
Which encryption method should I use?


jordanwb


In my site I do a simple MD5 hash of the user's password and test it against the saved password. Now given enough time it is possible to break MD5 via Collision (I actually made a C# program to do this*). I've heard of SHA256, and SHA512 but I can't find a PHP function to do that. I've also heard of Salt, what's that? My main question is what encryption methods do you prefer and what are the benefits over plain md5? Any do's and don'ts regarding certain encryption methods?

 

* But it took me several hours to break a 5 letter password.


I found out what Salt is but I have an issue with that. Given code:

 


function l33t_hash ($password, $salt)
{
    return md5 ($salt.$password.$salt);
}

 

The value that's passed into MD5 is incredibly long. But you would need to save the value of $salt in the database. Wouldn't this be a bit of a security problem? I ask this because if you can get the result of the hash you could get the salt and figure out how the salt and original password work together. So I don't see how I would benefit except by making Rainbow Tables almost useless.
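
The salted-hash idea raised in the post above, as an added example that is not part of the thread: PHP's built-in password_hash() draws a random per-user salt and stores it inside the hash string, and the function below also upgrades a legacy unsalted md5() value after a successful login. The name check_login and the sample values are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. $stored stands in for the value
// read from a hypothetical password column in the users table.

// Returns [bool $ok, ?string $newHash]; $newHash is non-null when the stored
// value should be replaced (legacy MD5 or outdated hash parameters).
function check_login(string $password, string $stored): array
{
    // Legacy format from the first post: 32 hex chars of unsalted md5().
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        // Correct password: upgrade to a salted, slow hash right away.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Modern format: algorithm, cost and the random per-user salt are all
    // encoded in the stored string, so no separate salt column is needed.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample data: a legacy row holding md5() of the password.
$legacy = md5('correct horse');
[$ok, $upgraded] = check_login('correct horse', $legacy);
var_dump($ok);
echo $upgraded, "\n";

// The same password hashed twice gives different strings because each call
// draws a fresh salt; this is what makes precomputed tables useless.
$a = password_hash('correct horse', PASSWORD_DEFAULT);
$b = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($a !== $b);
var_dump(password_verify('correct horse', $a), password_verify('wrong', $a));

// A row that has already been upgraded verifies and needs no further change.
[$ok2, $new2] = check_login('correct horse', $upgraded);
var_dump($ok2, $new2);
```

The salt is not a secret: its job is to make every stored hash unique, so an attacker who reads the table must attack each password separately.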

Me either :D I don't understand myself sometimes =]

 

But uh, I was saying if someone forgets their password in MD5 there's no way to retrieve it; you would have to generate them a new one. With encrypt you can use the decrypt to give it back to them.

Use Mcrypt. It is a Rijndael 256 bit encryption. Very secure.

 

Function based code: http://www.w3courses.com/index.php?subaction=showfull&id=1206924756&ucat=12&category=12&catdisplay=PHP

 

Class based code: http://www.w3courses.com/index.php?subaction=showfull&id=1206924912&ucat=12&category=12&catdisplay=PHP

 

The above code will let you encrypt or decrypt the text by calling functions or class methods.

In the first link, the page has a decrypt method which sounds instantly like a security problem.

 

Not if you are using a long and hard to guess key. You need the key and the decrypt function to decrypt the text. The function by itself won't decrypt the data unless you have the right key.

Archived

This topic is now archived and is closed to further replies.
