Lone_Ranger Posted December 25, 2013 Share Posted December 25, 2013 session_start(); ob_start(); *host detail stuff here* mysql_connect("$host", "$dbusername", "$password") or die ("cannot connect"); mysql_select_db("$db_name") or die ("cannot select DB"); $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $username = stripslashes($username); $password = stripslashes($password); $sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password='$password'"; $result = mysql_query($sql); $count = mysql_num_rows($result); if($count == 1) { $_SESSION['username'] = $username; $_SESSION['password'] = $password; header('location:login_success.php'); } if($count == 1) { session_register('username'); session_register('password'); header('location:login_success.php'); } else { include("top.php"); include("style.css"); echo "<p align=center><font size=2>Login Failed. <a href=http://www.sentuamessage.com/login.php>Please Try Again</a></p>"; include("bottom.php"); } ob_end_flush(); right now with this code my password is exposed in the database showing in it's column as "Example1" instead I want it cryptic or more secure. I heard MD5 is a terrible choice to make for passwords so what option would be better and how would I implement it? (I haven't made a register page yet) Quote Link to comment https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/ Share on other sites More sharing options...
jcbones Posted December 25, 2013 Share Posted December 25, 2013 I suggest mcrypt. There are plenty of examples at the link. Quote Link to comment https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/#findComment-1463079 Share on other sites More sharing options...
Solution gizmola Posted December 25, 2013 Solution Share Posted December 25, 2013 In my opinion, the best solution is not to encrypt the password but to hash it. A hash can not be decrypted. As entire books have been written on this subject, and it's non-trivial I'll try and limit myself to a few comments. md5 is one such hash, and is not a terrible choice if you take other precautions, however, there are better hashes available -- sha1 for example. It's very important that you use a salt when you're hashing the password. The best practice lately, is that you hash or encrypt passwords using a large number of repeated operations. For example, rather than hash the password once, you might hash it 500x using the result and re-hashing it over and over again. This slows down the operation, so that people attempting brute-force hacks, or who compromise your entire user table, will face a substantial barrier to utilizing a rainbow table and determining simple matches. In your code, I'd suggest you write a simple function that does the hashing routine. As input it requires the username, the password, the salt, and a randomly generated number of hash operations to be repeated. Of course you need to generate and store all these in your user table, so this will require some modifications and some routines that will generate random numbers in a range, and random strings to use as salts. You then compare the stored password with this result and if == the user has authenticated. Do not store the password in the session. Quote Link to comment https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/#findComment-1463080 Share on other sites More sharing options...
AJinNYC Posted December 26, 2013 Share Posted December 26, 2013 (edited) To chime in, my suggestion would be to use SHA-384 or SHA-512 (both considered to be SHA2). They're more secure than SHA1. You would use the PHP function hash_hmac and set the algorithm input to SHA-384 or SHA-512. http://www.php.net/manual/en/function.hash-hmac.php Edited December 26, 2013 by AJinNYC Quote Link to comment https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/#findComment-1463081 Share on other sites More sharing options...
trq Posted December 26, 2013 Share Posted December 26, 2013 If your using php5.5 just use the new password hashing extension: http://php.net/password Else, use the compat library: https://github.com/ircmaxell/password_compat Quote Link to comment https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/#findComment-1463082 Share on other sites More sharing options...
gizmola Posted December 26, 2013 Share Posted December 26, 2013 I hope you evaluate the advice from AJinNYC and trq, as they both provided great suggestions. Obviously, the larger the hash, the more characters you have to store in your table for the password, but that shouldn't be a concern. Quote Link to comment https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/#findComment-1463102 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.