Encrypting Password


scottjcampbell

Hi, I have been searching the internet for some time for an answer to this. I would like to be able to encrypt a user's password on my website, so if, for example, someone managed to access my SQL database, they would not be able to make any sense of the passwords. But I would also like to be able to view the user's password if I needed to; this could be by using PHP code to provide a key of some sort enabling me to view the password unencrypted.

 

Is this possible? If so, I would be very grateful to anyone who helps me with this problem.

 

Thanks, Scott Campbell.

Link to comment
Share on other sites


Generally there's no reason to need to see the unencrypted passwords.  MD5 is the standard encryption method for an average site (using the function md5()).  When a user logs in you encrypt their attempt at the password, then compare it to the MD5 string in the database, and if it's a match you grant access.

Link to comment
Share on other sites

Generally passwords should be a 1-way md5 salted hash. If a user forgets their password you use a forgot password form to generate a new random one and email it to them.

 

However, there are plenty of encrypt/decrypt functions out there... not as secure as the straight hash, but they work...

 

Encode: base64_encode

 

Decode: base64_decode

 

Would be the easiest/cleanest without any extra code to add to make it work.

 

http://www.phpbuilder.com/board/showthread.php?t=10326721

 

There is a thread with someone who built one, you may want to use that, I do not know. Googling "php encrypt decrypt" will pull up other scripts so you can choose.

 

 

Any type of encryption can be cracked, so I highly suggest you re-think your logic and use the md5 salted hash.

 

Link to comment
Share on other sites

anything that is two way, especially when it's a standard (like base64) is just obfuscating. it's as safe as using cardboard for a bulletproof shield.

 

you are better off trying to work around your need for getting the clear-text version of the password. if you elaborate on why you need the password, i can probably help you figure out a way around it

Link to comment
Share on other sites

i wrote this a while back for encrypting credit card numbers. this does everything you need it to do.

 

<?php

/*
use as such

// this line creates a new class for you.
$Enc = new Encryption(); 

// this line encrypts data
$var = $Enc->Encrypt("Hello World!!!");

// this line decrypts it
echo $Enc->Decrypt($var);

*/

class Encryption {

private $Iv;
private $Configuration; // declared explicitly; the constructor fills it in

/**
 * __construct()
 *
 * Checks for a cookie on the users computer for the iv.
 * If none exists, create a new one and go with that
 *
 * @access	public
 * @param	object
 * @return	void
 */
function __construct() {
	$this->Configuration = array();

	$this->Configuration['Algorithm'] = 'rijndael-256';
	$this->Configuration['Cookie'] = 'mcc';
	$this->Configuration['Cookie_Timeout'] = 900;
	$this->Configuration['Key'] = 'çwmƒj0rþb@nk9£¥ph§v€x7qµ¡2';
	$this->Configuration['Mode'] = 'cbc';

	if (empty($_COOKIE[$this->Configuration['Cookie']])) { // if the cookie for the IV is not present
		srand(); // make sure the seed is random
		$this->Iv = mcrypt_create_iv(
			mcrypt_get_iv_size(
				$this->Configuration['Algorithm'], 
				$this->Configuration['Mode']), 
			MCRYPT_RAND // this value is a shitty random value if srand isnt run on some machines
			); // create an initialization vector

		setcookie(
			$this->Configuration['Cookie'], 
			base64_encode($this->Iv),
			time() + $this->Configuration['Cookie_Timeout'],
			'/'
			); // store the iv on the users computer
	} else { // if the cookie with the iv is on the users computer
		$this->Iv = base64_decode($_COOKIE[$this->Configuration['Cookie']]); // fetch the cookie from the users computer and decode it
	}
}

/**
 * Decrypt()
 *
 * @access	public
 * @param	string
 * @return	mixed
 */
function Decrypt($data) {	
	return trim(mcrypt_decrypt(
		$this->Configuration['Algorithm'], 
		$this->Configuration['Key'], 
		base64_decode($data), 
		$this->Configuration['Mode'], 
		$this->Iv
		));
}

/**
 * Encrypt()
 *
 * @access	public
 * @param	mixed
 * @return	string
 */
function Encrypt($data) {
	return base64_encode(
			mcrypt_encrypt(
				$this->Configuration['Algorithm'], 
				$this->Configuration['Key'], 
				$data, 
				$this->Configuration['Mode'], 
				$this->Iv
			)
		); 
}

}

?>

Link to comment
Share on other sites
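For data that has to be read back (the card numbers the post above mentions, not passwords), this added example, which is not part of the original thread, swaps in libsodium's authenticated `secretbox` because the mcrypt extension was removed from PHP 7.2. It generates a fresh nonce for every message and stores it with the ciphertext instead of in a cookie. The function names `seal`/`unseal` and the demo key are assumptions.

```php
<?php
// Added example; needs the sodium extension (bundled with PHP 7.2+).
// seal()/unseal() are hypothetical names, not from the class above.

/** Encrypt $plain; returns base64(nonce || ciphertext-with-MAC). */
function seal(string $plain, string $key): string
{
    // A new random nonce per message, kept alongside the ciphertext so the
    // record can still be decrypted later and by any server holding the key.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

/** Decrypt the output of seal(); returns null if it was truncated or altered. */
function unseal(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The MAC is verified before any plaintext is returned.
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Demo key generated on the spot; a real key is loaded from outside the
// source tree (assumption: environment variable or secrets store).
$key = sodium_crypto_secretbox_keygen();

// Constructed sample input with trailing spaces, which trim() would destroy.
$msg = 'Hello World!!!  ';
$a = seal($msg, $key);
$b = seal($msg, $key);

var_dump($a !== $b);                 // same plaintext, different ciphertexts
var_dump(unseal($a, $key) === $msg); // round trip keeps the exact bytes

// Flip one bit of the stored value to simulate tampering in the database.
$raw = base64_decode($a);
$raw[30] = chr(ord($raw[30]) ^ 1);
var_dump(unseal(base64_encode($raw), $key)); // rejected by the MAC check
```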

There is no specific reason, it would just be useful to be able to view it.

 

well...on behalf of every future user of your site...please use a one way encryption method :)

I suppose you're right, as I have no real reason to view their passwords; the risk balanced with viewing the password is too great.

Link to comment
Share on other sites
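The one-way approach the thread settles on, as an added example that is not from any of the posters: it uses PHP's built-in `password_hash()`/`password_verify()`, upgrades rows that still hold the salted MD5 discussed above at the next successful login, and uses a single-use reset token in place of the emailed random password. The row layout (`hash`, `salt`), the function names and the sample values are assumptions.

```php
<?php
// Added example with a constructed in-memory record; all names are hypothetical.

/** Hash a new password; the API picks the algorithm and a random salt. */
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Check a login attempt. Legacy rows hold md5(salt . password) as 32 hex chars.
 * Returns [ok, newHash]; newHash is non-null when the row should be rewritten.
 */
function check_login(string $attempt, array $row): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $row['hash'])) {
        // Legacy salted MD5, compared in constant time.
        $ok = hash_equals($row['hash'], md5($row['salt'] . $attempt));
        // The plaintext is only available now, so upgrade on success.
        return [$ok, $ok ? store_password($attempt) : null];
    }
    $ok = password_verify($attempt, $row['hash']);
    $stale = $ok && password_needs_rehash($row['hash'], PASSWORD_DEFAULT);
    return [$ok, $stale ? store_password($attempt) : null];
}

/** Forgotten password: mail the token, store only its hash and an expiry. */
function issue_reset_token(): array
{
    $token = bin2hex(random_bytes(32));
    return ['token' => $token,
            'stored' => hash('sha256', $token),
            'expires' => time() + 3600];
}

function redeem_reset_token(string $token, array $rec): bool
{
    return time() < $rec['expires']
        && hash_equals($rec['stored'], hash('sha256', $token));
}

// Constructed legacy row: salt "x9", password "hunter2".
$legacy = ['salt' => 'x9', 'hash' => md5('x9' . 'hunter2')];
[$ok, $upgraded] = check_login('hunter2', $legacy);
var_dump($ok, password_verify('hunter2', $upgraded));

[$bad] = check_login('wrong', ['hash' => $upgraded]);
$reset = issue_reset_token();
var_dump($bad, redeem_reset_token($reset['token'], $reset));
```

Nothing in this flow can return the original password, so an administrator who needs to help a user issues a reset rather than looking the password up.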
