Question

Posted

Hey all,
What's the best/safest way right now to encrypt a password to store into a MySQL database?


10 answers to this question

  • 0

Posted

bcrypt
2 people like this

  • 0

Posted

Why are you encrypting passwords? Does it need to be reversible?
If you are storing the user's login details, try salting and hashing your passwords instead - SHA1
1 person likes this

  • 0

Posted

More details would help I guess haha. It is an Admin username and password stored in a database. The admin has to enter the username and password when logging into the control panel. I want to save that password as securely as possible. I'm completely new to this and there are many options online, and I need some guidance.

[quote name='Quigley Guy' timestamp='1359943605' post='595499762']
Why are you encrypting passwords? Does it need to be reversible?
If you are storing the users login details try salting and hashing your passwords instead - SHA1
[/quote]
I will look into this! Thank you!

  • 0

Posted

SHA1 is "weaker" than newer hash methods, and it's even better to use something like HMAC-SHA256 or bcrypt (as mentioned before)

  • 0

Posted

Could someone post a good tutorial? It's confusing trying to pin down the information that I need. There are seriously so many options, and old posts. I really don't know what is the newest and safest thing to use!

  • 0

Posted

I see BLOWFISH and SHA512 listed. Some searches are saying that both are good. Should I use BLOWFISH?

  • 0

Posted

I'd use a pre-built solution that's been tested, the good ones will use something secure (HMAC-SHA256, bcrypt, etc.) and you won't have to worry about doing something wrong and accidentally opening a flaw into your system.

  • 0

Posted

Use [url="http://php.net/manual/en/function.crypt.php"]crypt()[/url].

[CODE]
if (CRYPT_BLOWFISH == 1) {
    // Keep the result: this hash string is what gets stored for the user
    $stored_password = crypt($password, $salt);
}
[/CODE]

It's one way (as it should be), so you'll need to store the salt somewhere, preferably generating a random one for each user, then saving it in the database with the user's record. Then when the user logs in with a username and password, you can look up the user by username, then:

[CODE]
// Recompute the hash with the user's stored salt and compare it to the stored one
if ($stored_password === crypt($entered_password, $stored_salt))
{
    user_login();
}
[/CODE]


Note that in the documentation for crypt() they show how to check for various encryption methods if blowfish isn't available.
2 people like this

  • 0

Posted

[quote name='thatguyandrew1992' timestamp='1359938176' post='595499566']
Hey all,
What's the best/safest way right now to encrypt a password to store into a MySQL database?
[/quote]

Depends on what you are encrypting!

My strategy for saving PII (Personal Identifiable Information) or PAN (Private Account Number) would be much different than just a Username / Password combination where the user cannot be identified.

  • 0

Posted

Take a look at [url="https://github.com/ircmaxell/PHP-PasswordLib"]PHP-PasswordLib[/url] and it's worth noting that [url="https://wiki.php.net/rfc/password_hash"]this feature[/url] has been accepted into PHP 5.5.
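
An added example, not part of the thread or of PHP-PasswordLib: how the `password_hash()` API accepted for PHP 5.5 covers the salt, store and verify steps discussed in the answers above. The `$users` array (standing in for the MySQL admin table), the function names and the cost of 12 are assumptions, and the type declarations assume PHP 7 or later.

```php
<?php
// Constructed stand-in for the MySQL table: username => stored hash string.
const BCRYPT_OPTIONS = ['cost' => 12]; // assumed work factor; tune to your hardware

function store_password(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string. One column holds it all.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

function check_login(array &$users, string $username, string $password): bool
{
    // For an unknown username, verify against a dummy hash so that both
    // paths perform one bcrypt computation.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-value', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummy;

    // password_verify() reads the salt and cost back out of the hash and
    // compares in constant time.
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }

    // On a successful login, re-hash records created with an older cost.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

$users = [];
store_password($users, 'admin', 'correct horse battery staple');
// Constructed legacy record, hashed at a lower cost than the current setting.
$users['legacy'] = password_hash('old-secret', PASSWORD_BCRYPT, ['cost' => 8]);

var_dump(check_login($users, 'admin', 'correct horse battery staple')); // valid login
var_dump(check_login($users, 'admin', 'wrong'));                        // wrong password
var_dump(check_login($users, 'nobody', 'whatever'));                    // unknown user
var_dump(check_login($users, 'legacy', 'old-secret'));                  // valid, triggers re-hash
var_dump(password_get_info($users['legacy'])['options']['cost']);       // cost after re-hash
```

A `VARCHAR(255)` column leaves room for the hash string to grow if the algorithm changes later. bcrypt only uses the first 72 bytes of the password.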
