4
\$\begingroup\$

I am wanting to encrypt a password and decrypt a password using PHP. Is this a safe method?

$pass = "password"
//encrypt password
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("2ドルa$%02d$", 10) . $salt;
$hash = crypt($pass, $salt);
//decryption in second program
if(crypt($pass, $hash) == $hash){
 echo "you are in";
}
Jamal
35.2k13 gold badges134 silver badges238 bronze badges
asked Mar 27, 2015 at 9:51
\$\endgroup\$
2
  • 1
    \$\begingroup\$ You should NEVER encrypt passwords. Hash them. \$\endgroup\$ Commented Mar 27, 2015 at 16:05
  • \$\begingroup\$ 1. Don't use a fast hash; it's important to use a slow hash function. 2. security.stackexchange.com/q/211/971 covers the considerations pretty well. \$\endgroup\$ Commented Mar 27, 2015 at 18:03

2 Answers 2

6
\$\begingroup\$

As KIKO Software and the documentation for crypt said, password_hash() is encouraged. It's safer (it applies multiple rounds of hashing, thus increasing the time it takes to decrypt the hash), and it will manage salts for you, which means that your code will be simpler.

If for some reason you do not want to use password_hash, note the warning from the crypt documentation:

Warning When validating passwords, a string comparison function that isn't vulnerable to timing attacks should be used

You are not doing that, you are just using ==. hash_equals would be one such timing safe function.

answered Mar 27, 2015 at 12:01
\$\endgroup\$
1
  • \$\begingroup\$ Good point about timing attacks. \$\endgroup\$ Commented Mar 27, 2015 at 12:32
6
\$\begingroup\$

The name of the function crypt() is somewhat misleading, but you're not encrypting and decrypting. You create a hash and you check it, that's it.

It's not the best I have seen, but it is not uncommon to do it this way.

In the PHP crypt() documentation it says: Use of password_hash() is encouraged. You didn't see that? It allows you to choose an algorihtm. The PASSWORD_BCRYPT algorithm should be used. See: http://codahale.com/how-to-safely-store-a-password

I also see that you're not really using a salt in the traditional manner. Here's a nice introduction: http://www.martinstoeckli.ch/hash/en/index.php

So you're not using a salt on a per-password basis. See: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly

There's much to say about this topic. Password security is a hot topic.

One of the mistakes most programmers make is that they rely on the user to select a password. In general users are just plain bad at choosing a secure password. You can try and force them to choose one, which is probably secure, but by doing that you will only annoy the hell out of the user. The solution is quite simple: You choose the password for the user. For a site where security is not that paramount you can use simple password. A random five digit number, in combination with a email address and brute force protection, is already reasonable secure; there are a million different possible combinations. Most developers however stick to what they know.

answered Mar 27, 2015 at 10:44
\$\endgroup\$

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.