Jump to content

best way to crypt a password


Go to solution Solved by gizmola,

Recommended Posts

session_start();
ob_start();

*host detail stuff here*

mysql_connect("$host", "$dbusername", "$password") or die ("cannot connect");
mysql_select_db("$db_name") or die ("cannot select DB");

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$username = stripslashes($username);
$password = stripslashes($password);
$sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password='$password'";
$result = mysql_query($sql);

$count = mysql_num_rows($result);

if($count == 1) {
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header('location:login_success.php');
}

if($count == 1) {
    session_register('username');
    session_register('password');
    header('location:login_success.php');
}

else {
include("top.php");
include("style.css");
        echo "<p align=center><font size=2>Login Failed. <a href=http://www.sentuamessage.com/login.php>Please Try Again</a></p>";
include("bottom.php");
}
ob_end_flush();

right now with this code my password is exposed in the database showing in it's column as "Example1" instead I want it cryptic or more secure.

 

I heard MD5 is a terrible choice to make for passwords so what option would be better and how would I implement it? (I haven't made a register page yet)

 

 

Link to comment
https://forums.phpfreaks.com/topic/284923-best-way-to-crypt-a-password/
Share on other sites

  • Solution

In my opinion, the best solution is not to encrypt the password but to hash it.  A hash can not be decrypted. 

 

As entire books have been written on this subject, and it's non-trivial I'll try and limit myself to a few comments.

 

md5 is one such hash, and is not a terrible choice if you take other precautions, however, there are better hashes available -- sha1 for example.

 

It's very important that you use a salt when you're hashing the password.

 

The best practice lately, is that you hash or encrypt passwords using a large number of repeated operations.  For example, rather than hash the password once, you might hash it 500x using the result and re-hashing it over and over again.  This slows down the operation, so that people attempting brute-force hacks, or who compromise your entire user table, will face a substantial barrier to utilizing a rainbow table and determining simple matches. 

 

In your code, I'd suggest you write a simple function that does the hashing routine.  As input it requires the username, the password, the salt, and a randomly generated number of hash operations to be repeated.  Of course you need to generate and store all these in your user table, so this will require some modifications and some routines that will generate random numbers in a range, and random strings to use as salts.

 

You then compare the stored password with this result and if == the user has authenticated.

 

Do not store the password in the session. 

To chime in, my suggestion would be to use SHA-384 or SHA-512 (both considered to be SHA2). They're more secure than SHA1. You would use the PHP function hash_hmac and set the algorithm input to SHA-384 or SHA-512.

 

http://www.php.net/manual/en/function.hash-hmac.php

Edited by AJinNYC

I hope you evaluate the advice from AJinNYC and trq, as they both provided great suggestions.  Obviously, the larger the hash, the more characters you have to store in your table for the password, but that shouldn't be a concern.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.