How to encrypt user info with php
If you run a serious website where you save your members' login information to a database, it is generally a very good idea to perform some kind of encryption on these passwords, so that the information cannot be used should your database be hacked.
Encryption is very easy to do with PHP; in fact, all you need to perform a “one-way encryption” is the function crypt(). As an example, say that we have the variables $user and $password and we want to encrypt $password before we store it in the database. To do this we use the following function:
$crypted_pass = crypt(md5($password), md5($user)); // one-way hash of the password; md5($user) is used as the salt
What this does is generate an encrypted string from the md5 hash of $password, using the md5 hash of $user as the salt, and voilà, we have an encrypted string ready to be saved to the database. This string cannot be decrypted, so if we want to use it to verify that someone typed in the correct password for a specific user, we need to encode the input in the same way and compare it to the stored encrypted password.
$try_password = crypt(md5($password), md5($user)); // hash the login attempt exactly as at signup
if ($crypted_pass == $try_password) {
    echo "success";
} else {
    echo "wrong password";
}
Now, with the passwords encrypted, we buy enough time to change everyone's user info in case the database is hacked and the information leaked.
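As an added example (not code from the tutorial), here is the same crypt() scheme with a random per-user salt stored beside the hash, so the username no longer feeds the hash and can be changed freely, next to a variant that selects SHA-512 crypt through the same crypt() API. The $users array stands in for the database table, and all names and passwords are constructed.

```php
<?php
// Added example, not the tutorial's own code. $users[$name] = ['salt' => ..., 'hash' => ...]
// stands in for the database table. Assumes PHP >= 7.0 (random_bytes, hash_equals, ??).

// The tutorial's construction, with a stored random salt in place of md5($user).
// Caveat: a salt in this form makes crypt() fall back to classic DES, which keeps only
// the first 2 characters of the salt and the first 8 characters of the key (md5($password)).
function hash_password_tutorial(string $password, string $salt): string {
    return crypt(md5($password), md5($salt));
}

// Stronger variant with the same crypt() call: the "$6$" prefix selects SHA-512 crypt,
// which uses the whole 16-character salt and the whole password.
function hash_password_sha512(string $password, string $salt): string {
    return crypt($password, '$6$' . $salt . '$');
}

function register(array &$users, string $user, string $password): void {
    $salt = bin2hex(random_bytes(8)); // 16 hex characters, fresh for every user
    $users[$user] = ['salt' => $salt, 'hash' => hash_password_sha512($password, $salt)];
}

function check_login(array $users, string $user, string $password): bool {
    // Do the same hashing work for unknown users so the response time does not reveal
    // whether the account exists (the constructed fallback salt is never stored).
    $row = $users[$user] ?? ['salt' => '0000000000000000', 'hash' => ''];
    $try = hash_password_sha512($password, $row['salt']);
    // hash_equals() compares in constant time and avoids the loose comparison done by ==
    return isset($users[$user]) && hash_equals($row['hash'], $try);
}

function rename_user(array &$users, string $old, string $new): void {
    // Salt and hash do not depend on the username, so renaming keeps the login working
    $users[$new] = $users[$old];
    unset($users[$old]);
}

// Constructed sample run
$users = [];
register($users, 'alice', 'correct horse battery staple');
rename_user($users, 'alice', 'alice_new');
var_dump(check_login($users, 'alice_new', 'correct horse battery staple'));
var_dump(check_login($users, 'alice_new', 'wrong password'));
var_dump(check_login($users, 'nobody', 'anything'));
```

Since PHP 5.5 the built-in password_hash() and password_verify() functions handle salt generation, algorithm selection and comparison for you, and are the usual choice for new code.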


Well, I want my password to be protected!
Good tutorial, but it’s generally not a good idea security-wise to tell the user that their username/password is wrong. If an attacker is brute forcing, when you just say ‘wrong password’ he’ll know he has a valid account. It’s always best to have your error messages and error pages be 100% the exact same no matter what.
Correct me if I am wrong, but you will never be able to log in once you change the username, as the password is an encrypted combination of username and pwd.
/C
Brandon: Thanks and you are right. The error message is really only for testing and for a real site you should probably do as you suggest.
Christoph: True, most sites don’t have a reason to change the username, though. But if you want to be able to change the username at will, you should not use the username as SALT for the encryption.
Or you just reset their password when they change their username too. Odds are your script is going to update username and password at the same time anyways.
Also, any reason why you chose crypt and md5 together? Just curious
For added security you should add salt anyways. :)
[...] How to encrypt user info with php – Something I didn’t think about when I wrote my article about hashing stored passwords was adding the username to the hash. This along with salt creates a stronger hash. [...]
a good tutorial for the novice learner like me
Salt is a good idea, but I also would not use the username for it.
Sorry for my bad English.
Good post. Greetings from Spain.
#3 If you need to change the nick you can regenerate the hash and save it again to the database, it’s easy!
Another option is to have a string saved in your “settings.php” file and use it to generate the hash.
Nice tutorial, I'll give it a go.
Another issue you may want to consider is the effectiveness of MD5 as a hash function.
It’s recently been proven that MD5 can have ‘collisions’ and as such, should not be used to hash sensitive data. It’s a small, but significant security threat.
I recommend using the tried and tested SHA-1 hash which is far, far less likely to have any collisions. It’s been proved mathematically that SHA-1 can have collisions but as yet, no viable way of finding them has been publicly issued.
Great Tut!
when are you guys gonna add more tutorials to this site?
Thanks!
So to use this with the profile tutorial on your website, I would add the above code to the signup and login pages?
How do I add this to a site I created using your member profile tutorial? Can you please give an example? Do I add the code to the sign up and login forms? Where do I put the code?