Encrypt password before storing in database?

Question

I have a password being passed from my iPhone app to the database via a php script, user.php.

The variable $pass is populated by the following:

$pass = str_replace("'", "", $_REQUEST['pass']);

How can I encrypt this before it's inserted into my database? I've read a little about the different techniques, but looking for the best way to manage this.

Thanks to everyone.

Answer 1

While the answer below is technically still correct, php has new recommendations with regards to the hashing algorithms to use. Their recommendation, as of php >= 5.5.0, is to use the password_hash and password_verify functions to hash and verify hashed passwords . As an added benefit, these functions automatically include an individualized salt as part of the returned hash, so you don't need to worry about that explicitly.

---

If you don't care about retrieving the actual password's value (from the database encrypted value), you can run a one-way hash algorithm on it (such as sha1). This function will return a specific length string (hash) which cannot be used to find the original string (theoretically). It is possible that two different strings could create the same hash (called a collision) but this shouldn't be a problem with passwords.
Example: $pass = sha1($_REQUEST['pass']);

One thing, to make it a little more secure is to add a salt to the hash and run the hash function again. This makes it more difficult to generate a password hash maliciously since the salt value is handled server-side only.
Example: $pass = sha1(sha1($_REQUEST['pass']).sha1("mySalt@$#(%"));

Answer 2

Use php's crypt library. Md5 is not encryption, it is hashing.

Also, salt your passwords. Why?

• This answer
• Another good answer