PHP RSS PHP RSS

Password encoding/decoding

Reply
1 2

Join Date: Jul 2007
Posts: 23
Reputation: ezb is an unknown quantity at this point 
Solved Threads: 3
ezb ezb is offline Offline
Newbie Poster

Password encoding/decoding

 
0
  #1
Oct 15th, 2007
I am currently building an online system, it has come to the point to think about securing peoples passwords. How ever, for admin reasons I was wondering if it was possible to decode the encoded password, I believe this is not possible with md5 but hoping there is another method?

Any help would be geat, also any other information regarding safety, thanks.
Reply With Quote Quick reply to this message  
Join Date: May 2006
Posts: 1,422
Reputation: stymiee is on a distinguished road 
Solved Threads: 35
Moderator
stymiee's Avatar
stymiee stymiee is offline Offline
He's No Good To Me Dead

Re: Password encoding/decoding

 
0
  #2
Oct 15th, 2007
Here is a good PHP5 class that uses the mcrypt library for two way encryption.

php Syntax (Toggle Plain Text) 
  1. <?php
  2.  
  3. class Encryption
  4. {
  5.     static $cypher = 'blowfish';
  6.     static $mode   = 'cfb';
  7.     static $key    = '1a2s3d4f5g6h';
  8.  
  9.     public function encrypt($plaintext)
  10.     {
  11.         $td = mcrypt_module_open(self::$cypher, '', self::$mode, '');
  12.         $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
  13.         mcrypt_generic_init($td, self::$key, $iv);
  14.         $crypttext = mcrypt_generic($td, $plaintext);
  15.         mcrypt_generic_deinit($td);
  16.         return $iv.$crypttext;
  17.     }
  18.  
  19.     public function decrypt($crypttext)
  20.     {
  21.         $plaintext = "";
  22.         $td        = mcrypt_module_open(self::$cypher, '', self::$mode, '');
  23.         $ivsize    = mcrypt_enc_get_iv_size($td);
  24.         $iv        = substr($crypttext, 0, $ivsize);
  25.         $crypttext = substr($crypttext, $ivsize);
  26.         if ($iv)
  27.         {
  28.             mcrypt_generic_init($td, self::$key, $iv);
  29.             $plaintext = mdecrypt_generic($td, $crypttext);
  30.         }
  31.         return $plaintext;
  32.     }
  33. }
  34.  
  35. // Encrypt text
  36. $encrypted_text = Encryption::encrypt('this text is unencrypted');
  37.  
  38. // Decrypt text
  39. $decrypted_text = Encryption::decrypt($encrypted_text);
  40.  
  41.  
  42. ?>
Last edited by stymiee; Oct 15th, 2007 at 11:48 am.
John Conde
Brainyminds | Merchant Account Services | I Love Code
IT'S HERE: Merchant Accounts 101 Everything you need to know about merchant accounts!
Reply With Quote Quick reply to this message  
Join Date: Jul 2007
Posts: 23
Reputation: ezb is an unknown quantity at this point 
Solved Threads: 3
ezb ezb is offline Offline
Newbie Poster

Re: Password encoding/decoding

 
0
  #3
Oct 15th, 2007
Thanks alot for your help, however, I am using 4.3.9, sorry I should have mentioned this to begin with, the code you gave strictly php5?
Reply With Quote Quick reply to this message  
Join Date: May 2006
Posts: 1,422
Reputation: stymiee is on a distinguished road 
Solved Threads: 35
Moderator
stymiee's Avatar
stymiee stymiee is offline Offline
He's No Good To Me Dead

Re: Password encoding/decoding

 
0
  #4
Oct 16th, 2007
It can be changed to work with PHP 4. You just need to change the PHP 5 features to 4:

php Syntax (Toggle Plain Text) 
  1. <?php
  2.  
  3. class Encryption
  4. {
  5.     var $cypher = 'blowfish';
  6.     var $mode   = 'cfb';
  7.     var $key    = '1a2s3d4f5g6h';
  8.  
  9.     function Encryption()
  10.     {
  11.         // do nothing
  12.     }
  13.  
  14.     function encrypt($plaintext)
  15.     {
  16.         $td = mcrypt_module_open($this->cypher, '', $this->mode, '');
  17.         $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
  18.         mcrypt_generic_init($td, $this->key, $iv);
  19.         $crypttext = mcrypt_generic($td, $plaintext);
  20.         mcrypt_generic_deinit($td);
  21.         return $iv.$crypttext;
  22.     }
  23.  
  24.     function decrypt($crypttext)
  25.     {
  26.         $plaintext = "";
  27.  
  28.         $td        = mcrypt_module_open($this->cypher, '', $this->mode, '');
  29.         $ivsize    = mcrypt_enc_get_iv_size($td);
  30.         $iv        = substr($crypttext, 0, $ivsize);
  31.         $crypttext = substr($crypttext, $ivsize);
  32.         if ($iv)
  33.         {
  34.             mcrypt_generic_init($td, $this->key, $iv);
  35.             $plaintext = mdecrypt_generic($td, $crypttext);
  36.         }
  37.         return $plaintext;
  38.     }
  39. }
  40.  
  41. ?>
John Conde
Brainyminds | Merchant Account Services | I Love Code
IT'S HERE: Merchant Accounts 101 Everything you need to know about merchant accounts!
Reply With Quote Quick reply to this message  
Join Date: Nov 2009
Posts: 1
Reputation: bennyfreshness is an unknown quantity at this point 
Solved Threads: 0
bennyfreshness bennyfreshness is offline Offline
Newbie Poster
 
