md5 is also a one-way encryption.

crypt also provides 300*10^21 possible values, whereas md5 provides a possible 63*10^48, or 63000000000000000000000000000 * 10^21 possible values. A little bit better security I'd say.

Crypt is fine, md5 is better (a lot better by the numbers).

The salt doesn't matter -- it is part of the password. The first iteration, the salt is 8m. The next one is v9. The first two chars are the salt used, so the salt really doesn't make things more secure.

If you are storing the crypt value, you have to first select the value from your DB, get the first two chars (8m for this example) and do crypt($form['password'], "8m") in order to get 8m7UxPXfRw7/2 from crypt. With md5 you just say "md5($form['password'])" and send it to your select statement and see what happens.

To answer your question, md5 is easier and more secure; however, your system is only as secure as your password, and if your password is "password" (one of the most popular passwords in the world) neither md5 nor crypt nor the best encryption will help you.

Peter

On Tue, 24 Jun 2003, Hutchins, Richard wrote:

> I already admitted that this stuff was mostly over my head. However, I
> started messing around with it a bit and would like to know if the crypt()
> function would help Jerry out?
>
> I tried md5('password') twice in a row and it did return:
> 5f4dcc3b5aa765d61d8327deb882cf99
> 5f4dcc3b5aa765d61d8327deb882cf99
>
> Then I tried crypt('password') in a 10-step loop and got this:
> 8m7UxPXfRw7/2
> v9iuCQikPaf7w
> MwV8vcCiqrRbM
> lpf02L./2VtiU
> KRkddkPGedm2.
> LDMEpQwJgY.Mo
> 2HW51zTN93I9Y
> hyONnFjRN/9bM
> W9NKVzVgJ9kLM
> nNany7wy2drdQ
>
>
> The code for all of the above if anybody is interested:
>
> <?php
> echo md5('password')."<br>";
>
> echo md5('password')."<br><br>";
>
> echo "CRYPT with password<br>";
> // No salt argument: PHP generates a random salt on each call.
> for($i=0;$i<10;$i++){
>     echo crypt('password')."<br>";
> }
> ?>
>
> PHP.NET states that there is no decrypt function since crypt() is a one-way
> encryption. And given that, by default, it uses a random salt generated by
> PHP, why is this not as secure as an MD5 encrypted password? Of course, all
> of this is based on the supposition that the database is properly secured.
>
> I am, by no means, arguing with any of the advice already offered regarding
> the MD5 question. However, if what you're looking for is a different
> encryption result for the same password, crypt() seems to do it.
>
> Can somebody explain if this is less secure or less-preferable than MD5?
> Even if one were able to decipher the algorithm PHP uses for a crypt()
> operation, the salt is supposedly random so having the encryption algorithm
> would not be all that useful.
>
> Am I totally missing something here?
>
> Rich
>
> > -----Original Message-----
> > From: Matt Schroebel [mailto:MSchroebel@hsus.org]
> > Sent: Tuesday, June 24, 2003 9:52 AM
> > To: JeRRy
> > Cc: php-db@lists.php.net
> > Subject: RE: md5 question!
> >
> > > -----Original Message-----
> > > From: JeRRy [mailto:jusa_98@yahoo.com]
> > > Sent: Tuesday, June 24, 2003 9:50 AM
> > > To: bbonkosk@tampabay.rr.com; php-db@lists.php.net
> > > Subject: Re: md5 question!
> > >
> > > So with md5 I can
> > > retrieve the passwords back to the user if they lose
> > > them via email.
> >
> > No, you can't. You'll need to generate a new password, md5 it, store it
> > & mark it expired, timestamp it so it's only valid for, say, 30 minutes,
> > email it, and finally, force the person to choose a new password when
> > they sign in.
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------
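
Added example, not part of the thread: the two login checks discussed above side by side, with the stored crypt() value passed back as the salt argument (crypt() reads the salt from the leading characters of that argument). The account names and rows are constructed sample data, and password_hash()/password_verify() at the end is PHP's later built-in API (PHP 5.5+), which postdates this 2003 exchange.

```php
<?php
// Added illustration; account names and rows are constructed sample data.

// Unsalted md5(): the digest depends only on the password.
function md5_matches(string $password, string $stored): bool
{
    return hash_equals($stored, md5($password));
}

// Salted crypt(): the stored value begins with its own salt, and crypt()
// reads the salt from the start of its second argument, so the whole stored
// string can be passed back in without slicing off the first two characters.
function crypt_matches(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Two constructed accounts that chose the same password.
// "8m" and "v9" are the first two salts in the thread's crypt() output.
$rows = [
    'alice' => ['md5' => md5('password'), 'crypt' => crypt('password', '8m')],
    'bob'   => ['md5' => md5('password'), 'crypt' => crypt('password', 'v9')],
];

foreach ($rows as $user => $row) {
    printf("%-5s md5=%s crypt=%s\n", $user, $row['md5'], $row['crypt']);
}

// Compare the stored columns across the two accounts: the md5 values are
// derived from the password alone, the crypt values from password plus salt.
var_dump($rows['alice']['md5'] === $rows['bob']['md5']);
var_dump($rows['alice']['crypt'] === $rows['bob']['crypt']);

// Verification for each scheme, with a correct and an incorrect password.
var_dump(md5_matches('password', $rows['alice']['md5']));
var_dump(crypt_matches('password', $rows['bob']['crypt']));
var_dump(crypt_matches('passw0rd', $rows['bob']['crypt']));

// PHP 5.5+ wraps salt generation, storage and comparison in one API.
$hash = password_hash('password', PASSWORD_DEFAULT);
var_dump(password_verify('password', $hash));
```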