Encrypting passwords with mySQL/PHP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

Post by kkonline »

Can we please discuss some methods to encrypt a password before storing it in the database?

For example, sha1, md5 and more ways... and are they one-way encryptable, or can they be decrypted too?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Hashing is one-way only. That's exactly what you want. We've discussed it many times before. Have you read previous threads on hashing and md5/sha1/sha256/etc...?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

baileylo
Forum Newbie
Posts: 13
Joined: Sun Sep 30, 2007 12:48 am

Post by baileylo »

feyd wrote: Hashing is one-way only. That's exactly what you want. We've discussed it many times before. Have you read previous threads on hashing and md5/sha1/sha256/etc...?
May be one way, but still
sha1: http://www.schneier.com/blog/archives/2 ... roken.html
md5: http://www.schneier.com/blog/archives/2 ... ollis.html

But chances are, the fact that there are these errors, you'll be fine. Also try this:

Code:

base64_encode(sha1($thepassword))
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The breaking of sha1 and md5 was discussed in the previous threads, if one read them.

As for base64_encode() of a hash... what's the point? Especially of a hex string.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

@baileylo: Nothing is perfect, but even MD5 can be strong if you salt / pepper correctly, as rainbow tables wouldn't work as well. Of course, we have better hashing algorithms, so there's no need to bother with older ones.
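
Added example, not part of any post in this thread: a PHP 7+ sketch contrasting the unsalted `sha1()` / `base64_encode()` suggestion with a peppered, per-password-salted hash using PHP's built-in `password_hash()` and `password_verify()`. The function names, the `$pepper` value and the sample password are constructed for illustration.

```php
<?php
// Added example; all sample values below are constructed, not from the thread.
$password = 'correct horse battery staple';  // constructed sample password
$pepper   = 'app-wide-secret-from-config';   // placeholder; keep it outside the database

// 1. Unsalted fast hash: the same password always produces the same digest,
//    so one precomputed (rainbow) table applies to every row in the table.
$same = (sha1($password) === sha1($password));

// 2. base64 over the hex digest is a reversible re-encoding, not extra secrecy:
//    anyone holding the stored value recovers the sha1 digest with one call.
$wrapped   = base64_encode(sha1($password));
$recovered = (base64_decode($wrapped) === sha1($password));

// 3. Pepper, then a slow hash with a random per-password salt.
function apply_pepper(string $password, string $pepper): string
{
    // Hex HMAC-SHA256 is 64 characters, under bcrypt's 72-byte input limit.
    return hash_hmac('sha256', $password, $pepper);
}

function hash_for_storage(string $password, string $pepper): string
{
    // password_hash() generates the salt itself and embeds it in its output.
    // The PHP manual recommends a 255-character column for the result.
    return password_hash(apply_pepper($password, $pepper), PASSWORD_DEFAULT);
}

function check_login(string $password, string $stored, string $pepper): bool
{
    return password_verify(apply_pepper($password, $pepper), $stored);
}

$row1 = hash_for_storage($password, $pepper);
$row2 = hash_for_storage($password, $pepper);

var_dump($same, $recovered);                           // weaknesses of 1 and 2
var_dump($row1 === $row2);                             // two rows, same password
var_dump(check_login($password, $row1, $pepper));      // correct password
var_dump(check_login('wrong guess', $row1, $pepper));  // wrong password

// 4. On a successful login, upgrade the stored hash if the defaults have changed.
if (password_needs_rehash($row1, PASSWORD_DEFAULT)) {
    $row1 = hash_for_storage($password, $pepper);      // then UPDATE the user's row
}
```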