-1
  #5
Nov 5th, 2009
can this store, say for instance, a PayPal token that I am supposed to keep hidden?
Reply With Quote Quick reply to this message  
Join Date: Oct 2009
Posts: 102
Reputation: jomanlk is an unknown quantity at this point 
Solved Threads: 18
jomanlk jomanlk is offline Offline
Junior Poster
 
0
  #6
Nov 5th, 2009
You can do it at the database level as well if you want.

For INSERT
PHP Syntax (Toggle Plain Text) 
  1. $aes_key = "EF77FHH7-E6G1-31y4-w2D7-G4gH8HWF20H1";
  2. $sql = "INSERT INTO user(username, pass) VALUES ('bob', AES_ENCRYPT('password', '$aes_key' ))";

And for SELECT
PHP Syntax (Toggle Plain Text) 
  1. $aes_key = "EF77FHH7-E6G1-31y4-w2D7-G4gH8HWF20H1";
  2. $sql = "SELECT *, AES_DECRYPT(password, '$aes_key ') AS password FROM  user";

You'll have to keep the AES key as a config value or something. If you lose it you can't decrypt the data

More references here.
Last edited by jomanlk; Nov 5th, 2009 at 4:05 am. Reason: Corrected code error
Reply With Quote Quick reply to this message  
Join Date: May 2007
Posts: 444
Reputation: Atli is on a distinguished road 
Solved Threads: 56
Atli's Avatar
Atli Atli is offline Offline
Posting Pro in Training
 
0
  #7
Nov 5th, 2009
Hey.

Be careful if you do this in a SQL query tho. Some MySQL servers use plain-text query logs, so while your passwords might be encrypted in the database itself, they would be stored in their original form in the logs.

See these two pages in the manual for details on that.
Please do not ask for help in a PM. Use the forums.
And use [code] tags!
Reply With Quote Quick reply to this message  
Join Date: Oct 2009
Posts: 102
Reputation: jomanlk is an unknown quantity at this point 
Solved Threads: 18
jomanlk jomanlk is offline Offline
Junior Poster
 
0
  #8
Nov 5th, 2009
@Atli
Good point. I didn't know this. This can be a problem if your MySQL server is not controlled by you alone.
Reply With Quote Quick reply to this message  
Join Date: Sep 2005
Posts: 1,081
Reputation: digital-ether is just really nice digital-ether is just really nice digital-ether is just really nice digital-ether is just really nice 
Solved Threads: 66
Moderator
digital-ether's Avatar
digital-ether digital-ether is offline Offline
Veteran Poster
 
1
  #9
Nov 5th, 2009
Originally Posted by ezb View Post
I am currently building an online system, it has come to the point to think about securing peoples passwords. How ever, for admin reasons I was wondering if it was possible to decode the encoded password, I believe this is not possible with md5 but hoping there is another method?

Any help would be geat, also any other information regarding safety, thanks.
There really is no reason to use 2 way encryption on passwords. Retrieving the password is not the concern, gaining access to their account is. So if the user forgets their password, send them a token through email to set a new password.

Use secure hashes to store the passwords. Add a long salt before hashing, and hash that password and salt together 100,000 times or so. Make sure you use quite a bit of memory in the process.
www.fijiwebdesign.com - web design and development and fun
Cpanel Email - Let users Register email accounts on your website upon registration
Ajax Chat - Fully browser based chat!
Reply With Quote Quick reply to this message  
Join Date: May 2007
Posts: 444
Reputation: Atli is on a distinguished road 
Solved Threads: 56
Atli's Avatar
Atli Atli is offline Offline
Posting Pro in Training
 
0
  #10
Nov 5th, 2009
@digital-ether
I agree with you 100%, although 100.000 iterations seem a bit excessive to me. (But that's just me :-P)
However, I got to ask why you specifically mention high memory usage?
Please do not ask for help in a PM. Use the forums.
And use [code] tags!
Reply With Quote Quick reply to this message  
Reply
1 2

Quick Reply to Thread
Message:



Similar Threads
Other Threads in the PHP Forum
Thread Tools Search this Thread



.htaccess ajax apache api array beginner binary broken buttons cakephp checkbox class cms code cron curl database date directory display download dynamic ebooks echo email error file files folder form forms function functions google href htaccess html image include insert integration ip java javascript joomla limit link login loop mail mediawiki menu mlm mod_rewrite multiple mysql number oop paypal pdf php phpincludeissue phpmyadmin problem query radio random recursion regex remote script search server sessions sms soap source sp space speed sql subdomain syntax system table tag tutorial update upload url validation validator variable vbulletin video web websphere white xml youtube
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC