ansaurus

Question

Answer 1

+1 A:

Most basic: Hash it with MD5 or SHA1

$newpass = md5($_REQUEST['pass']);

or

$newpass = sha1($_REQUEST['pass']);

Recently I started storing the username hashed as well, so login attempts are secure using only hashed data for comparisons.

You can "salt" the hashes with extra data so if they are compromised, it's value cannot be found (try googling some simple hashed words).. i.e. use a site-wide string just to alter the standard hash like md5("mySiteSalt!!" . $_REQUEST['pass']); or something more advanced.

Fosco 2010-10-20 19:42:49

md5 is not for encryption.

Chris 2010-10-20 19:44:04

@Chris For the record, hashing is a form of encryption (albeit one-way). Regardless, MD5 should NEVER be used to store passwords. With today's rainbow tables, it's as good as plaintext.

mattbasta 2010-10-20 19:47:58

Never said hashing is not a form of encryption, I just said md5 is not for encryption. So why are you suggesting to use md5 to "encrypt" the OP's passwords. At least explain in your answer this before creating another user with convoluted sense of security by using md5 for password encryption.

Chris 2010-10-20 19:48:55

@Chris you don't want to encrypt passwords, you want to hash them. I was editing to add salting, which eliminates the rainbow table vulnerability... though I still contend that if someone gets in your database to get the hashes, no encryption is going to save you. I wouldn't "encrypt" passwords because I don't want them, and I don't want there to be a way to reverse them.

Fosco 2010-10-20 19:51:11

A per password/user salt is a better idea.

middus 2010-10-20 20:23:58

I'm happy with just SHA1 hashing. This isn't a banking system, just a forum. if someone REALLY wants to hack in and get the passwords, not much they can do with them. I'm adding hashing to provide just a little extra security.

BigMike 2010-10-20 21:06:47

Answer 2

+2 A:

Use php's crypt library. Md5 is not encryption, it is hashing.

Also, salt your passwords. Why?

Chris 2010-10-20 19:45:20

Answer 3

A:

Use crypt with some salt. Such as

$user = strip_tags(substr($_REQUEST['user'],0,32));
$plain_pw = strip_tags(substr($_REQUEST['pass'],0,32));

$password = crypt(md5($plain_pw),md5($user));

as on http://www.ibm.com/developerworks/opensource/library/os-php-encrypt/

brian_d 2010-10-20 19:46:17

Answer 4

+2 A:

If you don't care about retrieving the actual password's value (from the database encrypted value), you can run a one-way hash algorithm on it (such as sha1: http://php.net/manual/en/function.sha1.php). This function will return a specific length string (hash) which cannot be used to find the original string (theoretically). It is possible that two different strings could create the same hash (called a collision) but this shouldn't be a problem with passwords.
Example: $pass = sha1($_REQUEST['pass']);

One thing, to make it a little more secure is to add a salt to the hash and run the hash function again. This makes it more difficult to generate a password hash maliciously since the salt value is handled server-side only.
Example: $pass = sha1(sha1($_REQUEST['pass']).sha1("mySalt@$#(%"));

Drackir 2010-10-20 19:48:24

This is not a proper salt. A salt is not the same for every user of an application. Instead it is user-specific.

middus 2010-10-20 20:19:42

I used this one. It's working and doesn't need to be super cryptic.

BigMike 2010-10-20 20:45:06

Answer 5

A:

You should use SHA1 to hash your passwords for storage in the database. It's the simplest, yet most effective way to store passwords:

$password = sha1($password);

It's also exceptionally safe. Though the integrity of it is beginning to creep, it's rather easy to upgrade this function to SHA-256 (which is incredibly secure).

mattbasta 2010-10-20 19:50:47

SHA1 is too fast. See the link in my answer.

middus 2010-10-20 20:25:22

@middus It certainly is too fast, but it uses 30% more space than MD5, so at least the tables are bigger. Plus, if someone has enough access to your database to gather the hashed passwords, chances are they can steal a great deal of other unencrypted info. SHA1 isn't "great", but it'll do in 95% of scenarios.

mattbasta 2010-10-20 21:21:53

Answer 6

A:

To find out why md5, sha1 and their speedy friends might not be a good idea, you should read the post Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes by Thomas Ptacek. The gist:

Finally, we learned that if we want to store passwords securely we have three reasonable options: PHK’s MD5 scheme, Provos-Maziere’s Bcrypt scheme, and SRP. We learned that the correct choice is Bcrypt.

Note: it's PHK, not php.

middus 2010-10-20 20:15:47

Answer 7

A:

First, you should create a random user salt. Then you should store that and the password hash in the database.

$salt = md5(unique_id().mt_rand().microtime());
$pass = sha1($salt.$_REQUEST['pass']);

and save the $salt and $pass in the database. Then when they go to login you look up their row and check the hash:

$user = query('SELECT * FROM `user` WHERE username = ?', array($_REQUEST['username']));

if($user)
{
    // If the password they give maches
    if($user->pass === sha1($user->salt. $_REQUEST['pass']))
    {
        // login
    }
    else
    {
        // bad password
    }
}
else
{
    // user not found
}

Creating a user salt for each account insures rainbow tables are useless and anyone that broken into your server would have to brute-force each password.

Xeoncross 2010-10-20 20:23:19

ansaurus

tags:

views:

answers:

PHP Password Encryption Handling

related questions