quick encrytion question

phence

i'm new to encrypting passwords and storing them into databases and retrieving them for a user who has forgotten his/her password.

Could some one breifly explain to me the differnt types of encrytion, how safe they are?

See, my problem is i am encrypting a password with the md5() fucntion. I don't really understand it, but i use it cause it's in a tutorial i was working with. Now, i saw in post before that it is impossible to decrypt a md5 password? is that true?
if it is how would i email the password back to the user if it can't be decrypted? i'm thinking about generating a random password for the user and reseting it, then e-mailing that to them.

i dunno i'm just completly ignorant of password encryption

Thank-you

epp_b

Yes, I believe MD5 is a one-way encryption algorithm (it can't be reversed).

I think mcrypt functions might have something you are looking for.

phence

hey thanks alot!
if anyone cares enough to explain how one-way encrytion works?
My ears are open. Just in lamenz terms...

dalecosp

OK, you put in a plaintext file or string, and it is transformed by an encryption algorithm into a ciphered text file or string, which seemingly has no relation to the original...simple? 🙂 If that satisfies you, don't read any more...

That'd be one way encryption. In PHP, you generally want to store things like passwords so that they can't be read. If "mypword" becomes "ekcj4.3fuddkel.vj3" via crypt() or md5(), it's not likely someone can authenticate even if they access your server's files directly, because when they type "ekcj4.3fuddkel.vj3" into your password field, it'll be wrong (it would be changed into something else by your password-checking function, because, in checking a user's password against one stored on the server, you usually encrypt the submitted password and compare it to the stored password, and if they match, set permissions accordingly).

Of course, you are talking about md5(), which is actually a hash function, and that's another issue. It's a less robust but faster method of ciphering the plaintext, but it generates a robust 'digest' using a public key encryption algorithm when used on things like email mesages. I think in PHP they just use the fast encryption, and so md5() is not considered to be as good as something like mcrypt(), which is 'reversible'. If your server has the mycrypt library, you're set up with some pretty strong stuff....

ejrhodes

It should also be noted that your password is not encrypted in any format over the wire unless you are using SSL. Hashing or using mcrypt will only make it so that someone who attacks your user store can not steal passwords that would otherwise be stored in plain text.

jpmoriarty

mathematically speaking, a one way functions is often called a "trap-door" function, and it means an operation which is very easy to do one way, but incredibly complicated (though not impossible to do the other way).

The most obvious example is telephone numbers - if i say to you "what is Mr Jones of 12 vicrotia street, london"'s teleophone number, you could go and get a phone book and look it up. (please note this is just an example!) It wounldnt be hard at all. However, if I gave you a phone number and asked who it belonged to , it wouldnt be impossible for you to look it up, but it might as well be since it would take you so long to look through all the numbers.

However, if I had a "reverse" phone book that was listed the other way around, then that would be my trap door - i would know something extra (ie having the book) that would let me break into the code very simply: ie that would be my trap door.

I cant comment on the php functions, but thought a mathematical viewpoint might help, or even just be of interest!