Password Encryption in PHP/MySQL

Discussion in 'PHP' started by sznczy, Jun 4, 2011.

  1. #1
    Hello!

    I use MySQL database and PHP language. There are login.php, login.html, signup.php, signup.html...

    I would like to encrypt the passwords. What shall I do? :confused:

    Could I use an asymmetric key for encryption?

    This is the login.php:

    And this is signup.php:

     
    sznczy, Jun 4, 2011 IP
  2. Sky AK47

    Sky AK47 Member

    #2
    I would strongly recommend using either md5 and/or sha1.
    Encrypt the password with one of these 2 functions before inserting them into the table in your signup.php.
    When logging in, make sure to hash the submitted password when comparing to the one in the table.
     
    Sky AK47, Jun 4, 2011 IP
  3. amazon

    amazon Peon

    #3
    I use md5, too.
    I think it's best one.
     
    amazon, Jun 5, 2011 IP
  4. Grit.

    Grit. Well-Known Member

    #4
    What you want to do is first generate each user a unique salt, then store the salt in the database for each user (unique salts make hackers unable to use rainbow tables to find passwords), then salt the password and then use a function such as sha1() or md5().

    take a read of http://php.net/manual/en/function.md5.php for more information and examples
     
    Last edited: Jun 5, 2011
    Grit., Jun 5, 2011 IP
  5. daxguy

    daxguy Peon

    #5
    Use the md5 function or sha1 function, which works all good and it's really easy as well.
     
    daxguy, Jun 8, 2011 IP
  6. techbongo

    techbongo Active Member

    #6
    Use your custom function, because hackers would always try md5() decryption randomly.
    In your custom function you can use md5() as a base of the encryption logic. A simple example is as follows:

    function encrypt_pass($username, $password){
        // md5 the username, the password and their concatenation, then md5 the three digests joined together
        $encrypted_string = md5(md5($username) . md5($password) . md5($username . $password));
        return $encrypted_string;
    }
    PHP:
    See this function, it can be easily used during registration. Again, during login, you can easily validate the raw password by converting the combination of username and password to the encrypted password. One of the most important limits of password encryption during registration is that you can't use a random string or time() dependent strings to encrypt the password. This is because you can't regenerate the encrypted password from the raw one in future (during login).
     
    techbongo, Jun 9, 2011 IP
  7. RootShell

    RootShell Well-Known Member

    #7
    I use MD5 for password encryption.
    Don't forget to ask users to enter a strong password ;)
     
    RootShell, Jun 9, 2011 IP
  8. The Webby

    The Webby Peon

    #8
    Hashing a hash is never a good idea, it does not increase security, it weakens it.
     
    The Webby, Jun 12, 2011 IP
  9. techbongo

    techbongo Active Member

    #9
    Hi The Webby
    I googled a bit on what you're saying. I found 1/2 resources (some comments of users) on some pages where similar views were written. None of them clearly explained why. If you can please explain why it's not a good idea to use md5() multiple times, it would be great.

    Anyway, I agree that using md5() twice (md5 of md5) doesn't increase the complexity of the actual encryption. My code will stop crackers from recognizing some known md5() patterns and thus the underlying common passwords like abc123 or 123456 etc.
     
    techbongo, Jun 12, 2011 IP
  10. The Webby

    The Webby Peon

    #10
    I cannot explain here in detail why, because that would be a very lengthy geek talk. So in short, if you hash a hash, it greatly increases the chance of collision.
    Let's say, for any specific hashing algorithm you have a 1 in n chance of collision; rehashing increases the chance by 2, so you have a 1 in n/2 chance. Makes sense?

    Why so colliding? :D Well, a hash string consists of only hexadecimal characters, so when you rehash the string you are effectively rehashing a base-16 (0-9, a-f) string (88 bit), as opposed to 76 characters (0-9, a-z, A-Z, + 14 special chars) (560 bit; less bytes to hash = greater chance of collision, that's how it works).

    Another thing, no matter how many times you hash it, an attacker will use brute force/dictionary attack, so he is gonna feed you the raw password+username, so no matter whether you hash it 10 times or a thousand times, you will only achieve slowing down the whole login system. Also note in this regard that in encryption (and hashing) bit value is more important than the actual length of a key. An 8-character-long but 560 bit key is more secure than an 8-character-long 88 bit key.

    Lastly, to ensure increased security, you might consider using a unique salt for each user, and use it when hashing the password. A unique salt makes it almost (with an emphasis on almost) impossible for anyone to launch a successful brute force or dictionary attack.

    So instead of
    $encrypted_string = md5(md5($username) . md5($password) . md5($username . $password));
    PHP:
    You are better off with
    $encrypted_string = md5($password.$username.$unique_salt);
    PHP:
     
    Last edited: Jun 12, 2011
    The Webby, Jun 12, 2011 IP
    techbongo likes this.
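    The per-user-salt scheme recommended in #4 and #10, as an added example that is not any poster's code: it uses PHP's later built-in password_hash()/password_verify() (PHP 5.5+, written here with PHP 7.1+ type hints), which generate and embed a unique random salt per user and use a deliberately slow hash (bcrypt) in place of md5(). The users table, its column names and the sample credentials are assumptions for the demo.

```php
<?php
// Added example: signup and login helpers for the thread's per-user-salt scheme,
// using password_hash()/password_verify() (PHP >= 5.5) instead of md5().
// The returned hash string embeds algorithm, cost and a random per-user salt,
// so no separate salt column is needed. Table/column names are assumed.

// Signup: store only the hash, never the raw password.
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, fresh random salt
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: fetch the stored hash and let password_verify() redo the salted hash
// and compare it in constant time.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run the verify even when the user does not exist, so "unknown user" and
    // "wrong password" take about the same time and cannot be told apart.
    $stored = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored);

    // Transparently upgrade old hashes when the default cost/algorithm changes.
    if ($ok && $row && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return $ok && (bool) $row;
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register_user($db, 'alice', 'correct horse battery staple');

var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, 'alice', 'abc123'));
var_dump(check_login($db, 'mallory', 'abc123'));
```

    Because the salt lives inside the stored string, two users with the same password get different rows, which is the rainbow-table defence #4 describes.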
  11. techbongo

    techbongo Active Member

    #11
    Reps added and thread bookmarked!!
     
    techbongo, Jun 12, 2011 IP
  12. The Webby

    The Webby Peon

    #12
    Thanks mate, I also suggest that if you want to learn more about PHP security, there are two very useful books

    * Pro PHP Security 2nd edition by Chris Snyder and others (2010)
    * Essential PHP Security By Chris Shiflett (2005)

    Both books are very good and go into details on PHP security.

    Additional read:
    Cryptography For Dummies by Chey Cobb (2004)
     
    The Webby, Jun 12, 2011 IP
  13. Antibruteforce

    Antibruteforce Peon

    #13
    You could consider using LoginWall.

    Free, easy-to-install anti-brute-force solution.

    www.loginwall.com
     
    Antibruteforce, Jul 3, 2011 IP
  14. dsoft

    dsoft Greenhorn

    #14
    Thanks Antibruteforce, I will try your solution.
     
    dsoft, Jul 8, 2011 IP