Yeodan Posted May 1, 2009

I'm making a fantasy mmorpg browser game. I've read all kinds of things about security and encrypting passwords. I'm just wondering which method is best for encrypting my passwords? Or what are the advantages/disadvantages of each method?
Vermillion Posted May 1, 2009

Are you sure you want to encrypt passwords? Because the best move is usually to hash the passwords (hashing passwords and encrypting them are different things). There are 2 PHP functions that can hash passwords: sha1() and md5(). If I remember correctly, sha1() uses a 64-bit (or less?) hashing algorithm, whereas md5() uses 128 bits, if I remember correctly. I always heard that md5() was safer, so I always use that one.
the182guy Posted May 1, 2009

Depends what functionality you want to achieve. Do you want to be able to decrypt the password? Also depends on what methods are available to you. The most common method for this is to use a message digest algorithm to encode the password. Use the hash_algos() function to get a list of message digest (only one way - no decryption) algorithms available on your installation. The most common is MD5 or SHA. These will turn your password into a seemingly random string; they are designed to be one-way. SHA1 in my experience is particularly weak. However you can use SHA256 or SHA512.
awpti Posted May 1, 2009

Easiest method is md5(). It's a one-way hash and is secure enough for most purposes. If you want true security, wrap the password in a 128 char "key", e.g.:

keyprefix_password_keypostfix

This makes your md5()'d password damned near unbreakable. Caveat: if you lose either key, all users will have to reset their passwords.
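An added example, not part of any post in this thread: the keyprefix_password_keypostfix md5() scheme from the last reply next to PHP's built-in password_hash()/password_verify() (PHP 5.5+, not mentioned in the thread), with a login check that upgrades legacy records. The key values, function names and sample passwords are constructed for illustration.

```php
<?php
// Added example; key values and function names are hypothetical.
const KEY_PREFIX  = 'constructed-prefix-value';   // constructed sample, not a real key
const KEY_POSTFIX = 'constructed-postfix-value';  // constructed sample, not a real key

// The scheme described in the thread: md5 over keyprefix_password_keypostfix.
function legacy_hash(string $password): string
{
    return md5(KEY_PREFIX . '_' . $password . '_' . KEY_POSTFIX);
}

/**
 * Check a login against a stored record.
 * Returns false on mismatch, a new record (string) when the stored one
 * should be replaced, or null when the stored record can stay as it is.
 */
function verify_and_upgrade(string $password, string $stored)
{
    // A bare 32-character hex string is treated as a legacy md5 record.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, legacy_hash($password))) {
            return false;
        }
        // Re-hash with a per-record salt and a tunable work factor.
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
}

// Constructed sample records: two users who chose the same password.
$alice = legacy_hash('correct horse');
$bob   = legacy_hash('correct horse');
var_dump($alice === $bob);   // compares the two legacy records

$aliceNew = verify_and_upgrade('correct horse', $alice);
$bobNew   = verify_and_upgrade('correct horse', $bob);
var_dump($aliceNew === $bobNew);   // compares the two upgraded records

var_dump(verify_and_upgrade('wrong guess', $alice));       // failed login
var_dump(verify_and_upgrade('correct horse', $aliceNew));  // already upgraded
```

Under the shared site-wide key, equal passwords produce equal stored values, while each password_hash() record embeds its own random salt and cost setting.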
Archived
This topic is now archived and is closed to further replies.