password encryption


6 replies to this topic

#1 Woodburn2006

Woodburn2006
  • Members
  • Advanced Member
  • 214 posts

Posted 13 August 2006 - 07:29 PM

I am doing a login system for a content management page and I was just wondering what the best way of encrypting passwords is. I have read various methods but I was just wondering if anybody could give me any pointers.

Thanks

#2 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 13 August 2006 - 08:19 PM

There's always a safer and better way. The ordinary way is using functions like md5() or sha1() on the passwords.
Sometimes people add "salts". A "salt" is a string added to every password before encrypting it. An example:
$salt="gjfgwoeaq";
$hash=md5($salt.$password);

This makes the password encryption better.

Orio.
Think you're smarty?

(Gone until 20 to November)

#3 Woodburn2006

Woodburn2006
  • Members
  • Advanced Member
  • 214 posts

Posted 13 August 2006 - 08:23 PM

Cool, so once the password is encrypted, how do I use that?

Say somebody uses the password 'password'. How will it be stored in the database and how will I have it decrypted?

#4 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 13 August 2006 - 08:29 PM

That's the nice thing about md5/sha1 and others. It can't be directly decrypted, it's a one-way trip :D It can only be guessed.
Let's say someone uses the pass "password". On the first time he registers, you store in the database md5("password"). Every time he wants to log in, you check if the encryption of the password entered is in the database. If the encryption of the password the user currently entered is the same as the one in the database, that means that the original passwords (before the encryption) are the same :)

Orio.

#5 Pudgemeister

Pudgemeister
  • Members
  • Advanced Member
  • 94 posts
  • Location: Cornwall, England, UK

Posted 13 August 2006 - 08:38 PM

This has helped me a lot, peeps. Thanks for posting this topic.

#6 Woodburn2006

Woodburn2006
  • Members
  • PipPipPip
  • Advanced Member
  • 214 posts

Posted 13 August 2006 - 08:48 PM

So when he comes to log in and he types 'password' in the password box, would I then just compare what he has entered to what is in the DB and that would work, or do I need to compare what he enters to md5("pass from DB")?

#7 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 13 August 2006 - 08:50 PM

No. The password in the db was already encrypted when he registered. Each time he logs in, we md5 his pass and then compare.

Orio.
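The register-then-compare flow described in this thread, as an added example that is not part of the original posts: it puts the thread's md5-plus-fixed-salt scheme beside PHP's built-in password_hash() and password_verify(), which use a random salt per password and a deliberately slow algorithm. The function names, the in-memory $db array and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example. $db stands in for a users table (assumption).
$db = [];

// Scheme from the thread: one fixed salt, fast MD5 digest.
function legacy_hash(string $password): string {
    $salt = "gjfgwoeaq";              // same salt for every user
    return md5($salt . $password);
}

// Registration: store only the hashes, never the plaintext.
function register(array &$db, string $user, string $password): void {
    $db[$user] = [
        'legacy' => legacy_hash($password),
        // password_hash() picks a random salt and keeps it, together
        // with the algorithm and cost, inside the returned string.
        'modern' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Login: hash what was typed and compare it with the stored value.
function login_legacy(array $db, string $user, string $password): bool {
    if (!isset($db[$user])) return false;
    // hash_equals() compares the two strings in constant time.
    return hash_equals($db[$user]['legacy'], legacy_hash($password));
}

function login_modern(array $db, string $user, string $password): bool {
    if (!isset($db[$user])) return false;
    // password_verify() reads the salt and cost back out of the hash.
    return password_verify($password, $db[$user]['modern']);
}

// Constructed sample accounts: two users who chose the same password.
register($db, 'alice', 'password');
register($db, 'bob', 'password');

var_dump(login_legacy($db, 'alice', 'password'));   // correct password
var_dump(login_modern($db, 'alice', 'password'));   // correct password
var_dump(login_modern($db, 'alice', 'Password'));   // wrong password

// With a fixed salt, equal passwords produce equal stored hashes, so one
// guessed password exposes every account sharing it. Per-password salts
// make the two stored values differ.
var_dump($db['alice']['legacy'] === $db['bob']['legacy']);
var_dump($db['alice']['modern'] === $db['bob']['modern']);
```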



