Passwords and PHP

Anon

What is the best method to encrypt passwords?

Scenario: Login via a form, compare with database, successful login!

Many Thanks

tupawk

You would have to use a secure server to encrypt the form data being sent. You could also use sessions to manage the login.

Anon

OK Sorry for Non SSL sites, should I use

MD5 or Crypt or both or what?

[deleted]

If you can't use SSL you can't encrypt the password befiore you send it to the server, so you're stuck with plaintext for sending the password.

Depending in how secure your database is, you can use just about every encryption you like.
Just remember that some encryption methods are one-way,
so if you store only the encrypted password, you can get the password back out to send to the user when he/she forgot the password for example.

jc94062

alternativly if they forget it update the password to a radomly generated password, mail them this and get them to change it.

Anon

why not use same salt while crypt()'ing for encryption and decryption. that way we can get the password back the way it was.

or am i not on the line??

jc94062

True you can, but if you want to use something like md5, which is probably the easiest, then its only one way.

Anon

First:
You don't ned SSL to encrypt or use encrypted passwords on your database. (BTW the encryption used by Secure Servers are NOT under your control anyway).
Second:
Your PHP should be installed with the modules needed to use MD5 or crypt(). If you have both, you can use whichever you want. I do prefer crypt() because I can use a text "seed" to generate the encription that, but maybe there's nothing special about it.

To use encrypted passwords you should:
1.When register a new user, encrypt the user password and store it that way in the database.
2.In your login form, define it's action to a login evaluation page. In that page:
3.Encrypt the password that the visitor just wrote using the same encrypt method you used in the registering process.
4.Get the password that is stored in your database for that user.
4.Compare the two strings, if they match, let him/her in. If not... well, you know what to do hehehe
5.Put a sleep() of 1 second or so before get back to the input form in case psswords do not match. This little delay is almost not noticeable for a human being, but in case someone try to use a brute force progy to get access to your restricted area, this 1 second delay could make this wannabe hacker process take days or even weeks.

Be aware that this method is far different from use a SSL connection, and that despite the encryption process, in a normal server all comunication between your users and the server is in plain text.