Hello! I use a MySQL database and the PHP language. There are login.php, login.html, signup.php, signup.html... I would like to encrypt the passwords. What shall I do? Could I use an asymmetric key for encryption? This is the login.php: And this is signup.php:
I would strongly recommend using either md5 and/or sha1. Encrypt the password with one of these 2 functions before inserting it into the table in your signup.php. When logging in, make sure to hash the submitted password when comparing it to the one in the table.
What you want to do is first generate a unique salt for each user... , and then store the salt in the database for each user (unique salts make hackers unable to use rainbow tables to find passwords), and then salt the password and then use a function such as sha1() or md5(). Take a read of http://php.net/manual/en/function.md5.php for more information and examples.
Use your custom function, because hackers would always try md5() decryption randomly. In your custom function you can use md5() as a base of the encryption logic. A simple example is as follows:

    // Combines md5 digests of the username, the password and their concatenation
    function encrypt_pass($username, $password) {
        $encrypted_string = md5(md5($username) . md5($password) . md5($username . $password));
        return $encrypted_string;
    }

See this function; it can be easily used during registration. Again during login, you can easily validate the raw password by converting the combination of username and password to the encrypted password. One of the most important limits of password encryption during registration is that you can't use a random string or time()-dependent strings to encrypt the password, because you can't regenerate the encrypted password from the raw one in future (during login).
Hi The Webby, I googled a bit on what you're saying. I found 1/2 resources (some comments of users) on some pages where similar views were written. None of them clearly explained why. If you can please explain why it's not a good idea to use md5() multiple times, it would be great. Anyway, I agree that using md5() twice (md5 of md5) doesn't increase the complexity of the actual encryption. My code will stop crackers from recognizing some known md5() patterns and thus the underlying common passwords like abc123 or 123456 etc.
I cannot explain here in detail why, because that would be a very lengthy geek talk. So in short, if you hash a hash, it greatly increases the chance of collision. Let's say, for any specific hashing algorithm you have 1 in a nth chance of collision, rehashing increases the chance by 2 so you have 1 in a n/2 chance. Makes sense? Why so colliding? Well, a hash string consists of only hexadecimal characters, so when you rehash the string you are effectively rehashing a base 16 (1-0, a-f) string (88 bit), as opposed to 76 characters (1-0, a-z, A-Z, + 14 special chars) (560 bit; fewer bytes to hash = greater chance of collision, that's how it works). Another thing: no matter how many times you hash it, an attacker will use a brute force/dictionary attack, so he is gonna feed you the raw password+username, so no matter whether you hash it 10 times or a thousand times, you will only achieve slowing down the whole login system. Also note in this regard that in encryption (and hashing) bit value is more important than the actual length of a key. An 8 character long but 560 bit key is more secure than an 8 character long 88 bit key. Lastly, to ensure increased security, you might consider using a unique salt for each user, and use it when hashing the password. A unique salt makes it almost (with an emphasis on almost) impossible for anyone to launch a successful brute force or dictionary attack. So instead of

    $encrypted_string = md5(md5($username) . md5($password) . md5($username . $password));

you are better off with

    $encrypted_string = md5($password . $username . $unique_salt);
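The per-user salt idea from the replies above, as an added example that is not part of the original thread: it uses PHP's built-in password_hash() and password_verify() (PHP 5.5+), which generate a random salt for every user and keep it inside the stored hash string, so the hash can still be recomputed at login. The $users array stands in for the MySQL table, and the function names signup() and login() are hypothetical.

```php
<?php
// Added example. $users stands in for the MySQL users table (constructed data);
// signup() and login() are hypothetical names, not code from the thread.
$users = [];

function signup(array &$users, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return false; // username already taken
    }
    // password_hash() draws a fresh random salt on every call and embeds the
    // algorithm, cost and salt in the string it returns. Store that string as
    // is (a VARCHAR(255) column leaves room for future algorithms).
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    // password_verify() reads the salt and cost back out of $stored,
    // recomputes the hash and compares the result in a timing-safe way.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT or its cost changed
    // since this user signed up.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample accounts that share the same weak password.
signup($users, 'alice', 'abc123');
signup($users, 'bob', 'abc123');

// Same password, different salts: compare the two stored strings.
var_dump($users['alice'] === $users['bob']);
// Correct password, then a wrong one, for the same account.
var_dump(login($users, 'alice', 'abc123'));
var_dump(login($users, 'alice', '123456'));
```

Because each stored string carries its own salt, two accounts with the same password do not share a hash, and a precomputed table built for one salt does not apply to any other row.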
Thanks mate, I also suggest that if you want to learn more about PHP security, there are two very useful books:
* Pro PHP Security 2nd edition by Chris Snyder and others (2010)
* Essential PHP Security by Chris Shiflett (2005)
Both books are very good and go into detail on PHP security. Additional read: Cryptography For Dummies by Chey Cobb (2004)
You could consider using LoginWall. A free, easy-to-install anti brute force solution. www.loginwall.com