Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Encrypt and decrypt passwords in php

Posted on 2016-09-22
7
Medium Priority
?
54 Views
Last Modified: 2016-09-22
What is the best way to encrypt a password to store in mysql databese? I mean in both ways ( encryption and decryption)?

I read about md5 is not enough since it's easly be decrypted....

What do you suggest i should do to hash passwords and decrypt it?
0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 35

Expert Comment

by:ste5an
ID: 41811555
The best way? The best way is not to store passwords. Store a salted hash instead.
1
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41811564
Hashes like MD5 and SHA are one-way functions.  MD5 takes some serious computing power to break it.  SHA takes more.  Where there is no financial reward for 'breaking' the passwords, MD5 is still used because it is good enough.

This page addresses what PHP provides: http://php.net/manual/en/faq.passwords.php  And more info: http://phpsec.org/articles/2005/password-hashing.html
0
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 1332 total points
ID: 41811567
There are 3 ways to handle credential validation: They are (in order of best to worst solution)

1. Store a hashed value using a strong hashing algorithm like SHA-256. When a user provides his/her credentials, hash the input and compare the hashes. If they match then you can authenticate the user. This is the best practice and should be used in 99% of cases.

2. Store the password in an encrypted format. When a user provides credentials, decrypt the stored value and compare it to the plain-text input. Use this only when necessary for some reason. If you have a requirement that passwords are recoverable this is the solution.

3. Store the password in plain-text. Use this method only if you're a complete idiot.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 668 total points
ID: 41811574
MD5 cannot be decrypted. Hashes are one-way functions. MD5 is considered weaker than other hashes, and you have databases out there that try to "decrypt" hashes by simply storing billions of varieties of hashes so you can find a matching one. Salting the hash refers to adding a known prefix like "Braveheartli" to the beginning of every string before it is hashed. That way, even if you do find a matching hash in some database out there, it won't work once the salting takes place because the salting makes the string different.

You should never depend on decrypting passwords. Any kind of decryption is weak. As ste5an said, use a salted hash. You can use salted MD5 or SHA1 or something stronger, but it's generally your best way to go.
0
 
LVL 1

Author Comment

by:Braveheartli
ID: 41811596
Thank you all,
So i should use salted hash and to store passwords, when i check the passwords i actually check the hash version of the password to compare if it is valid or not?

Right?
0
 
LVL 20

Accepted Solution

by:
Russ Suter earned 1332 total points
ID: 41811612
To clarify what you wrote above. You don't store the passwords anywhere. You use a hashing function with the password as your input and store the resulting hashed value. You then hash any user input in the same manner and compare the resulting hashes to determine if there is a match. The only known attack on a hash is brute force. MD5 has been around a long time and is one of the weaker hashing algorithms. SHA-256 is the preferred method these days. Regardless of which hashing algorithm you use it is guaranteed to be more secure than storing encrypted data.
0
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 41811656
Thank you all
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question