While entering the password, I need to encrypt the password, and I want to submit it to the database so that whenever I am seeing the password it should be in the encrypted manner.
Depending on the database you're using, you could use the built-in encryption. So if you're using MySQL, maybe use this:

    UPDATE users SET password=md5('thepassword') WHERE user='theuser';

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html
I would recommend using PHP's md5() function (possibly even use it twice on the same password / include a salt). The reason is that MySQL is a bit more clunky on resources than PHP. In the end the difference is negligible, though.
I would recommend md5() in PHP. It's really easy to use. You could use two encryption algorithms in a row for better encryption. Just don't forget to make a "Password reinitialization form" or something like this, because you'll never be able to get back the password!
You can also use the base64_encode and base64_decode functions. Some think that encoding the password only one way in the database is irrelevant. If someone hacks your system and sees the passwords, it would not matter if you have md5 or sha1 encoded passwords; he would have access to all data anyway. Also, by using base64_encode you could easily get back the password when the user forgets it. I don't think this is bad practice. A lot of big sites keep the password in a way that it can easily be retrieved, not reset. Yahoo comes to my mind first.
Yeah.... So my database gets hacked. I have 5,000 users, all with a username, password and email along with other information. It becomes quite obvious all the passwords are base64_encoded. So what does the guy do? He now has all 5000 passwords for the users. He has their emails, so now he can check other services and steal those accounts as well. Sure, you can eventually get the passwords to accounts in sha1 or md5, but it sure isn't going to be that feasible to be doing it for every single account in the database in any reasonable amount of time. Yahoo is a unique situation, and just because they do it that way does not mean you should be. You are at a much higher risk of having your database stolen, or if you have software you're giving to others, then even more reason to use a one-way system. The chances of someone getting into Yahoo's file system are very slim. Even so, I imagine they have built their own two-way system, which obviously the person would not get a hold of very easily.
Inflow, you are making 2 assumptions here:
1) Your hacker was able to get in the system. And if that happens he can't know how the passwords are coded. If he was able to get in and corrupt your system, finding other people's passwords would be your least worry. You can get in all kinds of trouble worse than that.
2) If that user has the same password on all internet accounts, it's his risk he is taking.
BTW, I don't support this practice; as I said, "Some think..." I was only trying to give the discussion another angle.
A hacker gets into your system and sees values like this: bXlwYXNzd29yZA== Tells us clearly it is not sha1 or md5, so hmm, what could it be. Also, if you are indeed compromised, they could very well view your source if you did not encode it. So then you end up with the guy seeing, hey, yeah, they base64_encode everything, what dimwits. I mean, if you are going to base64 encode the passwords and it's the least of your worries, why not just store it as plain text. I think the fact you leak, say, 10,000 user passwords and their emails is a big worry. You don't want visitors to trust your site again? That's a sure-fire way to do it.
Never put at risk your users' private information _including_ their passwords. Not only will you lose their trust and sympathy, but this is sometimes a matter of liability as well. So go for md5 or sha1 encryption. Good luck!
Yep, that's actually better in hashing, but it's a little bit less supported. This is more than fine:

    $password_to_be_inserted = md5($password);

And you do not need to escape it. EDIT: And for all those who do not know, MD5, SHA1, SHA256, etc. are ALL hashing methods - not encryption methods!
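
Added example, not part of any post in this thread: a PHP comparison of the storage options argued over above (base64, unsalted md5(), and a salted one-way hash), plus a login check that upgrades legacy md5 rows. It uses PHP's built-in password_hash() and password_verify(), which the thread does not mention; the function names store_password and check_login, the user names and the passwords are assumptions made for illustration.

```php
<?php
// Added example; users, passwords and function names are constructed.

// Salted, deliberately slow one-way hash (built into PHP >= 5.5).
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login against a legacy md5 row or a password_hash row.
// Returns [ok, newHash]; newHash is non-null when the stored value
// should be rewritten with a stronger hash.
function check_login(string $password, string $stored): array {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy unsalted md5 row: compare in constant time, then upgrade.
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? store_password($password) : null];
    }
    $ok = password_verify($password, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? store_password($password) : null];
}

// 1. base64 is an encoding: whoever reads the column reads the password.
//    This is the value quoted earlier in the thread.
echo "base64 column decodes to: ", base64_decode('bXlwYXNzd29yZA=='), "\n";

// 2. Unsalted md5: users sharing a password share a hash, so a single
//    precomputed lookup exposes all of them at once.
$users = ['alice' => 'mypassword', 'bob' => 'mypassword'];
$md5Rows = array_map('md5', $users);
echo "md5 rows identical: ";
var_dump($md5Rows['alice'] === $md5Rows['bob']);

// 3. password_hash: a random salt per row, so equal passwords differ.
$saltedRows = array_map('store_password', $users);
echo "salted rows identical: ";
var_dump($saltedRows['alice'] === $saltedRows['bob']);

// 4. Migrating without a forced reset: upgrade the row at next login.
[$ok, $upgraded] = check_login('mypassword', $md5Rows['alice']);
echo "legacy login accepted: ";
var_dump($ok);
echo "upgraded row verifies: ";
var_dump(password_verify('mypassword', $upgraded));

// A wrong password is rejected and produces no replacement hash.
[$bad, $none] = check_login('wrongguess', $md5Rows['bob']);
echo "wrong password accepted: ";
var_dump($bad);
```

Because the salt and cost are embedded in the string password_hash() returns, the column needs no separate salt field; a VARCHAR(255) column leaves room for future algorithms.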