How to encrypt user info with php
Posted by Stefan on June 16th, 2008 at 02:22pm
If you run a serious website where you store login information for your members in a database, it is generally a very good idea to perform some kind of encryption on these passwords, to prevent the information from being shared in case your database is hacked.
Encryption is very easy to do with PHP; in fact, all you need to perform a “one way encryption” is the function crypt(). As an example, say that we have the variables $user and $password and we want to encrypt the $password variable before we store it in the database. To do this we use the following function:
$crypted_pass = crypt(md5($password),md5($user));
What this does is generate an encrypted string from the md5-encoded $password, with the $user string as the security salt, and voilà, we have an encrypted string ready to be saved to the database. This string cannot be decrypted, so if we want to use it to verify that someone typed the correct password for a specific user, we need to encode the input in the same way and compare it to the encrypted password.
$try_password = crypt(md5($password), md5($user));
if ($crypted_pass == $try_password) {
    echo "success";
} else {
    echo "wrong password";
}
Now, with the passwords encrypted, we will buy enough time to be able to change everyone's user info in case the database is hacked and the information leaked.
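As an added example (not code from the original post), here is the post's scheme beside PHP's built-in password API, password_hash()/password_verify() (PHP 5.5 and later), which generates a random per-user salt and embeds it in the stored string. The check function accepts an existing row in the post's format and hands back a replacement hash, so stored rows can be upgraded the next time each user logs in; the user name and password values are constructed for the demo.

```php
<?php
// Added example, not code from the original post. legacy_hash() is the
// post's scheme; the rest uses PHP's built-in password API (PHP 5.5+),
// which generates a random per-user salt and stores it inside the hash,
// so the hash no longer depends on the username.

// The post's scheme, kept only so existing rows can still be recognised.
function legacy_hash(string $user, string $password): string
{
    return crypt(md5($password), md5($user));
}

// Hardened storage: bcrypt with a PHP-generated salt embedded in the string.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Check a login attempt against whatever is stored for this user.
// Returns [bool $ok, ?string $replacement]; $replacement is non-null when
// the stored row should be overwritten (legacy format or outdated cost).
function check_login(string $user, string $password, string $stored): array
{
    $algo = password_get_info($stored)['algo'];
    if ($algo === null || $algo === 0) {           // not a password_hash() string
        // hash_equals() compares in constant time, unlike the == in the post.
        $ok = hash_equals($stored, legacy_hash($user, $password));
        return [$ok, $ok ? store_password($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return [true, $stale ? store_password($password) : null];
}

// Constructed demo values, not real credentials.
$user = 'alice';
$row = legacy_hash($user, 'correct horse');      // a row as the post would store it
[$ok, $upgraded] = check_login($user, 'correct horse', $row);
var_dump($ok, $upgraded !== null);               // legacy row check; caller should save $upgraded
[$ok2] = check_login($user, 'correct horse', $upgraded);
var_dump($ok2);                                  // same password against the bcrypt row
[$bad] = check_login($user, 'wrong', $upgraded);
var_dump($bad);                                  // wrong password against the bcrypt row
```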
10 Comments for How to encrypt user info with php
1. webdesign brno | July 1st, 2008 at 8:36 pm
well i want my password to be protected !
2. Brandon | July 2nd, 2008 at 6:39 pm
Good tutorial, but it’s generally not a good idea security wise to tell the user that their username/password is wrong. If an attacker is brute forcing, when you just say ‘wrong password’ he’ll know he has a valid account. It’s always best to have your error messages and error pages be 100% the exact same no matter what.
3. christoph | July 2nd, 2008 at 8:47 pm
Correct me if I am wrong, but you will never be able to login when you once change the username, as the password is an encrypted combination of username and pwd.
/C
4. Stefan | July 2nd, 2008 at 8:50 pm
Brandon: Thanks and you are right. The error message is really only for testing and for a real site you should probably do as you suggest.
Christoph: True, most sites don’t have a reason to change the username though. But if you would want to be able to change the username at will you should not use the username as SALT for the encryption.
5. Scott | July 4th, 2008 at 5:33 am
Or you just reset their password when they change their username too. Odds are your script is going to update username and password at the same time anyways.
Also, any reason why you chose crypt and md5 together? Just curious
6. Mark | July 4th, 2008 at 6:47 am
For added security you should add salt anyways. :)
7. Weekend Link Roundup: Wee… | July 4th, 2008 at 6:50 am
[...] How to encrypt user info with php - Something I didn’t think about when I wrote my article about hashing stored passwords was adding the username of the hash. This along with salt creates a stronger hash. [...]
9. vishlal parmar | July 22nd, 2008 at 9:59 am
a good tutorial for the novice learner like me
10. Vahur | July 29th, 2008 at 9:32 pm
Salt is a good idea, but I also would not use username for it.