Encrypting passwords for database use and verifying it when logging in

[scrubbicus]

I was looking for a way to encrypt the password that's put into a database when a user signs up then whenever they're going to log back in I can decrypt it to check it against the password they entered.

 

I've been looking for a way I stumbled across md5 a lot but there were dozens of mixed opinions on whether it was one-way and your never getting back the original string or there is a way to decrypt it but no one was saying how.

 

Any help appreciated. Thanks.

[Garethp]

You can't decrypt it, but you don't need to. Do this

 

if(md5($LoginPass) == $Encryptedfromdatabased)

{

//they are the same

}

[GingerRobot]

I've been looking for a way I stumbled across md5 a lot but there were dozens of mixed opinions on whether it was one-way and your never getting back the original string or there is a way to decrypt it but no one was saying how.

 

md5 != encryption. It's a hashing algorithm. As such, it cannot be decrypted and is one-way. You may be able to use reverse-lookup tables(aka rainbow tables)/and or brute force in order to find another string generating the same hash -- but you cannot guarantee to get the original back. There was a discussion here about this too. The thread's a few pages long though, so you might get bored.

 

In short, use MD5 + a salt to secure your passwords. Then, as Garethp says, you hash the inputted password (along with the same salt) and compare it against the original.

[Daniel0]

You can't decrypt it

 

If you've encrypted something then you can decrypt it. An encryption function is by definition injective.

[GingerRobot]

You can't decrypt it

 

If you've encrypted something then you can decrypt it. An encryption function is by definition injective.

 

I'm pretty sure Gareth was talking about MD5.