HDFilmMaker2112 Posted June 19, 2011

What would be the best password encryption to use... I've seen MD5, SHA1, SHA256, and SHA512, but I've recently seen posts suggesting that bcrypt or CRYPT_BLOWFISH is a better method? This will be my first attempt at password encryption.

Thread: https://forums.phpfreaks.com/topic/239773-password-encryption/
YoungNate_Black_coder Posted June 19, 2011

I always encrypt with md5!!!!! But I also store a rand(10000,99999) on the back end in a hidden field when a user signs up and pass it along in case there is a JavaScript that can decrypt md5. You can never be too careful! // That is assuming you are talking about a login script.... if not, sorry for the extra input, but definitely md5()
boompa Posted June 19, 2011

You don't encrypt passwords; you salt and hash them with the strongest hash available on your system. If SHA512 is available, use that. An example.
redixx Posted June 19, 2011

md5 is easily broken, and sha1 is not much better. Don't use them for anything regarding security. They are useful for quick hashes for things like verifying files, but that's it.

As said, you don't want to encrypt passwords. You want to hash them. Hashes are one-way encryption and cannot be reversed. Your best bet is to use hash_hmac with SHA-512, a unique salt and a long key. If you want something secure, though, find an implementation that has already been vigorously tested. This kind of thing is very easy to get wrong.
boompa Posted June 19, 2011

To expand on redixx's excellent suggestion, try phpass.
HDFilmMaker2112 (Author) Posted June 19, 2011

One more question... When somebody tries to log in, how do I compare the hashed/encrypted password to the one entered? Do I convert the one in the DB back to readable characters, or convert the one entered to try to match the data in the DB?
meltingpoint Posted June 19, 2011

Hashing is a one-way street. The password that was created upon registration is hashed and stored in the database. Now, every time the user signs in, that password is hashed and tested against the one existing in the database. If they do not match, you can be sure the person trying to sign in is not using the correct password. Hope that helps.
cssfreakie Posted June 20, 2011

> One more question... When somebody tries to log in, how do I compare the hashed/encrypted password to the one entered? Do I convert the one in the DB back to readable characters, or convert the one entered to try to match the data in the DB?

You compare against the value stored in the database. Since a hash only goes one way, you can't decrypt it. So the only way to check is to see if the hashed user input is equal to the already hashed stored value. For example:

```php
<?php
// Hash of the stored password (an unsalted MD5, as in the post) and the value the user submitted.
$database_value = '810c01753939495f6e23632d19c10d01';
$user_input = 'fatmonkeys';

// Hash the submitted value and compare hash to hash; the stored hash is never reversed.
// Use === rather than ==: PHP's loose comparison treats hex strings such as "0e12..."
// as numbers, so two different hashes can compare equal with ==.
if (md5($user_input) === $database_value) {
    echo 'the user input is equal to the stored value<br />',
         'fatmonkeys hashed with md5 is equal to:<br />',
         '810c01753939495f6e23632d19c10d01';
} else {
    echo 'userinput is invalid';
}
```
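The same compare-hash-to-hash flow, written the way the thread's advice points (bcrypt/CRYPT_BLOWFISH, a per-user random salt, a tested implementation rather than a home-grown one), as an added example that is not code from any post above. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which generate and store the salt inside the hash string and superseded phpass for this job. The users array, usernames and passwords are constructed stand-ins for a real table; the legacy-MD5 branch shows how to migrate rows hashed the way the previous post does.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread): registration and login with
// password_hash()/password_verify(), which wrap bcrypt (CRYPT_BLOWFISH).
// The "database" is a constructed in-memory array standing in for a users table.

const BCRYPT_COST = 12; // work factor: tune so one hash takes roughly 100-250 ms on your hardware

/**
 * Store a new user. The returned string "$2y$12$<22-char salt><31-char hash>"
 * carries algorithm, cost and salt, so nothing else needs a separate column.
 */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Verify a login attempt. Nothing is decrypted: the submitted password is hashed
 * with the salt taken from the stored string and the two hashes are compared.
 */
function loginUser(array &$users, string $username, string $password): bool
{
    // A hash computed once and reused for unknown usernames, so a lookup miss
    // costs the same time as a real verification (no username enumeration by timing).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    $stored = $users[$username] ?? $dummyHash;

    // Legacy rows that still hold an unsalted 32-hex-char MD5 are checked the old
    // way (constant-time compare) and upgraded below once the password is known good.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);

    if (!$ok || !isset($users[$username])) {
        return false;
    }

    // Transparent upgrade: the plaintext is available only during a successful
    // login, so this is the moment to move legacy or under-cost hashes to current policy.
    if ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Constructed data: one legacy user still on unsalted MD5, one freshly registered user.
$users = ['legacy_bob' => md5('fatmonkeys')];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));
var_dump(loginUser($users, 'legacy_bob', 'fatmonkeys'));
// After that successful login the legacy row has been rewritten as a bcrypt hash.
var_dump(strncmp($users['legacy_bob'], '$2y$', 4) === 0);
```

The cost parameter is the part worth revisiting over time: bcrypt's cost is a power of two, so raising it by one doubles the work for both your login page and an attacker, and password_needs_rehash() lets you raise it without forcing a password reset.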
Adam Posted June 20, 2011

> You don't encrypt passwords; you salt and hash them with the strongest hash available on your system. If SHA512 is available, use that. An example.

Did you read what you posted?

> This means that for certain purposes such as digital signatures, stronger algorithms like SHA-256 and SHA-512 are now being recommended. For generating password hashes, SHA-1 still provides a more than adequate level of security for most applications today.

> md5 is easily broken, and sha1 is not much better. Don't use them for anything regarding security. They are useful for quick hashes for things like verifying files, but that's it.

With a salt (as you actually go on to suggest anyway), md5 and sha1 are not easily "broken". Could you elaborate on how you'd break them exactly? There are numerous threads on PHPFreaks that prove the exact opposite of what you're saying.
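The disagreement between redixx's post and Adam's post comes down to what a salt does and does not buy. The following added example (not code from either post) makes that concrete: a "leaked" salted-MD5 hash and a leaked bcrypt hash are both attacked offline with a dictionary. The salt defeats precomputed rainbow tables and forces each user to be attacked separately, but an attacker who has the database has the salt too, and MD5 is fast enough that guesses cost almost nothing (a single PHP thread manages millions per second; GPU crackers manage billions). bcrypt's work factor is what changes that arithmetic. The wordlist, salt and victim password are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not code from the thread): offline guessing against a leaked
// salted-MD5 hash versus a leaked bcrypt hash. All inputs below are constructed.

$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'fatmonkeys', 'dragon'];
$victimPassword = 'fatmonkeys';

// What leaks from the database: the per-user salt is stored beside the hash,
// so the attacker has both. Per-guess cost is one MD5 over salt||password.
$salt = bin2hex(random_bytes(8));
$leakedMd5 = md5($salt . $victimPassword);
// Same password stored with bcrypt; the salt and cost are inside the string.
$leakedBcrypt = password_hash($victimPassword, PASSWORD_BCRYPT, ['cost' => 12]);

/** Dictionary attack on MD5(salt||password). Returns [password or null, guesses made]. */
function crackSaltedMd5(string $salt, string $target, array $wordlist): array
{
    $guesses = 0;
    foreach ($wordlist as $word) {
        $guesses++;
        if (hash_equals($target, md5($salt . $word))) {
            return [$word, $guesses];
        }
    }
    return [null, $guesses];
}

/** The same dictionary attack on bcrypt; every guess pays the full work factor. */
function crackBcrypt(string $target, array $wordlist): array
{
    $guesses = 0;
    foreach ($wordlist as $word) {
        $guesses++;
        if (password_verify($word, $target)) {
            return [$word, $guesses];
        }
    }
    return [null, $guesses];
}

/** Rough guesses per second for one scheme on this machine (single PHP thread). */
function guessRate(callable $oneGuess, int $iterations): float
{
    $start = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $oneGuess();
    }
    return $iterations / (microtime(true) - $start);
}

// Both attacks succeed with the same number of guesses; what differs is the price per guess.
[$found, $n] = crackSaltedMd5($salt, $leakedMd5, $wordlist);
printf("salted MD5: recovered %s after %d guesses\n", var_export($found, true), $n);

[$found, $n] = crackBcrypt($leakedBcrypt, $wordlist);
printf("bcrypt:     recovered %s after %d guesses\n", var_export($found, true), $n);

$md5Rate = guessRate(function () use ($salt) { md5($salt . 'guess'); }, 200000);
$bcryptRate = guessRate(function () use ($leakedBcrypt) { password_verify('guess', $leakedBcrypt); }, 5);
printf("guesses/second: MD5 %.0f, bcrypt(cost 12) %.2f, ratio %.0fx\n",
    $md5Rate, $bcryptRate, $md5Rate / $bcryptRate);
```

Read the last line of output as the attacker's budget: with a salted fast hash, each weak password in the table falls to a cheap dictionary run, so the salt protects only users whose passwords are not in any list; with bcrypt, the same list costs the attacker several orders of magnitude more per user.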
HDFilmMaker2112 (Author) Posted June 20, 2011

Alright... I made my own cipher that converts the password to another string... then from there I'm going to use MD5 + salt, and then SHA512 on the MD5 hash... or would this be complete overkill?

```php
hash('sha512', (md5s(cipher($string))))
```