10 replies to this topic

[thatguyandrew1992]

Hey all,
What's the best/safest way right now to encrypt a password to store into a MySQL database?

[primexx]

bcrypt

[Quigley Guy]

Why are you encrypting passwords? Does it need to be reversible?
If you are storing the users login details try salting and hashing your passwords instead - SHA1

[thatguyandrew1992]

More details would help I guess haha. It is an Admin username and password stored in a database. The admin has to enter the username and password when logging into the control panel. I want to save that password as securely as possible. I'm completely new to this and there are many options online, and I need some guidance.

Quigley Guy, on 04 February 2013 - 02:06, said:

Why are you encrypting passwords? Does it need to be reversible?
If you are storing the users login details try salting and hashing your passwords instead - SHA1

i will look into this! Thank you!

[The_Decryptor]

SHA1 is "weaker" than newer hash methods, and it's even better to use something like HMAC-SHA256 or bcrypt (as mentioned before)

[thatguyandrew1992]

Could someone post a good tutorial? It's confusing trying to pin down the information that i need. There are seriously so many options, and old posts. Im really don't know what is the newest and safest thing to use!

[thatguyandrew1992]

I see BLOWFISH and SHA512 listed. Some searches are saying that both a good. Should I use BLOWFISH?

[The_Decryptor]

I'd use a pre-built solution that's been tested, the good ones will use something secure (HMAC-SHA256, bcrypt, etc.) and you won't have to worry about doing something wrong and accidentally opening a flaw into your system.

[threetonesun]

Use crypt().

if (CRYPT_BLOWFISH == 1) {
   crypt($password, $salt);
}

It's one way (as it should be), so you'll need to store the salt somewhere, preferably generating a random one for each user than saving it in the database with the user's record. Then when the user logs in with a username and password, you can lookup the user by username, then:

if ($stored_password === crypt($entered_password, $stored_salt))
{
  user_login();
}

Note that in the documentation for crypt() they show how to check for various encryption methods if blowfish isn't available.

[tim_s]

thatguyandrew1992, on 04 February 2013 - 00:36, said:

Hey all,
What's the best/safest way right now to encrypt a password to store into a MySQL database?

Depends on what you are encrypting!

My strategy for saving PII (Personal Identifiable Information) or PAN (Private Account Number) would be much different than just a Username / Password combination where the user cannot be identified.

[AnthonySterling]

Take a look at PHP-PasswordLib and it's worth noting that this feature has been accepted into PHP 5.5.