Lone_Ranger Posted December 25, 2013

```php
<?php
session_start();
ob_start();

// *host detail stuff here* ($host, $dbusername, $password, $db_name, $tbl_name)

mysql_connect($host, $dbusername, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// strip magic-quotes slashes first, then escape for the query
$username = mysql_real_escape_string(stripslashes($_POST['username']));
$password = mysql_real_escape_string(stripslashes($_POST['password']));

$sql = "SELECT * FROM $tbl_name WHERE username = '$username' AND password = '$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);

if ($count == 1) {
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header('Location: login_success.php');
    exit;
} else {
    include("top.php");
    include("style.css");
    echo "<p align=\"center\"><font size=\"2\">Login Failed. "
       . "<a href=\"http://www.sentuamessage.com/login.php\">Please Try Again</a></font></p>";
    include("bottom.php");
}

ob_end_flush();
```

Right now with this code my password is exposed in the database, showing in its column as "Example1". Instead I want it cryptic or more secure. I heard MD5 is a terrible choice to make for passwords, so what option would be better and how would I implement it? (I haven't made a register page yet.)
jcbones Posted December 25, 2013

I suggest mcrypt. There are plenty of examples at the link.
gizmola Posted December 25, 2013 (Solution)

In my opinion, the best solution is not to encrypt the password but to hash it. A hash cannot be decrypted. As entire books have been written on this subject, and it's non-trivial, I'll try and limit myself to a few comments.

md5 is one such hash, and is not a terrible choice if you take other precautions; however, there are better hashes available -- sha1 for example. It's very important that you use a salt when you're hashing the password.

The best practice lately is that you hash or encrypt passwords using a large number of repeated operations. For example, rather than hash the password once, you might hash it 500x, using the result and re-hashing it over and over again. This slows down the operation, so that people attempting brute-force hacks, or who compromise your entire user table, will face a substantial barrier to utilizing a rainbow table and determining simple matches.

In your code, I'd suggest you write a simple function that does the hashing routine. As input it requires the username, the password, the salt, and a randomly generated number of hash operations to be repeated. Of course you need to generate and store all these in your user table, so this will require some modifications and some routines that will generate random numbers in a range, and random strings to use as salts. You then compare the stored password with this result and if == the user has authenticated.

Do not store the password in the session.
AJinNYC Posted December 26, 2013 (edited)

To chime in, my suggestion would be to use SHA-384 or SHA-512 (both considered to be SHA2). They're more secure than SHA1. You would use the PHP function hash_hmac and set the algorithm input to SHA-384 or SHA-512. http://www.php.net/manual/en/function.hash-hmac.php

Edited December 26, 2013 by AJinNYC
trq Posted December 26, 2013

If you're using PHP 5.5, just use the new password hashing extension: http://php.net/password

Else, use the compat library: https://github.com/ircmaxell/password_compat
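An added example (not code from any poster in this thread) of what the password_hash()/password_verify() route looks like when applied to the original login flow: the password never goes into the SQL query, the hash carries its own random salt and cost, and only the user id is kept in the session. It assumes a PDO connection and a `users` table with `id`, `username` and `password_hash` columns, which the thread does not specify.

```php
<?php
// Example for PHP >= 5.5 (or password_compat on older PHP).
// Assumed schema: users(id INT, username VARCHAR, password_hash VARCHAR(255)).
// A 255-char column leaves room for future algorithms chosen by PASSWORD_DEFAULT.

define('HASH_COST', 12); // bcrypt work factor; raise it as hardware gets faster

// Registration: store only the salted, iterated hash, never the password itself.
function register_user(PDO $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => HASH_COST));
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

// Login: look the row up by username only, then verify against the stored hash.
// Returns the user id on success, or false on failure.
function login_user(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same answer for unknown user and wrong password
    }
    // Transparently upgrade old hashes when the cost or algorithm changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, array('cost' => HASH_COST))) {
        $new = password_hash($password, PASSWORD_DEFAULT, array('cost' => HASH_COST));
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute(array($new, $row['id']));
    }
    return (int) $row['id'];
}

// Usage in the login page (assumed $db is an open PDO connection):
session_start();
$userId = login_user($db, $_POST['username'], $_POST['password']);
if ($userId !== false) {
    session_regenerate_id(true);     // new session id after privilege change
    $_SESSION['user_id'] = $userId;  // id only; no password or hash in the session
    header('Location: login_success.php');
    exit;
}
echo 'Login failed.';
```

With this in place the SQL in the original post no longer needs the password at all, and the `$_SESSION['password']` line can simply be deleted.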
gizmola Posted December 26, 2013

I hope you evaluate the advice from AJinNYC and trq, as they both provided great suggestions. Obviously, the larger the hash, the more characters you have to store in your table for the password, but that shouldn't be a concern.