Re: Adding encryption to passwords

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>   Hi guys I have developed an intranet web interface with user access. I am
> storing the passwords into a mysql table as raw text (I know not so secure).
> So I am adding group access features and I am thinking to encrypt the
> passwords because this seems to grow as a project although it started as a
> simple web tool.
>
> So  what do you think is  the best way to use crypt, mcrypt, hash or perhaps
> md5 and what are really the differences because I am not sure if I get it
> right.

Encryption is reversible, hashing is not. So hashing is probably the
best bet as an evil hacker will never be able to reverse them. The
process using hashes is:

1. Get the clear text password
2. Hash it
3. Store the hash and throw away the clear text version

Now when it comes to verifying a login the process is:

1. Get what the user has provided
2. Hash it (using the same as what you did when you first got the password)
3. Compare it to what you already have.

If they match, then the result is good, if not, then not. Store the
hashed version in the database, it's not reversible. You should still
be careful with it though (ie don't go around disclosing it to Mr. Joe
Hacker). BTW md5() is a form of hashing.

-- 
Richard Heyes

HTML5 Graphing for IE7, FF, Chrome, Opera and Safari:
http://www.phpguru.org/RGraph

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux