
Latest/Greatest way to encrypt with PHP


DrJohnSmitherson    131

Hey all,

What's the best/safest way right now to encrypt a password to store into a MySQL database?

primexx    372

bcrypt

  • Like 2

Quigley Guy    29

Why are you encrypting passwords? Does it need to be reversible?

If you are storing the user's login details, try salting and hashing your passwords instead - SHA1

  • Like 1

DrJohnSmitherson    131

More details would help I guess haha. It is an Admin username and password stored in a database. The admin has to enter the username and password when logging into the control panel. I want to save that password as securely as possible. I'm completely new to this and there are many options online, and I need some guidance.

[QUOTE]
Why are you encrypting passwords? Does it need to be reversible?

If you are storing the user's login details, try salting and hashing your passwords instead - SHA1
[/QUOTE]

I will look into this! Thank you!

The_Decryptor    1,105

SHA1 is "weaker" than newer hash methods, and it's even better to use something like HMAC-SHA256 or bcrypt (as mentioned before)

DrJohnSmitherson    131

Could someone post a good tutorial? It's confusing trying to pin down the information that I need. There are seriously so many options, and old posts. I really don't know what is the newest and safest thing to use!

DrJohnSmitherson    131

I see BLOWFISH and SHA512 listed. Some searches are saying that both are good. Should I use BLOWFISH?

The_Decryptor    1,105

I'd use a pre-built solution that's been tested; the good ones will use something secure (HMAC-SHA256, bcrypt, etc.) and you won't have to worry about doing something wrong and accidentally opening a flaw into your system.

threetonesun    1,205

Use crypt().


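[CODE]
if (CRYPT_BLOWFISH == 1) {
    // crypt() selects Blowfish (bcrypt) only when $salt has the form "$2y$<cost>$<22 characters>"
    $hash = crypt($password, $salt); // keep the result; this is the value to store
}
[/CODE]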

It's one way (as it should be), so you'll need to store the salt somewhere, preferably generating a random one for each user then saving it in the database with the user's record. Then when the user logs in with a username and password, you can look up the user by username, then:

[CODE]
if ($stored_password === crypt($entered_password, $stored_salt))
{
    user_login();
}
[/CODE]

Note that in the documentation for crypt() they show how to check for various encryption methods if blowfish isn't available.

  • Like 2

tim_s    42

[QUOTE]
Hey all,

What's the best/safest way right now to encrypt a password to store into a MySQL database?
[/QUOTE]

Depends on what you are encrypting!

My strategy for saving PII (Personal Identifiable Information) or PAN (Private Account Number) would be much different than just a Username / Password combination where the user cannot be identified.

AnthonySterling    11

Take a look at PHP-PasswordLib and it's worth noting that this feature has been accepted into PHP 5.5.

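The PHP 5.5 feature mentioned in the last post, as an added example that is not part of the original thread. It assumes the feature meant is the password_hash() family of functions introduced in PHP 5.5; the helper names, the cost value and the $row array standing in for the MySQL record are hypothetical.

```php
<?php
// Added example, not code from the thread. Requires PHP 5.5+ for the password_* functions.

function bcrypt_options()
{
    return array('cost' => 12); // hypothetical work factor; raise it as hardware allows
}

// Hash a new password. password_hash() generates a random salt itself and embeds
// algorithm, cost and salt in the returned string, so no separate salt column is
// needed. Note that bcrypt only uses the first 72 bytes of the password.
function make_admin_hash($password)
{
    return password_hash($password, PASSWORD_BCRYPT, bcrypt_options());
}

// Check a login attempt. Returns false on a wrong password; otherwise returns the
// hash that should be stored from now on (the same one, or a fresh one if the
// stored hash was made with an older cost).
function check_admin_login($entered, $storedHash)
{
    // password_verify() re-derives the hash from the salt and cost inside
    // $storedHash and compares the result in constant time.
    if (!password_verify($entered, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, bcrypt_options())) {
        return make_admin_hash($entered); // upgrade transparently on successful login
    }
    return $storedHash;
}

// Constructed sample data: an admin row whose hash was created with a lower cost.
$row = array(
    'username'      => 'admin',
    'password_hash' => password_hash('correct horse', PASSWORD_BCRYPT, array('cost' => 10)),
);

// A wrong password is rejected and yields nothing to store.
var_dump(check_admin_login('wrong guess', $row['password_hash']));

// The right password is accepted and the returned hash carries the current cost.
$newHash = check_admin_login('correct horse', $row['password_hash']);
$info    = password_get_info($newHash);
var_dump($newHash !== false, $newHash !== $row['password_hash'], $info['options']['cost']);
```

Store the returned string in a column wider than the 60 characters bcrypt produces today; the PHP manual suggests 255 so a later default algorithm still fits.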
