Encrypting passwords in PHP

[kayla]

I am creating a client zone for a company as part of a uni project.

 

I was thinking of creating a php page for employees to log in and edit or add passwords for clients.

 

My only problem comes when encrypting the passwords.

I've heard of salting and hashing but I'm not sure of what would be best to use.

The data is being accessed by the clients is on an Access db (not ideal for multiple access, i know)

 

Also, when the client logs in with their password will it automatically be recognised?

Or will i need code which de-encrypts it?

 

Sorry if I don't make much sense, but any help would be greatly appreciated! 

[oni-kun]

Hashing cannot be reversed, technically. Adding salt will remove the attacker's ability to use Rainbow tables (precalculated hash attacks basically) on the hash. It's faster and recommended to use hashing, much faster than decrypting.

<?php  
$password = 'mypassword';  
$salt=')_*]$';  
$saltedHash = md5($pass . $salt);  
echo $saltedHash;  
?>

When the user enters his password, it rehashes it, sends it to the DB and checks if the password hashes are the same. Straightforward from there.

if ( (md5($_POST['...']) . $salt) == xxxxxxxxxxxxx ) {//hash from database 
  //so on.. allow them to change their pass.
}

[kayla]

Thanks alot!

 

I wasn't sure, as when I was googling about it, I found a couple of blogs that said hashing was a bad idea but adding 'salt' seems to be a sensible idea in order to make it more secure.