> Hi guys, I have developed an intranet web interface with user access. I am
> storing the passwords into a mysql table as raw text (I know not so secure).
> So I am adding group access features and I am thinking to encrypt the
> passwords because this seems to grow as a project although it started as a
> simple web tool.
>
> So what do you think is the best way to use crypt, mcrypt, hash or perhaps
> md5 and what are really the differences because I am not sure if I get it
> right.

Encryption is reversible, hashing is not. So hashing is probably the best bet as an evil hacker will never be able to reverse them. The process using hashes is:

1. Get the clear text password
2. Hash it
3. Store the hash and throw away the clear text version

Now when it comes to verifying a login the process is:

1. Get what the user has provided
2. Hash it (using the same as what you did when you first got the password)
3. Compare it to what you already have. If they match, then the result is good, if not, then not.

Store the hashed version in the database, it's not reversible. You should still be careful with it though (i.e. don't go around disclosing it to Mr. Joe Hacker).

BTW md5() is a form of hashing.

--
Richard Heyes
HTML5 Graphing for IE7, FF, Chrome, Opera and Safari:
http://www.phpguru.org/RGraph

--
PHP General Mailing List (http://www.php.net/)
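The store-and-verify steps from the reply above, as an added example that is not part of the original thread. It uses PHP's `password_hash()` and `password_verify()` (salted, deliberately slow hashing) in place of `md5()`, and also converts the existing raw-text rows the question mentions. It assumes PHP 7 with pdo_sqlite; the `users` table, its columns and the sample accounts are constructed.

```php
<?php
// Added example. Table, column and account names are constructed; SQLite in
// memory stands in for the MySQL table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');
// Existing rows as the question describes them: passwords stored as raw text.
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

// One-off migration: hash each clear-text value and overwrite it, so the
// clear-text version is thrown away.
function migratePlaintext(PDO $db): int
{
    $update = $db->prepare('UPDATE users SET password = ? WHERE name = ?');
    $migrated = 0;
    $rows = $db->query('SELECT name, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        // Rows that already hold a password_hash() value are left alone.
        if (password_get_info($row['password'])['algoName'] !== 'unknown') {
            continue;
        }
        $hash = password_hash($row['password'], PASSWORD_DEFAULT);
        $update->execute([$hash, $row['name']]);
        $migrated++;
    }
    return $migrated;
}

// Login check: hash what the user supplied the same way and compare.
// password_verify() reads the salt and cost from the stored hash to do that,
// and compares in constant time.
function checkLogin(PDO $db, string $name, string $supplied): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    return password_verify($supplied, $stored);
}

var_dump(migratePlaintext($db));                      // rows converted
var_dump(migratePlaintext($db));                      // second run: nothing left
var_dump(checkLogin($db, 'alice', 'correct horse'));  // right password
var_dump(checkLogin($db, 'alice', 'wrong guess'));    // wrong password
var_dump(checkLogin($db, 'carol', 'anything'));       // unknown user
```

In a real MySQL table the password column should be wide enough for future algorithms; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT` hashes.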