[PHP-DB] Password encryption
| Mignon Hunter 2004-03-19, 12:54 pm |
| Can anyone recommend, or does anyone have handy, a script that will encrypt passwords AND then also be able to retrieve the encrypted password.
Checking out the docs and some books has me mostly.
Thx
| |
| Doug Thompson 2004-03-19, 12:54 pm |
| On Thu, 04 Mar 2004 12:46:51 -0600, Mignon Hunter wrote:
>Can anyone recommend, or does anyone have handy, a script that will encrypt passwords AND then also be able to retrieve the encrypted password.
>
>Checking out the docs and some books has me mostly.
>
>Thx
>
Yes and no.
$pw = md5("password"); works well.
However, you cannot decrypt.
You store $pw (above) in the database and when a user wants to log in, you encrypt their entry and compare it to the value -- also encrypted -- stored in the db. If there is a match, they get in; but you have no knowledge of their password(s). Neither does anyone else who hacks in.
hth,
Doug
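
The store-and-compare flow described in the post above, as an added example that is not part of the original thread: the md5() version next to PHP's password_hash()/password_verify() (PHP 5.5+), which salts each stored password. Function names, user names and passwords are constructed for illustration.

```php
<?php
// Added example: users and passwords below are constructed sample data.

// Flow from the post: store md5(password), hash the login entry, compare.
function md5_register(string $password): string {
    return md5($password);                    // 32 hex characters, no salt
}
function md5_login(string $entered, string $stored): bool {
    return hash_equals($stored, md5($entered)); // constant-time comparison
}

// Same flow with PHP's password API: random salt per password, tunable cost.
function register(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function login(string $entered, string $stored): bool {
    return password_verify($entered, $stored);
}

// Constructed "users table": two users who picked the same password.
$users_md5 = ['alice' => md5_register('dog'), 'bob' => md5_register('dog')];
$users_new = ['alice' => register('dog'),     'bob' => register('dog')];

// Both schemes accept the right password and reject a wrong one.
var_dump(md5_login('dog', $users_md5['alice']), md5_login('cat', $users_md5['alice']));
var_dump(login('dog', $users_new['alice']),     login('cat', $users_new['alice']));

// Do two users with the same password end up with the same stored value?
// With md5() they do; with password_hash() each row carries its own salt.
var_dump($users_md5['alice'] === $users_md5['bob']);
var_dump($users_new['alice'] === $users_new['bob']);
```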
| |
| Doug Thompson 2004-03-19, 12:54 pm |
| It is a string function that returns a 32-character md5 hash of "password." MD5 is the name for a current RSA Message Digest Algorithm encryption method.
A search in the manual for md5 gets you to the little bit of information in the manual plus a link to RFC 1321 which likely provides more information than you want.
Doug
On Thu, 4 Mar 2004 15:35:52 -0500, Kevin wrote:
>Hi Doug and All,
>
>I am real new to PHP and wanted to know if you can explain the
>[md5("password");] code? Is this a set function?
>
>Thanks,
>Kevin
>
>----- Original Message -----
>
>encrypt passwords AND then also be able to retrieve the encrypted password.
>encrypt their entry and compare it to the value -- also encrypted -- stored
>in the db. If there is a match, they get in; but you have no knowledge of
>their password(s). Neither does anyone else who hacks in.
>
| |
| Trevor Gryffyn 2004-11-18, 3:56 pm |
| You can use PHP to handle the auth headers and all:
http://www.php.net/manual/en/features.http-auth.php
That might give you more flexibility than trying to dynamically set it
on the .htpassword and such.
There are a couple of ways to encrypt something. You can do it in a way
that can be decrypted and checked against what the user entered. Or
you can do a one-way encryption that uses the same method every time, so
someone enters "dog" and it encrypts into "sdlkfj".. If you do a
one-way encryption, there's no feasible way to turn "sdlkfj" back into
"dog" but if the user enters "dog" again, and you encrypt it the same
way, it'll always come out as "sdlkfj" which will match the one-way
encrypted string that you stored.
If you want to be cheesy, you can also use something like an MD5 hash on
"dog" and get whatever it gets.... Then every time someone enters "dog"
it always ends up with the same MD5 hash.
The chance of two different strings having the same MD5 hash is very
very unlikely.
Anyway, some stuff to think about. Good luck!
-TG
> -----Original Message-----
> From: Han [mailto:han@fonedream.com]
> Sent: Thursday, November 18, 2004 11:29 AM
> To: Bastien Koert; peter@westergaard.ca; php-db@lists.php.net
> Subject: [PHP-DB] password encryption
>
> Hello,
>
> I'm having a real problem and wondering if anyone can help.
>
> I need to set up htaccess and htpasswd files to authenticate users on my
> system.
> I need to do it with PHP, but can't find a way of encrypting the password so
> it works.
>
> I've used an online encrypter for testing the system, and I've got the
> .htaccess and .htpasswd files correct, but I need to programmatically
> encrypt the password in my script then write it to the 2 files.
>
> Han.
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
| |
| peter@westergaard.ca 2004-11-18, 3:56 pm |
| Quoting "Gryffyn, Trevor" <TGryffyn@air-cargo-inc.com>:
> If you want to be cheesy, you can also use something like an MD5 hash on
> "dog" and get whatever it gets.... Then every time someone enters "dog"
> it always ends up with the same MD5 hash.
How is using MD5 cheesy? I've implemented exactly that solution a number of
times. Admittedly, only for a very small site, mainly as the 'site content
update' password.
-P
ps. and on another note, why am I in the list of direct addressees here?
| |
| Trevor Gryffyn 2004-11-18, 3:56 pm |
| Hah.. Because I figured it wouldn't be an accepted solution by "real
security" people. :) I've used it too. Also used the md5_file()
function to create a duplicate file scanner for my home PC.
The only problem with using MD5 or another one-way solution on a general
site that doesn't require super-security is that when people forget
their password, you have to do a "Click this to reset your password",
have it reset to something random, then have them change it when they
log in. There's no "Send me my password" ability, which I find kind of
useful on general sites that make you log in (free registration and
such).
As for why you're in the direct mail.. I don't know. I just did "Reply
all" to the original question and you must have been in it. :)
Just enjoy the love and stop complaining. Hah.
-TG
> -----Original Message-----
> From: peter@westergaard.ca [mailto:peter@westergaard.ca]
> Sent: Thursday, November 18, 2004 12:15 PM
> To: php-db@lists.php.net
> Subject: RE: [PHP-DB] password encryption
>
> Quoting "Gryffyn, Trevor" <TGryffyn@air-cargo-inc.com>:
>
> an MD5 hash on
> enters "dog"
>
> How is using MD5 cheesy? I've implemented exactly that
> solution a number of times. Admittedly, only for a very
> small site, mainly as the 'site content update' password.
>
> -P
>
> ps. and on another note, why am I in the list of direct
> addressees here?
| |
| Php_user 2004-11-19, 8:56 am |
| Han,
You can try installing mcrypt, it gives you encryption/decryption
capabilities in PHP. It's fairly easy to install if you're running a
Windows system; I think you have to recompile php if you're on a Linux
system, and I have never been able to successfully do that. You might
look into it though, I don't quite understand why it can't be included
with the default PHP installation, or be made easier to install.
http://us2.php.net/mcrypt
-JD
Han wrote:
> Hello,
>
> I'm having a real problem and wondering if anyone can help.
>
> I need to set up htaccess and htpasswd files to authenticate users on
> my system.
> I need to do it with PHP, but can't find a way of encrypting the
> password so it works.
>
> I've used an online encrypter for testing the system, and I've got the
> .htaccess and .htpasswd files correct, but I need to programmatically
> encrypt the password in my script then write it to the 2 files.
>
> Han.
>
| |
|
| Thanks to everyone for their help.
Haven't done it yet as I'm working on someone else's server and they won't
do certain things.
I've got all the info I was lacking now, so I'm sure I can work something
out.
Han.
----- Original Message -----
From: "php_user" <php@degenova.net>
To: "Han" <han@fonedream.com>; <php-db@lists.php.net>
Sent: Friday, November 19, 2004 12:21 PM
Subject: Re: [PHP-DB] password encryption
> Han,
>
> You can try installing mcrypt, it gives you encryption/decryption
> capabilities in PHP. It's fairly easy to install if you're running a
> Windows system; I think you have to recompile php if you're on a Linux
> system, and I have never been able to successfully do that. You might
> look into it though, I don't quite understand why it can't be included
> with the default PHP installation, or be made easier to install.
>
> http://us2.php.net/mcrypt
>
> -JD
>
> Han wrote:
>
>
>
| |
| Bastien Koert 2004-11-20, 3:55 am |
| You need to understand how the htaccess file and its passwords are created.
Using mcrypt will likely lead to problems. htaccess passwords are encrypted
with the DES algorithm.
[quote http://www.edevcafe.com/viewdoc.php?eid=97]
If you wanted to write a CGI script to help you add/delete users from the
.htpasswd file, then you need to know something about the format of this
file. Each line of the .htpasswd file contains one username/password
combination that looks something like this:
Username:w8G2g305KxNd2
Note that the first 2 characters of the encrypted password represent the
SALT used by the 2-char DES encryption algorithm that produced the encrypted
string you see above. The command "crypt('password', 'w8')" in PHP4 will
produce “w8G2g305KxNd2”. Since DES encryption is a one-way encryption
algorithm, this provides us with a way to encrypt the suspect password so it
can be compared to the known password.
[/quote]
There is no need to use decrypt since that is not how the htaccess
authorization works (unless you write a custom page to check the values (and
since you can encrypt before checking) decrypt is not used)
hth
bastien
>From: php_user <php@degenova.net>
>To: Han <han@fonedream.com>, php-db@lists.php.net
>Subject: Re: [PHP-DB] password encryption
>Date: Fri, 19 Nov 2004 07:21:53 -0500
>
>Han,
>
>You can try installing mcrypt, it gives you encryption/decryption
>capabilities in PHP. It's fairly easy to install if you're running a
>Windows system; I think you have to recompile php if you're on a Linux
>system, and I have never been able to successfully do that. You might look
>into it though, I don't quite understand why it can't be included with the
>default PHP installation, or be made easier to install.
>
>http://us2.php.net/mcrypt
>
>-JD
>
>Han wrote:
>
>
>--
>PHP Database Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php
>
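
One way to write and check .htpasswd entries in the "Username:hash" format quoted in the post above, using crypt() with a 2-character salt, as an added example (not code from the thread). The function names, the temporary file and the sample users are assumptions made for illustration.

```php
<?php
// Added example: file, user names and passwords are constructed sample data.

// The 64 characters allowed in a traditional DES crypt() salt.
const SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Build one "user:hash" line with a random 2-character salt.
// Traditional DES crypt() only uses the first 8 characters of the password.
function htpasswd_line(string $user, string $password): string {
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name must not contain ":" or newlines');
    }
    $salt = SALT_CHARS[random_int(0, 63)] . SALT_CHARS[random_int(0, 63)];
    return $user . ':' . crypt($password, $salt);
}

// Check a login attempt: pass the stored hash as the salt argument so crypt()
// reuses the salt in its first two characters, then compare the results.
function htpasswd_check(string $file, string $user, string $password): bool {
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            return hash_equals($parts[1], crypt($password, $parts[1]));
        }
    }
    return false; // unknown user
}

// Write two constructed entries to a temporary password file.
$file = tempnam(sys_get_temp_dir(), 'htpw');
file_put_contents($file, htpasswd_line('alice', 'dog') . "\n", LOCK_EX);
file_put_contents($file, htpasswd_line('bob', 'cat') . "\n", FILE_APPEND | LOCK_EX);

echo file_get_contents($file);                      // the stored "user:hash" lines
var_dump(htpasswd_check($file, 'alice', 'dog'));    // correct password
var_dump(htpasswd_check($file, 'alice', 'cat'));    // wrong password
var_dump(htpasswd_check($file, 'mallory', 'dog'));  // user not in the file
unlink($file);
```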