On Thu, Aug 4, 2011 at 10:31 AM, Donovan Brooke <lists@xxxxxxx> wrote:

> Alex Nikitin wrote:
> [snip]
>
>> Also you shouldn't actually encrypt passwords, the proper way to store them
>> is hashed, so that if someone grabs your database, they don't have your
>> passwords, even if they have the "key".
>
> Hello, since this thread is about "studying mcrypt"...
>
> In another language, for a "top security with the ability to retrieve data
> situation", I use a method that stores an encrypted key, but then also, the
> entire "pages" are encrypted as well, with a separate utility, where I only
> know the key. Think of it as compiling your software, only it is not
> compiling, it's encrypting, and it's then able to run as if it were compiled.
>
> The end result is that the key to any encrypted sensitive info does not
> reside on the server, it resides with me on my local system... thus the
> passwords are safely encrypted, yet I can retrieve them manually.
>
> I don't know that PHP has the ability to run in compiled or encrypted
> form.. does it? If not, I guess a 1 way, non-key encryption would be the
> only way to be absolutely secure with saved data in PHP (such as a hash).
>
> Donovan
>
> --
> D Brooke
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

You can have multiple ways to encrypt data and store it pretty securely. For
example I had a system that would encrypt passwords for other services and
store them in the database along with an IV, the key was hard coded into the
application and salt came from the user and was never stored, this way even if
someone got my database and code, which would be a feat not for the faint of
heart, they still won't be able to get the data decrypted...

What makes your local system any less vulnerable of a point than your server?
If anything, it's more vulnerable and failure-prone, so unless I'm not getting
something, that seems like a poor design decision (I'm sorry).

There is code obfuscation with PHP, and you can compile it into C++ with
HipHop for PHP for example...

--
The trouble with programmers is that you can never tell what a programmer is
doing until it's too late. ~Seymour Cray
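
Added example, not part of the original message or of either poster's code: the storage scheme described in the reply above (ciphertext and IV in the database, key in the application, a user-supplied value that is never stored), written in PHP. It uses AES-256-GCM from the openssl extension in place of mcrypt, which was removed from PHP core in 7.2; the PBKDF2 step, the constant and the function names are assumptions, since the message does not say how the key and the user's value are combined.

```php
<?php
// Added illustration; constant and function names are hypothetical.
// Placeholder only: a real deployment would load a random 32-byte value.
const APP_KEY = 'constructed-demo-application-key';

// Combine the hard-coded application key with the user-supplied value, which
// is never written to the database. Using PBKDF2 here is an assumption.
function derive_key(string $userSecret): string
{
    return hash_pbkdf2('sha256', $userSecret, APP_KEY, 100000, 32, true);
}

// Returns the value for one database column: base64(iv || tag || ciphertext).
function encrypt_service_password(string $plain, string $userSecret): string
{
    $iv  = random_bytes(12); // fresh 96-bit IV per record, stored beside the data
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', derive_key($userSecret),
                           OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or null when the user value is wrong or the row was altered.
function decrypt_service_password(string $stored, string $userSecret): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 28) {
        return null; // too short to hold a 12-byte IV, a 16-byte tag and data
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', derive_key($userSecret),
                           OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values.
$row = encrypt_service_password('smtp-relay-password', 'value the user types at login');
var_dump(decrypt_service_password($row, 'value the user types at login'));
var_dump(decrypt_service_password($row, 'a different value'));
```

With the database and the source code but not the user's value, an attacker has to guess that value through 100000 PBKDF2 iterations per attempt, and the GCM tag makes a wrong guess or a modified row fail cleanly instead of returning garbage.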