Encrypting/Decrypting Passwords to and from a MySQ

2020-07-10 10:17发布

I'm starting to create a user system for my website, and what I want to do is to have the passwords encrypted, rather than plaintext. I'm using PHP/MySQL, so I figured crypt() is a good place to start. However, I'm brand new to cryptography like this, and I'm having trouble understanding exactly how it works. Does anybody know how to implement, at the simplest level, a way for passwords to be stored as an encrypted string, but always be able to be decrypted, without a security issue?

7条回答
三岁会撩人
2楼-- · 2020-07-10 10:52

I notice people make huge deals about storing passwords.

Agreed you shouldn't store passwords as plain texts, but if you store the one way hash and get rid of the password, hackers can still using algorithms to hack a hash hashing strings and comparing.

Also, if you encrypt with an algorithm that you can decrypt later, that can also be hacked by figuring out the algorithm of the encryption.

I think as long as no one can see the users' passwords outright and you simply make it difficult for hackers you're good, but people say you shouldn't encrypt because it can be decrypted but that's not fair because anything can be hacked.

查看更多
forever°为你锁心
3楼-- · 2020-07-10 10:57

You can use md5 or better hashing technique like sha1 See password hashing http://phpsec.org/articles/2005/password-hashing.html for more details.

查看更多
迷人小祖宗
4楼-- · 2020-07-10 11:00

Passwords should be hashed, not encrypted. That is, you should not be able to decrpyt the password. Instead, you should compare hashes.

  1. User sets password $password = 'hX4)1z'
  2. You get hash of password and store to DB:

#

$pw = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);
mysql_query('INSERT INTO passwords (pw) VALUES ('$pw');
  1. Customer comes back later. They put in their password, and you compare it:

#

mysql_query('SELECT pw FROM passwords WHERE user_id = ?');
//$pw = fetch

if ($pw == hash_hmac('sha512', 'salt' . $_REQUEST['password'], $_SERVER['site_key']) {

   echo "Logged in";

}
查看更多
欢心
6楼-- · 2020-07-10 11:11

I suggest using SHA2 with a salt to store your password.

To create a SHA2 hash, use this:

$hash = hash("sha512", $password.$salt);

A salt contains some extra characters to add to your password before hasing to prevent rainbow tables (databases of passwords and it's hashes). You can create one using a unique user info (like a user_id) or just create a random one and store it somewhere. Just make sure the salt is long enough.

Don't make use of MD5 anymore; it's old. See http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities for more info.

EDIT: These are one-way hashing algoritms. You can and should not be able to decrypt a password. If you can, then there is no point in using a hash to store passwords.

查看更多
够拽才男人
7楼-- · 2020-07-10 11:11

No, there is always going to be a security issue with regards to where you store the encryption password. This is why websites never store the hash of the password and not the password itself. When someone registers at your website and they enter the password, you store the hash (MD5 or SHA1 or whatever, as mentioned above) of the password. When they log in later you again hash the password they entered (by the same method used when storing it) and compare. If the hashes are the same then the passwords are the same (with a very high probability!) Any website that lets you recover your password is an insecure website.

查看更多
登录 后发表回答