MD5 / crypt ?

The_Chancer

Just as a thought, which is the better of the two ? Or is there another I should be looking at to encrypt for password storage ?

Producing a random 8 digit alphanumeric string (caps and non too) to encode... but I would also like to decode it at some point.

MD5 I know cannot be reversed as it is only one way, and there is another, but I can't remember it (Friday blues I think...) so any clues ?

Any help appreciated

bobthedog

Hmmm -

Ok - well obviously the most secure password storage is to crypt the password or even MD5 it. The problem being that making it a 2 way process immediately adds a whole new level of insecurity to it meaning that passwords can more easily be retrieved and decrypted from your database.

If you really want to be able to decrypt a password (and I don't really see a reason for it tbh), then you have several options.

1, Do soemthing quick and simple like base64 encode the password. Simple and easy to do, but means that any one just briefly looking at your data won't be able to read the passwords directly without doing a bit more work.

2, Write your own simple hashing script. Something that will jumble the letters up a bit but which is reversible. Although, all someone needs to do here is get hold of your decrypting PHP script and copy that, or just run the function.

3, Use an industry 2 way encyption algorithm. I'm sure there must be PHP libs for Blowfish (or something along those lines) out there already, it will just take a bit of hunting. The only problem here being that you now have to keep your keys secure in order to decrypt the passwords, as soon as someone finds your key, you've lost the security.

Anyhow - hope this helps..

The_Chancer

Well, it seems like you have said what I thought, but was not wanting to own up to... I will just MD5 and be done - as to bringing the password back - they can't !!! I'll just have to reissue another one instead... easy enough to do.

Incidentally, the BLOWFISH etc encryption is available through the mcrypt function - see THIS PAGE for the details..

Cheers for the advice though 🙂

bobthedog

No probs...

tbh - look at most secure system and all password encryption is one way (winnt/2k, *nix etc), so there must be a good reason for it.

Most of my systems work on the basis that passwords are reissued in event of failure... normally I supply a button so it can be sent out via email automagically to the user's registered email address as well (if appropriate).

Anyhow - glad it helped.

runs around celebrating his 100th post on the PHPBuilder forum, YAY!

The_Chancer

Hmmm, now that would be cunning, if only I can work out how to send the mail through the corporate Micro$oft Exchange server... any clues ? (never used the "mail" function before in PHP) - would need a little bit of changing of php.ini would it not ?

🆒 Congrats on your 100th BTW