
Latest/Greatest way to encrypt with PHP

php mysql encrypt password

10 replies to this topic

#1 thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 22-January 09

Posted 04 February 2013 - 00:36

Hey all,
What's the best/safest way right now to encrypt a password to store into a MySQL database?


#2 primexx

primexx

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 24-April 05

Posted 04 February 2013 - 02:01

bcrypt

#3 Quigley Guy

Quigley Guy

    Neowinian Senior

  • Joined: 13-August 02
  • Location: Ireland

Posted 04 February 2013 - 02:06

Why are you encrypting passwords? Does it need to be reversible?
If you are storing the user's login details, try salting and hashing your passwords instead - SHA1

#4 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 22-January 09

Posted 04 February 2013 - 03:07

More details would help I guess haha. It is an Admin username and password stored in a database. The admin has to enter the username and password when logging into the control panel. I want to save that password as securely as possible. I'm completely new to this and there are many options online, and I need some guidance.

Why are you encrypting passwords? Does it need to be reversible?
If you are storing the user's login details, try salting and hashing your passwords instead - SHA1

I will look into this! Thank you!

#5 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 5
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 04 February 2013 - 04:34

SHA1 is "weaker" than newer hash methods, and it's even better to use something like HMAC-SHA256 or bcrypt (as mentioned before).

#6 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 22-January 09

Posted 06 February 2013 - 04:26

Could someone post a good tutorial? It's confusing trying to pin down the information that I need. There are seriously so many options, and old posts. I really don't know what is the newest and safest thing to use!

#7 OP thatguyandrew1992

thatguyandrew1992

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 22-January 09

Posted 06 February 2013 - 04:39

I see BLOWFISH and SHA512 listed. Some searches are saying that both are good. Should I use BLOWFISH?

#8 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 5
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 06 February 2013 - 06:12

I'd use a pre-built solution that's been tested; the good ones will use something secure (HMAC-SHA256, bcrypt, etc.) and you won't have to worry about doing something wrong and accidentally opening a flaw into your system.

#9 threetonesun

threetonesun

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 26-February 02

Posted 06 February 2013 - 14:38

Use crypt().

if (CRYPT_BLOWFISH == 1) {
   // crypt() returns the hash; keep the result so it can be stored
   $hash = crypt($password, $salt);
}

It's one-way (as it should be), so you'll need to store the salt somewhere, preferably generating a random one for each user then saving it in the database with the user's record. Then when the user logs in with a username and password, you can look up the user by username, then:

// hash_equals() (PHP 5.6+) compares the two hashes in constant time
if (hash_equals($stored_password, crypt($entered_password, $stored_salt)))
{
  user_login();
}



Note that in the documentation for crypt() they show how to check for various encryption methods if blowfish isn't available.

#10 tim_s

tim_s

    Default

  • Joined: 07-January 13
  • OS: OSX (Macbook Pro i7), Windows 7 (Gaming), Gentoo
  • Phone: iPhone 5s

Posted 06 February 2013 - 19:43

Hey all,
What's the best/safest way right now to encrypt a password to store into a MySQL database?


Depends on what you are encrypting!

My strategy for saving PII (Personal Identifiable Information) or PAN (Private Account Number) would be much different than just a Username / Password combination where the user cannot be identified.

#11 AnthonySterling

AnthonySterling

    Offering bad advice since 23-December 04.

  • Joined: 23-December 04
  • Location: North-East, UK

Posted 09 February 2013 - 08:37

Take a look at PHP-PasswordLib and it's worth noting that this feature has been accepted into PHP 5.5.
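
Added example, not part of the original thread or any poster's code: the store-and-verify flow discussed above, written with PHP's built-in password_hash()/password_verify() functions (available since PHP 5.5). The helper names store_user() and check_login(), the in-memory array standing in for the MySQL table, the cost of 12 and the sample credentials are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the MySQL users table: username => stored hash.
// In a real schema, a VARCHAR(255) column leaves room for future hash formats.
$users = [];

const COST = 12; // assumed bcrypt work factor; tune to your hardware

// Hypothetical helper: create or update an account.
function store_user(array &$users, string $username, string $password): void
{
    // PASSWORD_BCRYPT generates a random salt for every call and embeds it,
    // together with the cost, in the returned string, so no separate salt
    // column is needed. Note that bcrypt only uses the first 72 bytes of input.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => COST]);
}

// Hypothetical helper: true only for a correct username/password pair.
function check_login(array &$users, string $username, string $password): bool
{
    // Unknown usernames are checked against a dummy hash so that both
    // code paths perform one bcrypt computation.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_BCRYPT, ['cost' => COST]);
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummy;

    // password_verify() reads the salt and cost out of $hash, recomputes the
    // hash of the entered password and compares the two in constant time.
    $valid = password_verify($password, $hash);
    if (!$valid || !$known) {
        return false;
    }

    // If COST has been raised since this hash was stored, upgrade it now,
    // while the plaintext password is available.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => COST]);
    }
    return true;
}

// Constructed sample credentials.
store_user($users, 'admin', 'correct horse battery staple');
var_dump(check_login($users, 'admin', 'correct horse battery staple'));
var_dump(check_login($users, 'admin', 'wrong guess'));
var_dump(check_login($users, 'nobody', 'anything'));
```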