scottjcampbell Posted January 5, 2009

Hi, I have been searching the internet for some time for an answer to this. I would like to be able to encrypt a user's password on my website, so if, for example, someone managed to access my SQL database, they would not be able to make any sense of the passwords. But I would also like to be able to view the user's password if I needed to; this could be by using PHP code to provide a key of some sort enabling me to view the password unencrypted. Is this possible? If so, I would be very grateful to anyone who helps me with this problem.

Thanks, Scott Campbell.

bluesoul Posted January 5, 2009

> Hi, I have been searching the internet for some time for an answer to this. I would like to be able to encrypt a user's password on my website, so if, for example, someone managed to access my SQL database, they would not be able to make any sense of the passwords. But I would also like to be able to view the user's password if I needed to; this could be by using PHP code to provide a key of some sort enabling me to view the password unencrypted. Is this possible? If so, I would be very grateful to anyone who helps me with this problem.
>
> Thanks, Scott Campbell.

Generally there's no reason to need to see the unencrypted passwords. MD5 is the standard encryption method for an average site (using the function md5()). When a user logs in you encrypt their attempt at the password, then compare it to the MD5 string in the database, and if it's a match you grant access.

rhodesa Posted January 5, 2009

Encrypting is one way...so no, you can't do this. If you have a way to 'decrypt' the password, a hacker can decrypt it.

What reason would you need to 'see' their password?

premiso Posted January 5, 2009

Generally passwords should be a 1-way md5 salted hash. If a user forgets their password you use a forgot password form to generate a new random one and email it to them.

However there are plenty of encrypt/decrypt functions out there...not as secure as the straight hash, but they work...

Encode: base64_encode
Decode: base64_decode

Would be the easiest/cleanest without any extra code to add to make it work.

http://www.phpbuilder.com/board/showthread.php?t=10326721

There is a thread with someone who built one, you may want to use that, I do not know. Googling "php encrypt decrypt" will pull up other scripts so you can choose.

Any type of encryption can be cracked, so I highly suggest you re-think your logic and use the md5 salted hash.

scottjcampbell (Author) Posted January 5, 2009

Thank you, I will try this and see if it works well with my login system.

Scott Campbell.

rhodesa Posted January 5, 2009

Anything that is two way, especially when it's a standard (like base64), is just obfuscating. It's as safe as using cardboard for a bulletproof shield.

You are better off trying to work around your need for getting the clear-text version of the password. If you elaborate on why you need the password, I can probably help you figure out a way around it.

scottjcampbell (Author) Posted January 5, 2009

There is no specific reason, it would just be useful to be able to view it.

rhodesa Posted January 5, 2009

> There is no specific reason, it would just be useful to be able to view it.

Well...on behalf of every future user of your site...please use a one way encryption method.

castis Posted January 5, 2009

I wrote this a while back for encrypting credit card numbers. This does everything you need it to do.

```php
<?php
/*
use as such

// this line creates a new class for you.
$Enc = new Encryption();

// this line encrypts data
$var = $Enc->Encrypt("Hello World!!!");

// this line decrypts it
echo $Enc->Decrypt($var);
*/

// Requires the mcrypt extension (removed from PHP core in 7.2).
class Encryption {

    private $Iv;
    private $Configuration = array();

    /**
     * __construct()
     *
     * Checks for a cookie on the users computer for the iv.
     * If none exists, create a new one and go with that
     *
     * @access public
     * @param object
     * @return void
     */
    function __construct() {
        $this->Configuration['Algorithm'] = 'rijndael-256';
        $this->Configuration['Cookie'] = 'mcc';
        $this->Configuration['Cookie_Timeout'] = 900;
        $this->Configuration['Key'] = 'çwmƒj0rþb@nk9£¥ph§v€x7qµ¡2';
        $this->Configuration['Mode'] = 'cbc';

        if (empty($_COOKIE[$this->Configuration['Cookie']])) {
            // if the cookie for the IV is not present
            $this->Iv = mcrypt_create_iv(
                mcrypt_get_iv_size(
                    $this->Configuration['Algorithm'],
                    $this->Configuration['Mode']),
                MCRYPT_DEV_URANDOM // read the IV from the OS random source; MCRYPT_RAND depends on rand() seeding
            ); // create an initialization vector
            setcookie(
                $this->Configuration['Cookie'],
                base64_encode($this->Iv),
                time() + $this->Configuration['Cookie_Timeout'],
                '/'
            ); // store the iv on the users computer
        } else {
            // if the cookie with the iv is on the users computer
            $this->Iv = base64_decode($_COOKIE[$this->Configuration['Cookie']]);
            // fetch the cookie from the users computer and decode it
        }
    }

    /**
     * Decrypt()
     *
     * @access public
     * @param string
     * @return mixed
     */
    function Decrypt($data) {
        // mcrypt pads the last block with NUL bytes; strip only those.
        // A bare trim() would also remove real whitespace from the data.
        return rtrim(mcrypt_decrypt(
            $this->Configuration['Algorithm'],
            $this->Configuration['Key'],
            base64_decode($data),
            $this->Configuration['Mode'],
            $this->Iv
        ), "\0");
    }

    /**
     * Encrypt()
     *
     * @access public
     * @param mixed
     * @return string
     */
    function Encrypt($data) {
        return base64_encode(
            mcrypt_encrypt(
                $this->Configuration['Algorithm'],
                $this->Configuration['Key'],
                $data,
                $this->Configuration['Mode'],
                $this->Iv
            )
        );
    }
}
?>
```

scottjcampbell (Author) Posted January 5, 2009

> > There is no specific reason, it would just be useful to be able to view it.
>
> well...on behalf of every future user of your site...please use a one way encryption method

I suppose you're right, as I have no real reason to view their passwords, the risk balanced with viewing the password is too great.

Lamez Posted January 5, 2009

So if he/she is right, then you don't have to decrypt. Hash the password with salt, then when the user goes to login, hash the entered password with the same salt for validation, and you should be fine.

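Added example, not code from any poster in this thread: the hash-at-registration, re-hash-and-compare-at-login flow described in the replies above, in PHP. It uses password_hash()/password_verify() (PHP 5.5+), which generate and store a per-password salt automatically, in place of the md5() mentioned in the thread, and it still accepts records in an assumed legacy salted-MD5 format so they can be upgraded at login; the function names, the `md5:<salt>:<hex>` record format and the sample users are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical format for an old salted-MD5 record: "md5:<salt>:<hex digest>".
function legacy_md5_record(string $password): string
{
    $salt = bin2hex(random_bytes(8));            // per-user random salt
    return 'md5:' . $salt . ':' . md5($salt . $password);
}

// Registration: keep only a one-way hash; the password itself is never stored.
function make_record(string $password): string
{
    // A fresh random salt is generated on every call and embedded in the
    // returned string together with the algorithm and cost.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login: hash the attempt with the salt from the stored record and compare.
// Returns [bool $ok, string $recordToStore].
function verify_login(string $attempt, string $record): array
{
    if (strncmp($record, 'md5:', 4) === 0) {
        [, $salt, $digest] = explode(':', $record, 3);
        // hash_equals() compares the two digests in constant time.
        if (!hash_equals($digest, md5($salt . $attempt))) {
            return [false, $record];
        }
        // Correct password on an old record: replace it with a new-style one.
        return [true, make_record($attempt)];
    }
    if (!password_verify($attempt, $record)) {
        return [false, $record];
    }
    if (password_needs_rehash($record, PASSWORD_DEFAULT)) {
        $record = make_record($attempt);         // default cost or algorithm changed
    }
    return [true, $record];
}

// Constructed sample data: one old-style record and one new-style record.
$db = [
    'alice' => legacy_md5_record('correct horse'),
    'bob'   => make_record('hunter2'),
];

foreach ([['alice', 'wrong'], ['alice', 'correct horse'], ['bob', 'hunter2']] as [$user, $attempt]) {
    [$ok, $db[$user]] = verify_login($attempt, $db[$user]);
    printf("%-5s %-14s %-4s stored=%s...\n", $user, $attempt, $ok ? 'OK' : 'FAIL', substr($db[$user], 0, 7));
}
```

Nothing in the stored record lets the site owner read a password back; a forgotten password is handled by issuing a new one, as the replies above describe.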