with a SALT, and store the value in the database. When logging the user back in, compare the hashed password value with the SALT against the HASH stored in the database. That's it.
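The salted-hash flow bdlang describes, as an added example that is not part of the original thread: it uses PHP's built-in password_hash() and password_verify() in place of a hand-rolled salt plus sha1. The $users array, the function names and the sample accounts are constructed for illustration.

```php
<?php
// Added example: in-memory user table standing in for the database (constructed data).
$users = [];

// Registration: store only the salted hash, never the password itself.
function register_user(array &$users, string $name, string $password): void
{
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the string it returns.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: re-hash the submitted password with the stored salt and compare.
function check_login(array &$users, string $name, string $password): bool
{
    // Unknown user: verify against a dummy hash anyway, so the response
    // time does not reveal whether the account exists.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $stored = $users[$name] ?? $dummy;

    // password_verify() reads the salt out of $stored and compares in constant time.
    $ok = password_verify($password, $stored) && isset($users[$name]);

    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Two constructed accounts that happen to share one password.
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

var_dump(check_login($users, 'alice', 'correct horse battery staple')); // right password
var_dump(check_login($users, 'alice', 'wrong guess'));                  // wrong password
var_dump(check_login($users, 'mallory', 'anything'));                   // unknown user

// Same password, different random salts: compare the two stored strings.
var_dump($users['alice'] === $users['bob']);
```

Nothing in this scheme can return the original password; the stored string only lets the site check a submitted guess.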
Posted: Sat Jun 03, 2006 9:05 pm
by tecktalkcm0391
The reason I am aiming for encryption is that I want the users to be able to retrieve their password, and get it sent to them.