Best way to use PHP to encrypt and decrypt passwords

Question

Possible Duplicate    PHP 2-way encryption  I need to store passwords that can be retrieved       I plan to store foreign account information for my users on my website  aka rapidshare username and passwords  etc    I want to keep information secure  but I know that if I hash their information  I can t retrieve it for later use    Base64 is decrypt-able so there s no point using that just plain off  My idea is to scramble the user and pass before and after it gets base64ed that way even after you decrypt it  you get some funny looking text if you try to decrypt  Is there a php function that accepts values that will make an unique scramble of a string and de-scramble it later when the value is reinputed   Any suggestions

User · Accepted Answer

You should not encrypt passwords  instead you should hash them using an algorithm like bcrypt  This answer explains how to properly implement password hashing in PHP  Still  here is how you would encrypt decrypt    key    password to  en de crypt    string     string to be encrypted       note the spaces   To Encrypt    iv   mcrypt create iv      mcrypt get iv size MCRYPT RIJNDAEL 128  MCRYPT MODE CBC       MCRYPT DEV URANDOM      encrypted   base64 encode       iv       mcrypt encrypt          MCRYPT RIJNDAEL 128          hash  sha256    key  true            string          MCRYPT MODE CBC           iv            To Decrypt    data   base64 decode  encrypted    iv   substr  data  0  mcrypt get iv size MCRYPT RIJNDAEL 128  MCRYPT MODE CBC      decrypted   rtrim      mcrypt decrypt          MCRYPT RIJNDAEL 128          hash  sha256    key  true           substr  data  mcrypt get iv size MCRYPT RIJNDAEL 128  MCRYPT MODE CBC            MCRYPT MODE CBC           iv              0         Warning  The above example encrypts information  but it does not authenticate the ciphertext to prevent tampering  You should not rely on unauthenticated encryption for security  especially since the code as provided is vulnerable to padding oracle attacks   See also    https   stackoverflow com a 30189841 2224584 https   stackoverflow com a 30166085 2224584 https   stackoverflow com a 30159120 2224584   Also  don t just use a  password  for an encryption key  Encryption keys are random strings     Demo at 3v4l org   echo  Encrypted       n   var dump  encrypted       m1DSXVlAKJnLm7k3WrVd51omGL 05JJrPluBonO9W 9ohkNuw8rWdJW6NeLNc688    echo   n    echo  Decrypted       n   var dump  decrypted        string to be encrypted

User · Answer

This will only give you marginal protection  If the attacker can run arbitrary code in your application they can get at the passwords in exactly the same way your application can  You could still get some protection from some SQL injection attacks and misplaced db backups if you store a secret key in a file and use that to encrypt on the way to the db and decrypt on the way out  But you should use bindparams to completely avoid the issue of SQL injection   If decide to encrypt  you should use some high level crypto library for this  or you will get it wrong  You ll have to get the key-setup  message padding and integrity checks correct  or all your encryption effort is of little use  GPGME is a good choice for one example  Mcrypt is too low level and you will probably get it wrong

User · Answer

Security Warning  This class is not secure  It s using Rijndael256-ECB  which is not semantically secure  Just because  it works  doesn t mean  it s secure   Also  it strips tailing spaces afterwards due to not using proper padding    Found this class recently  it works like a dream   class Encryption       var  skey    yourSecretKey      you can change it      public  function safe b64encode  string             data   base64 encode  string            data   str replace array              array  -           data           return  data             public function safe b64decode  string             data   str replace array  -       array           string            mod4   strlen  data    4          if   mod4                 data    substr          mod4                     return base64 decode  data              public  function encode  value            if   value  return false            text    value           iv size   mcrypt get iv size MCRYPT RIJNDAEL 256  MCRYPT MODE ECB            iv   mcrypt create iv  iv size  MCRYPT RAND            crypttext   mcrypt encrypt MCRYPT RIJNDAEL 256   this- gt skey   text  MCRYPT MODE ECB   iv           return trim  this- gt safe b64encode  crypttext                public function decode  value           if   value  return false            crypttext    this- gt safe b64decode  value             iv size   mcrypt get iv size MCRYPT RIJNDAEL 256  MCRYPT MODE ECB            iv   mcrypt create iv  iv size  MCRYPT RAND            decrypttext   mcrypt decrypt MCRYPT RIJNDAEL 256   this- gt skey   crypttext  MCRYPT MODE ECB   iv           return trim  decrypttext             And to call it    str    My secret String     converter   new Encryption   encoded    converter- gt encode  str     decoded    converter- gt decode  encoded        echo   encoded lt p gt  decoded

User · Answer

One thing you should be very aware of when dealing with encryption   Trying to be clever and inventing your own thing usually will leave you with something insecure    You d probably be best off using one of the cryptography extensions that come with PHP

User · Answer

Securiy Warning  This code is insecure  In addition to being vulnerable to chosen-ciphertext attacks  its reliance on unserialize   makes it vulnerable to PHP Object Injection    To handle a string   array I use these two functions   function encryptStringArray   stringArray   key    Your secret salt thingie       s   strtr base64 encode mcrypt encrypt MCRYPT RIJNDAEL 256  md5  key   serialize  stringArray   MCRYPT MODE CBC  md5 md5  key              -       return  s     function decryptStringArray   stringArray   key    Your secret salt thingie       s   unserialize rtrim mcrypt decrypt MCRYPT RIJNDAEL 256  md5  key   base64 decode strtr  stringArray   -              MCRYPT MODE CBC  md5 md5  key       0      return  s      It s flexible as in you can store send via URL a string or array because the string array is serialzed before encryption

User · Answer

Security warning  This code is not secure    working example  define  SALT    whateveryouwant      function encrypt  text          return trim base64 encode mcrypt encrypt MCRYPT RIJNDAEL 256  SALT   text  MCRYPT MODE ECB  mcrypt create iv mcrypt get iv size MCRYPT RIJNDAEL 256  MCRYPT MODE ECB   MCRYPT RAND           function decrypt  text          return trim mcrypt decrypt MCRYPT RIJNDAEL 256  SALT  base64 decode  text   MCRYPT MODE ECB  mcrypt create iv mcrypt get iv size MCRYPT RIJNDAEL 256  MCRYPT MODE ECB   MCRYPT RAND           encryptedmessage   encrypt  your message     echo decrypt  encryptedmessage

User · Answer

Check out mycrypt    http   us php net manual en book mcrypt php  And if you re using postgres there s pgcrypto for database level encryption   makes it easier to search and sort

User · Answer

The best idea to encrypt decrypt your data in the database even if you have access to the code is to use 2 different passes a private password  user-pass  for each user and a private code for all users  system-pass    Scenario   user-pass is stored with md5 in the database and is being used to validate each user to login to the system  This user-pass is different for each user  Each user entry in the database has in md5 a system-pass for the encryption decryption of the data  This system-pass is the same for each user  Any time a user is being removed from the system all data that are encrypted under the old system-pass have to be encrypted again under a new system-pass to avoid security issues

[php] Best way to use PHP to encrypt and decrypt passwords?

Examples related to php

Examples related to mcrypt

Examples related to encryption

Examples related to scramble