I was wanting to encrypt / decrypt some passwords for my php cms. I am aware that php has its own function, but you can also get scripts which do a fine job.
I know that these are available as part of the php system...
* CRYPT_STD_DES - Standard DES-based encryption
* CRYPT_EXT_DES - Extended DES-based encryption
* CRYPT_MD5 - MD5 encryption
* CRYPT_BLOWFISH - Blowfish encryption
... but being part of the system makes it a bit vulnerable, doesn't it?
If you take the approach of using a script with a key, all someone needs to do is find the key. But at the same time, I would imagine that trying to decrypt a password that is made with a non-system script would be a touch harder?
Can anyone shed some light on what the best method is? I'm a bit of a newbie.
Cheers,
Doug
Last edited by Benjamin on Mon May 18, 2009 9:43 am, edited 1 time in total.
Reason:Fixed List BB code.
You should NOT write an encryption algorithm yourself, or use some obscure library instead of the default implementations. First of all 'security through obscurity' is a bad idea. Second, you will make mistakes, most likely resulting in security holes.
There's absolutely nothing wrong with using common, known, standard encryption methods. In fact, the more known and used, the better, because it means they have been thoroughly tested and proven in the field.
The strength of all major common encryption methods is that they're open, clean, simple, and known to be hard (as in, not in a lifetime) to crack.
The thing about MD5 is that it's a hashing algorithm rather than 2 way encryption.
This means what you input gets 'hashed' into a string that you can then compare the original value to. There's theoretically no way to recover this value from the string alone.
I think what you need is actual encryption and decryption.
If you are going to use md5 to store passwords, for example, do not rely only on MD5.
* Use the so-called HMAC md5 instead (md5 with a key; you will easily find implementations of this, or P.M. me and I'll send you one)
* Or just concatenate the md5() with some random string, that is also saved in the database, and save md5() of the resulting string
In this way you not only protect passwords from being decrypted (as md5 is one-way crypting, known as hashing), but from brute-force as well.
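An added example, not part of any post above and not code from the posters: the two approaches listed in the last reply (HMAC-MD5 with a key, and md5 combined with a stored random string) next to PHP's `password_hash()`, which uses the CRYPT_BLOWFISH method named in the first post. The function names, the demo key and the sample passwords are constructed for illustration.

```php
<?php
// Added example; all function names and sample values are hypothetical.

// Second bullet: md5(password) concatenated with a random per-user string,
// then md5() of the result. Both the string and the hash are stored.
function make_salted_md5(string $password): array {
    $salt = bin2hex(random_bytes(16));            // random string saved with the user
    return ['salt' => $salt, 'hash' => md5(md5($password) . $salt)];
}

function check_salted_md5(string $password, array $row): bool {
    $candidate = md5(md5($password) . $row['salt']);
    return hash_equals($row['hash'], $candidate); // constant-time comparison
}

// First bullet: HMAC-MD5, keyed with a secret kept outside the database.
function make_hmac_md5(string $password, string $key): string {
    return hash_hmac('md5', $password, $key);
}

// The system's Blowfish-based method (CRYPT_BLOWFISH) through password_hash():
// the salt and cost are generated and embedded in the returned string.
function make_bcrypt(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constructed sample data: two users who chose the same password.
$alice = make_salted_md5('correct horse');
$bob   = make_salted_md5('correct horse');
var_dump($alice['hash'] === $bob['hash']);        // compares the two stored hashes
var_dump(check_salted_md5('correct horse', $alice));
var_dump(check_salted_md5('wrong guess', $alice));

$key = 'constructed-demo-key';                    // placeholder, not a real secret
var_dump(hash_equals(make_hmac_md5('correct horse', $key),
                     make_hmac_md5('correct horse', $key)));

$stored = make_bcrypt('correct horse');
var_dump(substr($stored, 0, 4));                  // format prefix of the stored string
var_dump(password_verify('correct horse', $stored));
var_dump(password_verify('wrong guess', $stored));
```

The `cost` option sets how much work each bcrypt guess takes, which the md5-based variants have no equivalent for.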