Password Encryption

[ledeanio]

Hiya all,

I swear I'm obsessed with passwords and encryption. The question I have is, is there anything stronger and better than MD5 password encryption. The reason I ask is that some people frown on MD5 (some fussy clients) and was wondering if I could use anything else within PHP.

Ta in advance,

[unplugged]

Well the first thing to remeber is that MD5 is NOT an encryption method is simply a hashing tool.

If you take 1 byte or 1GB and run it though MD5 you will get 32Byte string. The clincher is that it is possible for the 1 byte string and the 1GB file to have the SAME hash.

Although it is unlikly as there are billions of combinations.

MD5 is usually acceptable for storing password hashes and comparing user entry to see if they have provided the correct password however another one you may try is SHA1
http:// uk2.php.net/sha1

[Sayonara]

If you are storing passwords in a MySQL database, the solution with the best simplicity/strength tradeoff is to use the built-in AES_ENCRYPT() function.

Refer to the manual, it is quite simple!

You can also use this to encrypt data used in your PHP scripts, in the same way that you can use MySQL to perform mathematical operations.

[brouwer]

A tip for encrypting passwords: use the username as a seed, i.e. append the username to the password before encrypting; If you do, it's even more difficult that someone can guess/get a password, because now, the encrypted value depends not only on the password, but also on the username!

[ThePants999]

The idea of "salting" a password with something user-specific is actually a bit more involved than that. The idea is that, if users A and B had the same password and someone was able to get hold of the hashed passwords, if they knew A's password then they'd spot that B had the same hash and hence probably the same password. Salting the password with something unique to that user prevents this problem.

[paul]

SHA-1 seems slower than MD5, but it get in larger message that make it more resistant to brute force attacks. You may also consider to Java code that implements one-way hash algorithm, for more detail on this type of pattern google search for "java singleton pattern".

[sanderson]

Quote:

Originally Posted by ledeanio

... was wondering if I could use anything else within PHP.

Yes Ledeanio, surely you can use crypt() available within PHP. Have you ever tried it. It works same as md5(), One-way string encryption (hashing). The only difference is that md5() support md5 algorithm only while crypt() supports DES, Blowfish and MD5 (it depends on which system PHP is built on).

[brouwer]

Quote:

Originally Posted by sanderson

Yes Ledeanio, surely you can use crypt() available within PHP. Have you ever tried it. It works same as md5(), One-way string encryption (hashing). The only difference is that md5() support md5 algorithm only while crypt() supports DES, Blowfish and MD5 (it depends on which system PHP is built on).

Don't use a single DES, it's easy to crack such an encryption.