Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Encrypting/Decrypting Passwords to and from a MySQL database

Tags:

php

mysql

encryption

I'm starting to create a user system for my website, and what I want to do is to have the passwords encrypted, rather than plaintext. I'm using PHP/MySQL, so I figured crypt() is a good place to start. However, I'm brand new to cryptography like this, and I'm having trouble understanding exactly how it works. Does anybody know how to implement, at the simplest level, a way for passwords to be stored as an encrypted string, but always be able to be decrypted, without a security issue?

like image 974
AKor Avatar asked Feb 20 '11 18:02

AKor

3 Answers

Passwords should be hashed, not encrypted. That is, you should not be able to decrpyt the password. Instead, you should compare hashes.

  1. User sets password $password = 'hX4)1z'
  2. You get hash of password and store to DB:

#

$pw = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);
mysql_query('INSERT INTO passwords (pw) VALUES ('$pw');
  1. Customer comes back later. They put in their password, and you compare it:

#

mysql_query('SELECT pw FROM passwords WHERE user_id = ?');
//$pw = fetch

if ($pw == hash_hmac('sha512', 'salt' . $_REQUEST['password'], $_SERVER['site_key']) {

   echo "Logged in";

}
like image 51
Explosion Pills Avatar answered Sep 21 '22 12:09

Explosion Pills

PHP has some built-in has functions, such as md5(). When I was learning I found IBM's primer very useful - I'd highly recommend looking at that.

As an aside, I would advise against being able to decrypt a password. The only person who should know their password is a user! This is why we store hashed versions of passwords which we can check against, rather than storing encrypted passwords which can be decrypted..

like image 21
Sam Hogarth Avatar answered Sep 20 '22 12:09

Sam Hogarth

I notice people make huge deals about storing passwords.

Agreed you shouldn't store passwords as plain texts, but if you store the one way hash and get rid of the password, hackers can still using algorithms to hack a hash hashing strings and comparing.

Also, if you encrypt with an algorithm that you can decrypt later, that can also be hacked by figuring out the algorithm of the encryption.

I think as long as no one can see the users' passwords outright and you simply make it difficult for hackers you're good, but people say you shouldn't encrypt because it can be decrypted but that's not fair because anything can be hacked.

like image 37
omar Avatar answered Sep 20 '22 12:09

omar
Sign in to Comment

Related questions

How to avoid UNLINK security risks in PHP?
PHP md5 explained
Why is PHP not interpreted in FF but is interpreted in Chrome on my website?
Rails 3 protect_from_forgery problems
What is the point of using custom exception class in php?
How to know the original country of a website?
ffmpeg-php to create thumbnail of video
Regular expression to remove CSS comments
How to find first/second element of associative array when keys are unknown?
Is it okay to put a lot of PHP includes on a site?
php classes extend
php find string
Can I get the current page URL from a PHP script envoked via AJAX?
problem with conditional switch
How to convert an array to a html table
How to send an email with attachment in wordpress?
How to make Video conference application in HTML 5? [closed]
Are there OAuth 2 server side PHP or Java implementations? [closed]
Using Zend_Auth to secure all controllers
What encoding does ZipArchive use to store file names inside the created archive?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!