Re: [PHP] Adding encryption to passwords
Thodoris wrote:
> So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.

We use md5 for that sort of thing.

/Per Jessen, Zürich

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Adding encryption to passwords
> Thodoris wrote:
>> So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.
>
> We use md5 for that sort of thing.
>
> /Per Jessen, Zürich

I've noticed that crypt uses all the available encryption algorithms that you have. The manual gives an example to check what is available:

    <?php
    // Each CRYPT_* constant is 1 when crypt() supports that algorithm here.
    echo '<pre>';
    if (CRYPT_STD_DES == 1) {
        echo 'Standard DES: ' . crypt('rasmuslerdorf', 'rl') . "\n";
    }
    if (CRYPT_EXT_DES == 1) {
        echo 'Extended DES: ' . crypt('rasmuslerdorf', '_J9..rasm') . "\n";
    }
    if (CRYPT_MD5 == 1) {
        echo 'MD5: ' . crypt('rasmuslerdorf', '$1$rasmusle$') . "\n";
    }
    if (CRYPT_BLOWFISH == 1) {
        echo 'Blowfish: ' . crypt('rasmuslerdorf', '$2a$07$rasmuslerd...$') . "\n";
    }
    ?>

In addition to that I know that md5 is not the strongest way to encrypt but I guess it is enough for me.

--
Thodoris
Re: [PHP] Adding encryption to passwords
> Hi guys
>
> I have developed an intranet web interface with user access. I am storing the passwords into a mysql table as raw text (I know not so secure).
>
> So I am adding group access features and I am thinking to encrypt the passwords because this seems to grow as a project although it started as a simple web tool.
>
> So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.

Encryption is reversible, hashing is not. So hashing is probably the best bet as an evil hacker will never be able to reverse them. The process using hashes is:

1. Get the clear text password
2. Hash it
3. Store the hash and throw away the clear text version

Now when it comes to verifying a login the process is:

1. Get what the user has provided
2. Hash it (using the same as what you did when you first got the password)
3. Compare it to what you already have. If they match, then the result is good, if not, then not.

Store the hashed version in the database, it's not reversible. You should still be careful with it though (ie don't go around disclosing it to Mr. Joe Hacker).

BTW md5() is a form of hashing.

--
Richard Heyes
HTML5 Graphing for IE7, FF, Chrome, Opera and Safari: http://www.phpguru.org/RGraph
Re: [PHP] Adding encryption to passwords
>> Hi guys
>>
>> I have developed an intranet web interface with user access. I am storing the passwords into a mysql table as raw text (I know not so secure).
>>
>> So I am adding group access features and I am thinking to encrypt the passwords because this seems to grow as a project although it started as a simple web tool.
>>
>> So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.
>
> Encryption is reversible, hashing is not. So hashing is probably the best bet as an evil hacker will never be able to reverse them. The process using hashes is:
>
> 1. Get the clear text password
> 2. Hash it
> 3. Store the hash and throw away the clear text version
>
> Now when it comes to verifying a login the process is:
>
> 1. Get what the user has provided
> 2. Hash it (using the same as what you did when you first got the password)
> 3. Compare it to what you already have. If they match, then the result is good, if not, then not.
>
> Store the hashed version in the database, it's not reversible. You should still be careful with it though (ie don't go around disclosing it to Mr. Joe Hacker).
>
> BTW md5() is a form of hashing.

Thanks Richard for clearing this up but I meant hashing in the first place. I was aware of the process but I was wondering what is the best way to do it.

Can you please give a sample piece on how you do this.

PS I will be extra careful with the terms cause it really makes a difference.

--
Thodoris
Re: [PHP] Adding encryption to passwords
> Thanks Richard for clearing this up but I meant hashing in the first place.

And yet you mentioned mcrypt. Clue is in the name.

> Can you please give a sample piece on how you do this.

There are undoubtedly numerous examples out there. Try the PHP manual to start with.

--
Richard Heyes
HTML5 Graphing for IE7, FF, Chrome, Opera and Safari: http://www.phpguru.org/RGraph
RE: [PHP] Adding encryption to passwords
You can try the MySQL built-in functions, i.e. encode(str, key):

    INSERT INTO test (password) VALUES (ENCODE('mypass', 'some key'));

You can then use the decode() functions in your matching queries. You also need to consider security of your php code, as the key to decode will be in the query strings.

There are other built-in encryption functions in MySQL you can explore.

-Original Message-
From: Thodoris [mailto:[EMAIL PROTECTED]
Sent: 19 September 2008 10:25 AM
To: PHP General list
Subject: [PHP] Adding encryption to passwords

Hi guys

I have developed an intranet web interface with user access. I am storing the passwords into a mysql table as raw text (I know not so secure).

So I am adding group access features and I am thinking to encrypt the passwords because this seems to grow as a project although it started as a simple web tool.

So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.

--
Thodoris
Re: [PHP] Adding encryption to passwords
Per Jessen wrote:
> We use md5 for that sort of thing.

There is also SHA-1: bit more overhead, bit more secure than md5.
Re: [PHP] Adding encryption to passwords
I use SHA-256 (use hash - php.net/manual/en/function.hash.php), because it's a little bit more secure than md5 or SHA-1.

BTW: Don't forget the salts..

--
Best regards
Dominik Strauß - www.n3or.de
Web development, PHP and Linux
Mobile: 0178 4940605
Internet: www.n3or.de
E-Mail: [EMAIL PROTECTED]
Re: [PHP] Adding encryption to passwords
> I use SHA-256 (use hash - php.net/manual/en/function.hash.php), because it's a little bit more secure than md5 or SHA-1.
>
> BTW: Don't forget the salts..

Thanks for the feedback guys it was quite helpful.

--
Thodoris
RE: [PHP] Adding encryption to passwords
> -Original Message-
> From: Thodoris [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2008 7:42 AM
> To: [EMAIL PROTECTED]
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Adding encryption to passwords
>
>> I use SHA-256 (use hash - php.net/manual/en/function.hash.php), because it's a little bit more secure than md5 or SHA-1.
>>
>> BTW: Don't forget the salts..
>
> Thanks for the feedback guys it was quite helpful.

Be wary, though--the salt suggestion is good advice. It helps to avoid what is known as rainbow cracking, where basically a dictionary is hashed and used to brute-force your encrypted hash by comparison.

Salt is just a bit of extra text (a difficult combination to guess) hashed in with the text you are crypting. I.e., imagine you have a function hash() which receives input text and generates a hash from it (md5, sha-1, whatever):

    // hash() is the imagined one-argument function described above
    $hashedText = hash('1-+ThiS/iS[[My592SaLT!!/' . $textToHash);

You could take it to the next level like phpBB does and lock it down further:

    $salt = '1-+ThiS/iS[[My592SaLT!!/';
    $hashedText = hash(hash($salt) . hash($salt . $textToHash));

...either example makes it much more difficult for a cracker than just hashing a dictionary and trying each result.

HTH,

Todd Boyd
Web Programmer
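The storing and login-check steps listed earlier in the thread, combined with the salting discussed in the message above, as an added example that is not part of any poster's message: it uses PHP's built-in password_hash(), password_verify() and password_needs_rehash() (PHP 7.1+ syntax), which use crypt()'s Blowfish scheme with a random salt stored inside the hash string. The array standing in for the MySQL table, the function names, the cost value and the sample users are assumptions.

```php
<?php
// Added example for this thread; array layout and function names are
// hypothetical, and the sample users are constructed.

const HASH_OPTIONS = ['cost' => 10];   // bcrypt work factor (assumed value)

// Storing procedure: hash the clear text, keep only the hash.
// password_hash() generates a random salt per call and embeds it in the result.
function hash_password(string $clearText): string
{
    return password_hash($clearText, PASSWORD_BCRYPT, HASH_OPTIONS);
}

// One-off migration for a table that still holds raw-text passwords.
function migrate_raw_passwords(array $rows): array
{
    foreach ($rows as $user => $rawPassword) {
        $rows[$user] = hash_password($rawPassword);
    }
    return $rows;
}

// Login check: re-hash the supplied text with the salt stored in $storedHash
// and compare in constant time. The second element is a replacement hash when
// the stored one was made with older options, otherwise null.
function check_login(string $supplied, string $storedHash): array
{
    if (!password_verify($supplied, $storedHash)) {
        return [false, null];
    }
    $stale = password_needs_rehash($storedHash, PASSWORD_BCRYPT, HASH_OPTIONS);
    return [true, $stale ? hash_password($supplied) : null];
}

// Constructed sample data standing in for the MySQL table.
$users = migrate_raw_passwords(['alice' => 'correct horse', 'bob' => 'correct horse']);

// Same password, different salts: the stored values differ, so a table of
// precomputed hashes cannot be matched against the column.
echo 'hashes differ: ', var_export($users['alice'] !== $users['bob'], true), "\n";

foreach ([['alice', 'correct horse'], ['bob', 'wrong guess']] as [$user, $attempt]) {
    [$ok, $newHash] = check_login($attempt, $users[$user]);
    if ($newHash !== null) {
        $users[$user] = $newHash;   // real code: UPDATE the row
    }
    echo $user, ': ', $ok ? 'accepted' : 'rejected', "\n";
}
```

The strings produced this way are 60 characters long, so the password column has to hold at least that many.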
Re: [PHP] Adding encryption to passwords
Per Jessen wrote:
> Thodoris wrote:
>> So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.
>
> We use md5 for that sort of thing.
>
> /Per Jessen, Zürich

sha 256 is my preferred encryption, no collision to speak of or decryption tables; also returns back a 64char string; which can be stored in a mysql BINARY(64) column which is v fast with the appropriate index.
Re: [PHP] Adding encryption to passwords
On Sep 19, 2008, at 9:00 AM, Nathan Rixham wrote:
> Per Jessen wrote:
>> Thodoris wrote:
>>> So what do you think is the best way to use crypt, mcrypt, hash or perhaps md5 and what are really the differences because I am not sure if I get it right.
>>
>> We use md5 for that sort of thing.
>>
>> /Per Jessen, Zürich
>
> sha 256 is my preferred encryption, no collision to speak of or decryption tables; also returns back a 64char string; which can be stored in a mysql BINARY(64) column which is v fast with the appropriate index.

If you're using MySQL: http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html

We use AES de/encryption. Works well. =D

~Philip