Geek Answers Handbook

Encrypt password before saving to database?

I have a password that is transferred from my iPhone application to the database via php script, user.php.

The $ pass variable is populated as follows:

$pass = str_replace("'", "", $_REQUEST['pass']);

How can I encrypt this before it is inserted into my database? I read a little about different methods, but was looking for a better way to handle this.

Thanks to everyone.

+6
php mysql password-protection
source share
7 answers

If you do not need to get the actual password value (from the encrypted database value), you can run a one-way hash algorithm on it (for example, sha1: http://php.net/manual/en/function.sha1.php ). This function will return a specific string length (hash), which cannot be used to find the original string (theoretically). It is possible that two different lines can create the same hash (called collision), but this should not be a password problem.
Example: $pass = sha1($_REQUEST['pass']);

One thing to make it safer is to add salt to the hash and run the hash function again. This makes it difficult to create a password hash with malicious intent, as the salt value is processed only on the server side.
Example: $pass = sha1(sha1($_REQUEST['pass']).sha1(" mySalt@ $#(%"));

+6
source share

Use php crypt library. Md5 is not a cipher; it is hashed.

In addition, salts your passwords. Why?

  • This answer
  • Another good answer
+7
source share

You must first create a random user salt. Then you must store this and the password hash in the database.

 $salt = md5(unique_id().mt_rand().microtime()); $pass = sha1($salt.$_REQUEST['pass']);

and save $ salt and $ pass in the database. Then, when they log in, you look at their line and check the hash:

 $user = query('SELECT * FROM `user` WHERE username = ?', array($_REQUEST['username'])); if($user) { // If the password they give maches if($user->pass === sha1($user->salt. $_REQUEST['pass'])) { // login } else { // bad password } } else { // user not found }

Creating custom salt for each account ensures that rainbow tables are useless, and anyone who breaks down on your server would have to go overboard with every password.

+2
source share

Most basic: Hash it using MD5 or SHA1

 $newpass = md5($_REQUEST['pass']);

or

 $newpass = sha1($_REQUEST['pass']);

I recently started storing a hash name, so login attempts are safe, using only hashed data for comparison.

You can "salt" the hashes with additional data, so if they are compromised, this value cannot be found (try translating some simple hashed words) .. i.e. use the entire site line to change the standard hash, for example md5("mySiteSalt!!" . $_REQUEST['pass']); or something more advanced.

+1
source share

Use crypt with some salt. For example,

 $user = strip_tags(substr($_REQUEST['user'],0,32)); $plain_pw = strip_tags(substr($_REQUEST['pass'],0,32)); $password = crypt(md5($plain_pw),md5($user));

as on http://www.ibm.com/developerworks/opensource/library/os-php-encrypt/

+1
source share

You must use SHA1 to hash your passwords for storage in the database. This is the easiest but most efficient way to store passwords:

 $password = sha1($password);

It is also extremely safe. Although its integrity is starting to creep, it's pretty easy to upgrade this feature to SHA-256 (which is incredibly safe).

0
source share

To find out why md5, sha1 and their speedy friends might not be a good idea, you should read the message Enough with Rainbow Tables: What You Need to Get familiar with Thomas Ptachek's secure password schemes . The bottom line:

Finally, we learned that if we want to store passwords safely, we have three reasonable options: the PHK MD5 scheme, the Pro-Mazier Bcrypt scheme, and SRP. We learned that the right choice is Bcrypt.

Note: this is PHK, not php.

0
source share

More articles:


All Articles