Encrypting passwords.

MBK

All,
I have a user subscribe form connected to a mysql database, I need to find a way of encrypting the user password and then also being able to decrypt it.
I am currently using MD5, but I am having huge difficulties decrypting it - I don't believe it to be possible.

Does anyone have any ideas how I can get round this problem pls? 😕

Bunkermaster

straight from manual :

<?php
$password = crypt("My1sTpassword"); # let salt be generated

# You should pass the entire results of crypt() as the salt for comparing a
# password, to avoid problems when different hashing algorithms are used. (As
# it says above, standard DES-based password hashing uses a 2-character salt,
# but MD5-based hashing uses 12.)
if (crypt($user_input,$password) == $password) {
   echo "Password verified!";
}
?>

works a charm

MBK

I think I understand what u are saying,

How would I use this for the following?

I have a mysql database where I need to store the password (pref encrypted), and also a script that will decrypt the password and present it to the user if they have forgot it.

Pls Help, thanks for quick response.!

Bunkermaster

store the crypted string (be careful about size of it in D😎 and then when the user tries to log on compare string to salted crypted string as in example...

MBK

Sorry to be thick, just I need to get this right...

Based on what script you posted, I would store the $password variable in database - which would be encrypted.

The $user_input would then be the users attempted login password.

So how would I go about decrypting the password from it's encrypted state in the database to it's original form so it can be displayed on the screen?

Once again, sorry for being thick!

yelvington

The unix crypt() function is non-reversible by design. Conventionally you do NOT retrieve stored passwords for display; instead you encrypt the input and compare it with the stored encrypted version to see if it is valid.

MySQL provides a series of its own functions (in sql, not in php) that can perform various forms of encryption. Most are one-way; AES_ENCRYPT and AES_DECRYPT support encryption and subsequent decryption.

http://www.mysql.com/doc/en/Miscellaneous_functions.html

Bunkermaster

no apologies needed read new comments :

Originally posted by Bunkermaster

<?php
$password = crypt("My1sTpassword"); # let salt be generated
// you store this in DB ^
# You should pass the entire results of crypt() as the salt for comparing a
# password, to avoid problems when different hashing algorithms are used. (As
# it says above, standard DES-based password hashing uses a 2-character salt,
# but MD5-based hashing uses 12.)
// when the user is logging you get the encrypted pasword from 
//DB and you pass it as salt in the crypt function bellow using the 
//user input password as string then you compare with the DB 
//stored password. The thing is that ou never decrypt it you just 
//encrypt it with the right salt to see if it generates the same 
//encrypted string
if (crypt($user_input,$password) == $password) {
   echo "Password verified!";
}
?>

[/B]

MBK

OK, thanks.

How then would I be able to implement the following.

I have a form that lets users create their own username and password.

I then need to store them in a db, which I can do OK.

There is also a function that allows users to request their username and password if they have lost them.

I need to encrypt the password as a security measure, but how then can I decrypt it so I can email it back to the user who has requested it?

Hope this makes sense.

Thanks.

Bunkermaster

do what most people do, send a new password...

generate a random one, send it to your user, encrypt it to the DB and ask your user to change it.

MBK

Good idea, so thick at times, sorry.

How do I generate a random password?

Bunkermaster

http://www.linuxguruz.org/z.php?id=305

MBK

I have used the code reccomended at the link above and it works great - thanks a lot.

I now need to insert the new password into database.

I have

 insert into table (column) values ('newpass') where email = 'users email';

Where am I going wrong, as this isn't workin!!

Help pls.

Bunkermaster

try update instead of insert and you might be able to do something (ho and there should not be a newpass field you may want to use the regular password field)