Using md5() or crypt(), is that make a big difference ?! No...

absynthe

md5($mypassword) generate a hash of my password, a 32-character hexadecimal number.
md5() isn't really encryption in it's traditional sense, but a one way process to validate data.

crypt($mypassword, $salt) encrypts my password using the apropriate encryption algorithm based on my salt size.
(if my salt has 2 characters, Standard DES is used, if my salt has 12 characters, MD5 encryption is used...)
Is crypt() supposed to be better practise to crypt data like passwords to store it in my database ?!
Using crypt(), salt is always given in my crypted password as the first characters of the string.
(for example, if I used Standard DES algorithm, salt would be the 2 first characters of my crypted password).
If we suppose some hackers has acces to my database and has "skills and right tools" to find out my password, it won't make a "really big" difference using either md5() or crypt() as
he 's got salt from first characters of my crypted password string if I used crypt(),
and from that, he could easly guess which crypt algorithm I used for crypt() to hack my password.
Am I right ?!
I can generate random salt but it won't help much to secure my password,
it is just good practise for database handling so one user will never has same crypted password than another, even if their passwords are the sames.
I understand that using SSL is the way to go if you want to have a more secure transaction process, but it wasn't here the purpose of my interest, I was
just trying to understand which method from md5() and crypt() is best for storing password securely in my database.
I could use some tricks too like using crypt($mypassword, $salt) and then make a smart algorithm to hide salt.
I'm not a PHP, MySQL and security expert, so please your comment are welcome !!

altexis

well.... you are not in the right direction at all

md5() and crypt() is producing a one way hash
if you want to encode/decode you have to use the functions under the Mcrypt function group in www.php.net

don't be confused that crypt() uses DES like mechanisms to create hashes, they are still hashes, not encryption function.

I'll try to give you a simple example:

Encryption/Decryption algorithms (eg. DES, TwoFish, Rijndael etc):
original text = "this is my text" > encryption produces: 23AB340BD3498F3 > decryption produces: "this is my text"

Hashes (eg. md5, md4, tiger, RipeMD, SHA):
original text = "this is my text" > hash produces: 23AB340BD3498F3
(there is no turning back!!)

People use md5 to store passwords not data. The idea is that someone enters a password and the server instead of the original password stores the md5 hash of the password. So if ANYone attempts to steal passwords s/he will fail because all s/he will find is hashed passwords. Only the user knows the original password which if it is hashed it will produce what the server has stored.

So read about the functions in the Mcrypt function group and amongst the various encryption block methods you will find, I would suggest you to use the simple CBC mode ( mcrypt_cbc() ). I would also recommend you not to choose DES. Choose Rijndael, Twofish, Blowfish or 3DES at worst.