I am creating something that requires a username and password.
How would I go about encrypting the passwords so that they are not stored as plain text in my database?
Would I have to write some sort of scrambling engine in my php code that encrypts the password when it is created and every time someone tries to log in? Or how would I go about implementing a MD5 encryption?
Thanks
Create encrypted password hash
Moderator: General Moderators
Re: Create encrypted password hash
"I will always use Google before asking a stupid question."
http://webcheatsheet.com/php/md5_encrypt_passwords.php
http://webcheatsheet.com/php/md5_encrypt_passwords.php
Re: Create encrypted password hash
1. You don't want to encrypt the passwords in your database, because then they could -theoretically- still be decrypted. Instead, hash the password. This is an irreversible process. And when a user enters his password, hash that and compare it to the hash in your database.
Commonly used hashing functions are md5 and sha1 (I would recommend using sha1).
2. Besides the fact that the mentioned hash functions are readily available in PHP, you don't want to write this sort of encryption / security things yourself anyway. You will make first-time mistakes, as this is very critical, complex stuff. Use widely proven, thoroughly tested, and used-in-the-field code.
3. There are some additional points to take into account, most importantly salting (and preferably peppering as well). If you google or search on this forum, you'll find more about it.
To put it briefly: instead of hashing the user's $password, hash ($password."SoMeRaNdOmStR!Ng"). That 2nd part is called 'salt', which makes it impossible for hackers to use precalculated hashes (aka rainbow tables) of dictionaties and common passwords. Pepper is a user-dependent salt, which makes it impossible to compare hashes (so somebody with access to the database couldn't see if two users happen to have the same password).
Commonly used hashing functions are md5 and sha1 (I would recommend using sha1).
2. Besides the fact that the mentioned hash functions are readily available in PHP, you don't want to write this sort of encryption / security things yourself anyway. You will make first-time mistakes, as this is very critical, complex stuff. Use widely proven, thoroughly tested, and used-in-the-field code.
3. There are some additional points to take into account, most importantly salting (and preferably peppering as well). If you google or search on this forum, you'll find more about it.
To put it briefly: instead of hashing the user's $password, hash ($password."SoMeRaNdOmStR!Ng"). That 2nd part is called 'salt', which makes it impossible for hackers to use precalculated hashes (aka rainbow tables) of dictionaties and common passwords. Pepper is a user-dependent salt, which makes it impossible to compare hashes (so somebody with access to the database couldn't see if two users happen to have the same password).
Re: Create encrypted password hash
Thanks for the info.
For Salt, do you hash $password adjoined to a common string, i.e. will every $password be attatched to the same string before hashing?
For Salt, do you hash $password adjoined to a common string, i.e. will every $password be attatched to the same string before hashing?
Re: Create encrypted password hash
A very easy and secure way of hashing passwords would be doing something like this.
This creates a random salt for all passwords.
You will need to store the salt in the database along with the hashed password for when the user logs in as the salt is generated randomly, you then compare the 2 and if they are same the user entered the correct password.
-------------------
This does however add a extra step to the process because you first need to see if the user has entered a correct username, if they have you need to pull the salt so you can use it to re-hash the password and compare them.
Code: Select all
function generateSalt()
{
$salt = rand(1000, 9999);
return $salt;
}
$salt = generateSalt();
$password = 'users password';
$encrypted_password = sha1($password.$salt);
You will need to store the salt in the database along with the hashed password for when the user logs in as the salt is generated randomly, you then compare the 2 and if they are same the user entered the correct password.
-------------------
This does however add a extra step to the process because you first need to see if the user has entered a correct username, if they have you need to pull the salt so you can use it to re-hash the password and compare them.