Hi guys, I have developed an intranet web interface with user access. I am
storing the passwords in a MySQL table as raw text (I know, not so secure).
So I am adding group access features and I am thinking of encrypting the
passwords, because this seems to be growing as a project, although it started as a
simple web tool.
So what do you think is the best way: to use crypt, mcrypt, hash or perhaps
md5? And what are really the differences, because I am not sure if I get it
right.
Encryption is reversible, hashing is not. So hashing is probably the
best bet as an evil hacker will never be able to reverse them. The
process using hashes is:
1. Get the clear text password
2. Hash it
3. Store the hash and throw away the clear text version
Now when it comes to verifying a login the process is:
1. Get what the user has provided
2. Hash it (using the same method as when you first got the password)
3. Compare it to what you already have.
If they match, then the result is good; if not, then not. Store the
hashed version in the database, it's not reversible. You should still
be careful with it though (i.e. don't go around disclosing it to Mr. Joe
Hacker). BTW md5() is a form of hashing.
Thanks Richard for clearing this up, but I meant hashing in the first
place. I was aware of the process but I was wondering what is the best
way to do it. Can you please give a sample piece on how you do this?
PS: I will be extra careful with the terms because it really makes a
difference.
--
Thodoris
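As an added example (not code from either of the thread's participants), here is Richard's store-the-hash / hash-and-compare-on-login procedure written with PHP's built-in password_hash() and password_verify() (PHP 5.5+); the PDO connection and the `users` table layout are assumptions made for illustration.

```php
<?php
// Added example: Richard's two procedures from the thread, using PHP's
// password_hash()/password_verify(). The $pdo connection and the `users`
// table (username, password_hash) are assumed for illustration only.

// Registration: take the clear-text password, hash it, store only the hash.
function store_user(PDO $pdo, string $username, string $clearText): void
{
    // password_hash() generates a random salt and uses a deliberately slow
    // algorithm (bcrypt by default), so two users with the same password get
    // different hashes and brute-forcing a leaked table is expensive.
    // Plain md5()/sha1() are fast and unsalted, which is why they are a poor
    // fit for passwords even though they are also hash functions.
    $hash = password_hash($clearText, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
    // The clear text is never written anywhere; it simply goes out of scope.
}

// Login: fetch the stored hash; password_verify() re-hashes the supplied
// text with the salt and cost embedded in that stored string and compares.
function check_login(PDO $pdo, string $username, string $provided): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($provided, $row['password_hash'])) {
        return false;
    }

    // If the default algorithm or cost has been raised since this hash was
    // made, re-hash now, while the clear text is briefly available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($provided, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Demo against an in-memory SQLite database (constructed for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
store_user($pdo, 'thodoris', 'correct horse battery staple');
var_dump(check_login($pdo, 'thodoris', 'correct horse battery staple'));
var_dump(check_login($pdo, 'thodoris', 'wrong password'));
var_dump(check_login($pdo, 'nobody', 'anything'));
```

The stored value looks like `$2y$10$...` and already contains the algorithm, cost and salt, so no separate salt column is needed.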