Simple Password Question.

Posted: Thu Jun 01, 2006 9:19 pm
by tecktalkcm0391
Would it be better to use the encrypt feature of PHP or the md5 feature for the password to logon to my site?

Posted: Thu Jun 01, 2006 9:36 pm
by hawleyjr
Neither.

Search this forum for salt, sha1 and password. BTW, none of the above are encrypted :)

Posted: Thu Jun 01, 2006 9:46 pm
by tecktalkcm0391
Is this encrypted and secure:

Code:

<?php
   $key = "this is a secret key";
   $input = "Let us meet at 9 o'clock at the secret place.";

   $td = mcrypt_module_open('tripledes', '', 'ecb', '');
   $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
   mcrypt_generic_init($td, $key, $iv);
   $encrypted_data = mcrypt_generic($td, $input);
   mcrypt_generic_deinit($td);
   mcrypt_module_close($td);
?>

Posted: Thu Jun 01, 2006 9:56 pm
by Ambush Commander
It is encrypted and secure, for that context: making sure a message can only be read by a recipient. That's not the kind of security you are aiming for with passwords.

Posted: Thu Jun 01, 2006 9:59 pm
by tecktalkcm0391
Well, what do you suggest? I was thinking about doing the same thing with the post[ed code], but wherever the password is needed it encrypts or decrypts using the same key.

Posted: Thu Jun 01, 2006 10:09 pm
by tecktalkcm0391
Or would this be better:

Code:

<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>

Posted: Thu Jun 01, 2006 10:11 pm
by hawleyjr
Ambush Commander wrote: That's not the kind of security you are aiming for with passwords.
:wink:

Posted: Thu Jun 01, 2006 10:15 pm
by tecktalkcm0391
Then what would be the right security? Can you tell me a little more in depth, like, do this one because....

Posted: Thu Jun 01, 2006 10:17 pm
by hawleyjr
hawleyjr wrote: Neither.

Search this forum for salt, sha1 and password. BTW, none of the above are encrypted :)
Lots of repeating going on here :roll:

Posted: Thu Jun 01, 2006 11:04 pm
by tecktalkcm0391
Well sorry, I searched and didn't find anything that helped.

Posted: Thu Jun 01, 2006 11:08 pm
by hawleyjr

Posted: Thu Jun 01, 2006 11:11 pm
by tecktalkcm0391
OK cool, could I use that along with something like:

Code:

<?php 
$res = gnupg_init(); 
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC"); 
$enc = gnupg_encrypt($res, "just a test"); 
echo $enc; 
?>

Posted: Sat Jun 03, 2006 1:06 pm
by tecktalkcm0391
Can anyone tell me if that is good?

Posted: Sat Jun 03, 2006 1:49 pm
by bdlang
I think what everyone's trying to say is: forget about 'encrypting' the password, it's unnecessary. Use a HASH instead, like suggested with sha1 (although sha1 has recently been found to be not as 'secure' as thought, it's still fine for the intended purpose) with a SALT, and store the value in the database. When logging the user back in, compare the hashed password value with the SALT against the HASH stored in the database. That's it.
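
The store-and-compare flow described in the post above, as an added example that is not part of the original thread. It swaps the hand-rolled sha1-plus-salt for PHP's built-in password_hash() and password_verify() (available since PHP 5.5; the syntax here needs PHP 7.1 or later), which generate a random salt per password and embed it in the stored string. The $users array stands in for the database table, and the function names, account names and passwords are constructed for illustration.

```php
<?php
// Added example: $users is a stand-in for the database table (assumption).
$users = [];

// Registration: store only the salted hash, never the password itself.
function register_user(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm and
    // generates a fresh random salt on every call.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes the submitted password with the salt
// embedded in the stored string and compares the results in constant time.
function check_login(array &$users, string $name, string $password): bool
{
    // Unknown accounts are checked against a throwaway hash so that a
    // missing user costs about the same time as a wrong password.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);

    $known  = isset($users[$name]);
    $stored = $known ? $users[$name] : $dummy;
    $ok     = password_verify($password, $stored) && $known;

    // Upgrade the stored hash when the default algorithm or cost changes.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample accounts: two users who picked the same password.
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong guess'));
var_dump(check_login($users, 'mallory', 'placeholder'));

// Per-password salts: identical passwords produce different stored values.
var_dump($users['alice'] === $users['bob']);
```

The stored value is one-way, so nothing in the table can be turned back into the password.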

Posted: Sat Jun 03, 2006 9:05 pm
by tecktalkcm0391
The reason I am aiming for encryption is that I want the users to be able to retrieve their password, and get it sent to them.