Create encrypted password hash

swraman
Forum Commoner
Posts: 58
Joined: Thu Nov 06, 2008 12:33 am

Create encrypted password hash

Post by swraman »

I am creating something that requires a username and password.

How would I go about encrypting the passwords so that they are not stored as plain text in my database?

Would I have to write some sort of scrambling engine in my php code that encrypts the password when it is created and every time someone tries to log in? Or how would I go about implementing a MD5 encryption?

Thanks
swraman
Forum Commoner
Posts: 58
Joined: Thu Nov 06, 2008 12:33 am

Re: Create encrypted password hash

Post by swraman »

"I will always use Google before asking a stupid question."

http://webcheatsheet.com/php/md5_encrypt_passwords.php
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Create encrypted password hash

Post by Apollo »

1. You don't want to encrypt the passwords in your database, because then they could -theoretically- still be decrypted. Instead, hash the password. This is an irreversible process. And when a user enters his password, hash that and compare it to the hash in your database.

Commonly used hashing functions are md5 and sha1 (I would recommend using sha1).

2. Besides the fact that the mentioned hash functions are readily available in PHP, you don't want to write this sort of encryption / security things yourself anyway. You will make first-time mistakes, as this is very critical, complex stuff. Use widely proven, thoroughly tested, and used-in-the-field code.

3. There are some additional points to take into account, most importantly salting (and preferably peppering as well). If you google or search on this forum, you'll find more about it.
To put it briefly: instead of hashing the user's $password, hash ($password."SoMeRaNdOmStR!Ng"). That 2nd part is called 'salt', which makes it impossible for hackers to use precalculated hashes (aka rainbow tables) of dictionaries and common passwords. Pepper is a user-dependent salt, which makes it impossible to compare hashes (so somebody with access to the database couldn't see if two users happen to have the same password).
swraman
Forum Commoner
Posts: 58
Joined: Thu Nov 06, 2008 12:33 am

Re: Create encrypted password hash

Post by swraman »

Thanks for the info.

For Salt, do you hash $password adjoined to a common string, i.e. will every $password be attached to the same string before hashing?
ioan1k
Forum Newbie
Posts: 8
Joined: Thu Nov 06, 2008 12:48 pm

Re: Create encrypted password hash

Post by ioan1k »

A very easy and secure way of hashing passwords would be doing something like this.

Code:

function generateSalt()
{
    // four-digit number, so only 9000 distinct salts are possible
    $salt = rand(1000, 9999);
    return $salt;
}

$salt = generateSalt();
$password = 'users password';
// salt is appended to the password before hashing; both $salt and this hash get stored
$encrypted_password = sha1($password.$salt);

This creates a random salt for all passwords.

You will need to store the salt in the database along with the hashed password for when the user logs in, as the salt is generated randomly; you then compare the two, and if they are the same the user entered the correct password.

-------------------

This does however add an extra step to the process, because you first need to see if the user has entered a correct username; if they have, you need to pull the salt so you can use it to re-hash the password and compare them.
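The register-then-verify flow described in this thread (per-user random salt stored beside the hash, salt pulled back at login to re-hash and compare), written out as an added example; this is not the poster's code. It assumes PHP 7 or later (for random_bytes and hash_equals) and uses a plain array as a constructed stand-in for the users table.

```php
<?php
// Added example: per-user salt, registration and login check.
// $users is a constructed in-memory stand-in for the database table.

function generateSalt(): string
{
    // 16 bytes from the CSPRNG, hex-encoded: a far larger space than rand(1000, 9999)
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string
{
    // sha1 kept only to match the thread; see the note below the block
    return sha1($salt . $password);
}

function registerUser(array &$users, string $username, string $password): void
{
    $salt = generateSalt();
    // The salt is stored next to the hash because it is needed again at login
    $users[$username] = ['salt' => $salt, 'hash' => hashPassword($password, $salt)];
}

function verifyLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false; // unknown username: nothing to compare against
    }
    $row = $users[$username];
    // Re-hash the supplied password with the stored salt; hash_equals avoids a timing side channel
    return hash_equals($row['hash'], hashPassword($password, $row['salt']));
}

$users = [];
registerUser($users, 'alice', 'correct horse');
registerUser($users, 'bob', 'correct horse');

// Same password, different salts, so the stored hashes differ
var_dump($users['alice']['hash'] !== $users['bob']['hash']);
// Correct password, wrong password, unknown user
var_dump(verifyLogin($users, 'alice', 'correct horse'));
var_dump(verifyLogin($users, 'alice', 'wrong'));
var_dump(verifyLogin($users, 'mallory', 'correct horse'));
```

On PHP 5.5 or later, password_hash() and password_verify() generate the salt and use a deliberately slow hash (bcrypt), and should be preferred over a salted sha1 like the one above.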
swraman
Forum Commoner
Posts: 58
Joined: Thu Nov 06, 2008 12:33 am

Re: Create encrypted password hash

Post by swraman »

Thanks 8)