I plan on using Kohana's encryption class but is there a better and more secure way of doing a two-way processing? I want my users to be able to send requests for their previous passwords, not give them a reset one.
Any algorithms or libraries you can suggest? prticularly in PHP?
I wouldn't do two-way encryption. That's basically no encryption at all since you'll need access to the encryption key within the code so all your passwords are effectively compromised.
You should use one-way has functions like SHA1 or MD5 (SHA1 is better). When the user attempts to login, encrypt the password they used and compare it to what you've got stored.
Two-way encryption is not the way to go, because whoever holds the key to your server will basically have access to all passwords. That means if you have a disgruntled employee or admin, they could walk off with all of your user account data. Also, how are you going to secure the secret key you'll need? How will you secure the communication between the site and the user while you're giving the user the password. My advice is to not go there.
To Encrypt:
base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
To Decrypt:
rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
Still, it's preferably to hash your passwords (with salt!) and give your users a reset link, this way you'll be safe even from yourself / your eventual mistakes.
I would model it after everyone's favorite development community site.
But in all seriousness, hosting the password on your backend such that it can be retrieved and displayed to the end user opens up some security issues:
I would suggest a one-way hash (google for the best algorithm - SHA-1 was good a few years back but people are always making progress in cracking encryption algorithms). You just apply the hash to the password provided by the end user and compare it to the hashed password you have stored - if the resulting strings match you have successful authentication.
If you want to instead use a proven public key or symmetric key algorithm at least take an effort to never send the password over the network in plain text.
