Hi all !

I want to store user passwords in a database, but not like before where they were stored as is (plain text). Since I am webadmin, I really don't need to know their passwords even as I am checking user records in the user table. I want to keep them encoded instead, and have a way to compare them against user typed plain text equivalents. Which functions suit me ?

I tried to play with crypt but I cannot reverse the encrypted string.

    Hi,

    Use mcrypt instead in this case. But it might be better to use md5 and to give the users some kind of "forgot password ?" function that creates a temporary password that can be changed by the user.

    Thomas

      You don't have to reverse the encrypted password to authenticate a user.

      First figure out which encryption you want to use. I use md5, which is not an encryption algorithm but more of a message digest. But pretty secure as far as user authentication is needed.

      Add user to database:

      $query = "INSERT INTO user VALUES ('DummyUser',md5('DummyPassword'))";

      And then for matching the password use:

      $password = md5($password); // form variable, convert it to the equivalent md5 hash

      $query = "SELECT * FROM user WHERE username='".mysql_real_escape_string($username)."' AND password='".$password."'";

      Just to make sure that password is secure against brute force attack, ensure that minimum length for password is 6 and set the field size in db for password to 60.

      OR you can use SSHA algorithm:

      use HashPassword($password) before saving the password in database

      //code to validate
      $sql = "SELECT * FROM user WHERE username='".mysql_real_escape_string($username)."'";
      $result = mysql_query($sql);
      if(!$result){
          die("Error executing sql: ".mysql_error());
      }

      // false when no row matches the username
      $fields = mysql_fetch_assoc($result);

      if($fields && ValidatePassword($password,$fields["password"])){
          //session start
      }else{
          //clear session
          //relogin
      }

      function HashPassword($password)
      {
          mt_srand((double)microtime()*1000000);
          // derive a 4-byte salt from the password and 8 random bytes
          $salt = mhash_keygen_s2k(MHASH_SHA1, $password, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
          // stored value: "{SSHA}" + base64(SHA1(password + salt) + salt)
          $hash = "{SSHA}".base64_encode(mhash(MHASH_SHA1, $password.$salt).$salt);
          return $hash;
      }

      Source code to validate SSHA passwords...
      //$password = user entered password
      //$hash = password stored in database.
      function ValidatePassword($password, $hash)
      {
          $hash = base64_decode(substr($hash, 6)); // strip the "{SSHA}" prefix
          $original_hash = substr($hash, 0, 20);   // SHA-1 digest is 20 bytes
          $salt = substr($hash, 20);               // the rest is the salt
          $new_hash = mhash(MHASH_SHA1, $password . $salt);
          if (strcmp($original_hash, $new_hash) == 0)
              return true;
          else
              return false;
      }
      ... be sure to clear your session data.
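
Added example, not code from any poster in this thread: a PHP 7.1+ verifier that accepts the two stored formats discussed above (bare md5 hex and `{SSHA}`) without ever reversing them, using a constant-time comparison. It goes beyond the thread in one respect: on a successful login it produces a `password_hash()` replacement so legacy records can be migrated. The function names `ssha_hash`, `verify_stored` and `check_login` are hypothetical.

```php
<?php
// Added example, not from the thread; ssha_hash, verify_stored and check_login are hypothetical names.

// Build a {SSHA} value in the thread's layout: base64(SHA1(password . salt) . salt).
function ssha_hash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_bytes(8);            // CSPRNG salt instead of mt_rand()
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Check a typed password against a stored {SSHA}, md5 hex or password_hash() value.
function verify_stored(string $password, string $stored): bool
{
    if (strncmp($stored, '{SSHA}', 6) === 0) {
        $raw = base64_decode(substr($stored, 6), true);
        if ($raw === false || strlen($raw) <= 20) {
            return false;                        // malformed base64 or no salt present
        }
        $digest = substr($raw, 0, 20);           // SHA-1 digest is 20 bytes
        $salt   = substr($raw, 20);              // everything after it is the salt
        return hash_equals($digest, sha1($password . $salt, true));
    }
    if (preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1) {
        return hash_equals($stored, md5($password));   // legacy unsalted md5
    }
    return password_verify($password, $stored);  // value created by password_hash()
}

// Returns [login ok?, replacement hash to store or null if none is needed].
function check_login(string $password, string $stored): array
{
    $ok  = verify_stored($password, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [$ok, $new];
}

// Constructed sample records, reusing the thread's dummy password.
$records = ['md5' => md5('DummyPassword'), 'ssha' => ssha_hash('DummyPassword')];
foreach ($records as $kind => $stored) {
    [$ok, $new] = check_login('DummyPassword', $stored);
    [$bad]      = check_login('wrong-guess', $stored);
    $newOk      = $new !== null && verify_stored('DummyPassword', $new);
    printf("%-4s ok=%s wrong=%s upgraded-hash-verifies=%s\n", $kind,
        var_export($ok, true), var_export($bad, true), var_export($newOk, true));
}
```

The caller writes the second element of the returned array back to the user's row when it is not null, so each account leaves the legacy format the next time its owner logs in.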

        md5 is fine with me.

        How can I get the original password string when I already (only) have the md5 version ?

          You can't ... at least not easily 😉

          Don't use md5 if you really want to be able to get the original password back.

          Thomas
