cloudll Posted January 14, 2012

Hi guys, this may be a really stupid question, but I'm pretty stupid so please bear with me. I'm currently using this bit of code to encrypt and decrypt my passwords:

    $cleanpw = crypt(md5($pw), md5($user));

I want to crypt my passwords without the $user variable. I tried a few different ways of changing the code with no luck. When I used:

    $cleanpw = crypt(md5($pw));

it put an encrypted password into my database, but when I tried to log in and decrypt it, it doesn't compare properly and just spits out the wrong password error.
Muddy_Funster Posted January 14, 2012

OK, to the best of my knowledge md5 is a one way encryption. The problem you are having is that crypt requires a second string as a salt. Simply use md5($password) if you don't want to use a salt, although I strongly recommend that you keep a salt in place.
gizmola Posted January 14, 2012

This is not encryption/decryption; you are using a series of redundant one way hashes. A hash can not be "decrypted". All you can do is accept input, perform the same hash, and then compare the generated hash with the saved hash. This is often preferred over actual encryption/decryption because a hash can not be reversed, so if your system is compromised, the user's original passwords can not be easily discovered, and if it is a good password (not based on a real word, name or phrase) it most probably can not be found out.

There is a technique where people can use a large file of typical passwords and generate all the hashes, using that to compare to stored passwords. To combat this, people use a "salt", which is some additional input added to the original input that is meant to deter people who compromise the system from comparing the stored passwords to their rainbow table of precomputed hash values. Let's say your password is 'password'. Every rainbow table is going to have already generated the hash value for 'password'. However, if a salt was used:

    $password = 'password'; // bad password, but users do this stupid stuff all the time
    $salt = 'this is a 34343really 783 good salt ok?';
    $hashpw = crypt($password, $salt);

The difficulty with this method is that you need to store both the password AND the salt used to generate it in your database record, so that you can duplicate the operation when it's time to accept user input and generate a hash to compare with the stored hash. Many people will do this, or use something else in the user record as the salt.
In fact you could easily use the password itself as the basis for a salt:

    $cleanpw = crypt($pw, md5($pw));

Now to check the pw:

    // recompute the hash from the submitted password, using the same salt rule,
    // and compare it strictly against the stored value
    if ($storedpw === crypt($_POST['password'], md5($_POST['password']))) {
        // login user
    } else {
        // display 'could not login, please check and try again'
    }

If you use crypt as in your example, without providing a salt parameter, crypt basically implements a salt algorithmically in a manner similar to the one I showed, based on the original input, without you having to store it. There are more details on the manual page: crypt, as well as some warnings about the auto-generated salt created by crypt, which depends on the server environment and installed packages.
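Added example (Python, not from this thread and not PHP's crypt()): the salted scheme described above, with the salt stored beside the hash and reused at login, next to the mistake from the original question, where the login attempt is hashed with a fresh salt and so never matches. PBKDF2-HMAC-SHA256 stands in for crypt(); the iteration count, salt length and record format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this illustration (not from the thread).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt$hash' record (both hex).

    A fresh random salt is drawn unless one is supplied, so hashing the same
    password twice yields two different records. That is the point of a salt:
    a precomputed table for 'password' matches neither of them.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record.

    The salt is taken from the record and the hash is recomputed with it,
    then compared in constant time. Nothing is 'decrypted'; there is nothing
    to decrypt.
    """
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def naive_verify(password: str, stored: str) -> bool:
    """The failure mode from the original question: re-hash the attempt with a
    brand-new salt and compare. Even the correct password fails this check."""
    return hmac.compare_digest(hash_password(password), stored)
```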
cloudll Posted January 15, 2012 (Author)

Thank you very much for that detailed answer. I found it very helpful.