MD5 vs Encrypt vs ???


monkeytooth

Alright, I'm sure, almost positive, this has been asked in some form, way, shape or another here on this site at one point in time or another.. but I'm going to ask again, as I'm sure since the last time it may have been asked, new stuff has come to light..

 

Anyway. I want to take a password (user provided), and turn it into something secure, and unique. But, I'm not sure which way to go.. I want to do this with PHP.. So what to choose, MD5, encrypt(), something else? I'm looking for opinions mostly, or good methods to implement encrypting the password, so to speak..


Go for a hashing algorithm like md5() or sha1() (etc.).

A good way to tighten the security would be adding a constant salt to the hashing:

 

<?php

$salt = "32@952y53f322#39"; //This string has to stay constant all the time.
$hash = md5($_POST['pass'].$salt);

?>

Example: check if the inputted password exists in the database
<?php

$hash = md5($_POST['inputted_pass'].$salt); //Same $salt from previous script
$result = mysql_query("SELECT * FROM users WHERE pass = '$hash'");
if(mysql_num_rows($result) > 0)
  echo "user exists";

?>

 

 

Orio.


Well, I use md5() for encrypting passwords just because I think it's a little more hassle-free. With md5(), you can only get one hash from a string of characters; but crypt() can output different hashes for the same string of characters. To be honest, I've never tried to use crypt(), so I don't know what it's like to use.
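
As an added example (not code from any poster in this thread): the constant-salt md5() scheme from the reply above next to PHP's built-in password_hash() and password_verify(), which produce a different hash on every call for the same password, as described for crypt(). The function names legacy_hash, store_password and check_password and the sample passwords are assumptions made up for illustration.

```php
<?php
// Added example; the passwords below are constructed sample input.

const LEGACY_SALT = "32@952y53f322#39"; // constant salt from the reply above

// Scheme from the thread: deterministic and a single fast MD5 per guess.
function legacy_hash(string $password): string
{
    return md5($password . LEGACY_SALT);
}

// password_hash() picks a random salt per call and embeds algorithm,
// cost and salt in the returned string, so no separate salt column is needed.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns [bool $ok, ?string $replacement]. $replacement is a new hash to
// save when the stored value is a legacy MD5 or uses outdated parameters.
function check_password(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy row: compare in constant time, then upgrade on success.
        $ok = hash_equals($stored, legacy_hash($password));
        return [$ok, $ok ? store_password($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? store_password($password) : null];
}

$first  = store_password("sunshine");
$second = store_password("sunshine");

// Same password stored twice under each scheme.
var_dump(legacy_hash("sunshine") === legacy_hash("sunshine"));
var_dump($first === $second);

// Verification against a modern hash, then against a legacy MD5 row.
var_dump(check_password("sunshine", $first)[0]);
var_dump(check_password("moonlight", $first)[0]);
[$ok, $replacement] = check_password("sunshine", legacy_hash("sunshine"));
var_dump($ok, password_verify("sunshine", (string) $replacement));
```

Because the salt is part of the stored string, a login check has to fetch the user's row by username and call check_password() on the stored value; a lookup by hash in the WHERE clause no longer works.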


I think I am gonna go with the md5 concept.. it's worked for me in the past, I was just looking for opinions on if anything was better then..

 

As far as getting into a database unauthorized, I know the potential risks still exist, and I am intent on taking what I know, and attempting to keep a good current knowledge thereof on the subject.. and implementing it into the overall structure to make it more secure.

 

As far as this matter goes, all it's for is so someone can't as easily crack a password to get in, and what would be the best method of taking your common user passwords, which usually consist of easy dictionary words, and encrypting them in one sense of the word or another.

 

I want to thank those of you who did reply in helping me figure the route I wanna go. I'm intent on keeping this open a bit longer to get more opinions though, as I am just curious.
