Jump to content

Recommended Posts

i always encrypt with md5 !!!!!

 

but i also store a rand(10000,99999) on the back end in a hidden feild when a user sign up and pass it along

incase there is a javascript that can dycrypt md5 u can never be to careful !

 

// that os assuming u are talking about a login script....

if not sorry for the extra input but def md5() :)

Link to comment
https://forums.phpfreaks.com/topic/239773-password-encryption/#findComment-1231682
Share on other sites

md5 is easily broken, and sha1 is not much better. Don't use them for anything regarding security. They are useful for quick hashes for things like verifying files, but that's it.

 

As said, you don't want to encrypt passwords. You want to hash them. Hashes are one-way encryption and can not be reversed. Your best bet is to use hash_hmac with SHA-512, a unique salt and a long key.

 

If you want something secure, though, find an implementation that has already been vigorously tested. This kind of thing is very easy to get wrong.

Link to comment
https://forums.phpfreaks.com/topic/239773-password-encryption/#findComment-1231753
Share on other sites

hashing is a one way street. 

 

The password that was created upon registration is hashed and stored in the database.  Now, everytime the user signs in, that password is hashed and tested against the one existing in the database.  If they do not match- you can be sure the person trying to sign in is not using the correct password.

 

Hope that helps.

 

Link to comment
https://forums.phpfreaks.com/topic/239773-password-encryption/#findComment-1231960
Share on other sites

One more question...

 

When somebody tried to log-in, how do I compare the hashed/encrypted password to the one entered? Do I convert the one in DB back to readable characters, or convert the one entered to try to match the data in the DB?

 

you compare against the value stored in the database. since A hash only goes one way you can't decrypt it. so the only way to check is to see if the hashed user input is equal to the already hashed stored value.

 

for example.

 

$database_value = '810c01753939495f6e23632d19c10d01';

$user_input = 'fatmonkeys';

if(md5($user_input)== $database_value){
    echo 'the user input is equal to the stored value<br />
            fatmonkeys hashed with md5 is equal to:<br />
            810c01753939495f6e23632d19c10d01';
}else{
    echo 'userinput is invalid';
}

Link to comment
https://forums.phpfreaks.com/topic/239773-password-encryption/#findComment-1232037
Share on other sites

You don't encrypt passwords; you salt and hash them with the strongest hash available on your system. If SHA512 is available, use that. An example.

 

Did you read what you posted?

 

This means that for certain purposes such as digital signatures' date=' stronger algorithms like SHA-256 and SHA-512 are now being recommended. For generating password hashes, [b']SHA-1 still provides a more than adequate level of security for most applications today[/b].

 

 

md5 is easily broken, and sha1 is not much better. Don't use them for anything regarding security. They are useful for quick hashes for things like verifying files, but that's it.

 

With a salt (as you actually go onto suggest anyway), md5 and sha1 are not easily "broken". Could you elaborate on how you'd break them exactly? There's numerous threads on PHPFreaks that suggest prove the exact opposite to what you're saying.

Link to comment
https://forums.phpfreaks.com/topic/239773-password-encryption/#findComment-1232097
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.