Ad:

PHP Discussion Thread
Unsolved
Views: 12334

Page 1
2
Next

You are currently viewing page 1 of this multi-page discussion thread

Oct 15th, 2007

Password encoding/decoding

Expand Post »

I am currently building an online system, it has come to the point to think about securing peoples passwords. How ever, for admin reasons I was wondering if it was possible to decode the encoded password, I believe this is not possible with md5 but hoping there is another method?

Any help would be geat, also any other information regarding safety, thanks.

Similar Threads

Qestion on Encoding and Decoding. in Python
Slow computer + about:blank homepage in Viruses, Spyware and other Nasties
Encoding/Decoding in C
homepage hijack "Search for..." about:blank in address in Viruses, Spyware and other Nasties
Trojan Problem in Viruses, Spyware and other Nasties

ezb

Reputation Points: 10

Solved Threads: 3

Newbie Poster

Offline

23 posts
since Jul 2007

Permalink

Oct 15th, 2007

Re: Password encoding/decoding

Here is a good PHP5 class that uses the mcrypt library for two way encryption.

php Syntax (Toggle Plain Text)
<?php
 
class Encryption
{
    static $cypher = 'blowfish';
    static $mode   = 'cfb';
    static $key    = '1a2s3d4f5g6h';
 
    public function encrypt($plaintext)
    {
        $td = mcrypt_module_open(self::$cypher, '', self::$mode, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        mcrypt_generic_init($td, self::$key, $iv);
        $crypttext = mcrypt_generic($td, $plaintext);
        mcrypt_generic_deinit($td);
        return $iv.$crypttext;
    }
 
    public function decrypt($crypttext)
    {
        $plaintext = "";
        $td        = mcrypt_module_open(self::$cypher, '', self::$mode, '');
        $ivsize    = mcrypt_enc_get_iv_size($td);
        $iv        = substr($crypttext, 0, $ivsize);
        $crypttext = substr($crypttext, $ivsize);
        if ($iv)
        {
            mcrypt_generic_init($td, self::$key, $iv);
            $plaintext = mdecrypt_generic($td, $crypttext);
        }
        return $plaintext;
    }
}
 
// Encrypt text
$encrypted_text = Encryption::encrypt('this text is unencrypted');
 
// Decrypt text
$decrypted_text = Encryption::decrypt($encrypted_text);
 
 
?>
<?php

class Encryption
{
    static $cypher = 'blowfish';
    static $mode   = 'cfb';
    static $key    = '1a2s3d4f5g6h';

    public function encrypt($plaintext)
    {
        $td = mcrypt_module_open(self::$cypher, '', self::$mode, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        mcrypt_generic_init($td, self::$key, $iv);
        $crypttext = mcrypt_generic($td, $plaintext);
        mcrypt_generic_deinit($td);
        return $iv.$crypttext;
    }

    public function decrypt($crypttext)
    {
        $plaintext = "";
        $td        = mcrypt_module_open(self::$cypher, '', self::$mode, '');
        $ivsize    = mcrypt_enc_get_iv_size($td);
        $iv        = substr($crypttext, 0, $ivsize);
        $crypttext = substr($crypttext, $ivsize);
        if ($iv)
        {
            mcrypt_generic_init($td, self::$key, $iv);
            $plaintext = mdecrypt_generic($td, $crypttext);
        }
        return $plaintext;
    }
}

// Encrypt text
$encrypted_text = Encryption::encrypt('this text is unencrypted');

// Decrypt text
$decrypted_text = Encryption::decrypt($encrypted_text);


?>

Last edited by stymiee; Oct 15th, 2007 at 11:48 am.

stymiee

Moderator

Reputation Points: 161

Solved Threads: 38

He's No Good To Me Dead

Offline

1,422 posts
since May 2006

Permalink

Oct 15th, 2007

Re: Password encoding/decoding

Thanks alot for your help, however, I am using 4.3.9, sorry I should have mentioned this to begin with, the code you gave strictly php5?

ezb

Reputation Points: 10

Solved Threads: 3

Newbie Poster

Offline

23 posts
since Jul 2007

Permalink

Oct 16th, 2007

Re: Password encoding/decoding

It can be changed to work with PHP 4. You just need to change the PHP 5 features to 4:

php Syntax (Toggle Plain Text)
<?php
 
class Encryption
{
    var $cypher = 'blowfish';
    var $mode   = 'cfb';
    var $key    = '1a2s3d4f5g6h';
 
    function Encryption()
    {
        // do nothing
    }
 
    function encrypt($plaintext)
    {
        $td = mcrypt_module_open($this->cypher, '', $this->mode, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        mcrypt_generic_init($td, $this->key, $iv);
        $crypttext = mcrypt_generic($td, $plaintext);
        mcrypt_generic_deinit($td);
        return $iv.$crypttext;
    }
 
    function decrypt($crypttext)
    {
        $plaintext = "";
 
        $td        = mcrypt_module_open($this->cypher, '', $this->mode, '');
        $ivsize    = mcrypt_enc_get_iv_size($td);
        $iv        = substr($crypttext, 0, $ivsize);
        $crypttext = substr($crypttext, $ivsize);
        if ($iv)
        {
            mcrypt_generic_init($td, $this->key, $iv);
            $plaintext = mdecrypt_generic($td, $crypttext);
        }
        return $plaintext;
    }
}
 
?>
<?php

class Encryption
{
    var $cypher = 'blowfish';
    var $mode   = 'cfb';
    var $key    = '1a2s3d4f5g6h';

    function Encryption()
    {
        // do nothing
    }

    function encrypt($plaintext)
    {
        $td = mcrypt_module_open($this->cypher, '', $this->mode, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        mcrypt_generic_init($td, $this->key, $iv);
        $crypttext = mcrypt_generic($td, $plaintext);
        mcrypt_generic_deinit($td);
        return $iv.$crypttext;
    }

    function decrypt($crypttext)
    {
        $plaintext = "";

        $td        = mcrypt_module_open($this->cypher, '', $this->mode, '');
        $ivsize    = mcrypt_enc_get_iv_size($td);
        $iv        = substr($crypttext, 0, $ivsize);
        $crypttext = substr($crypttext, $ivsize);
        if ($iv)
        {
            mcrypt_generic_init($td, $this->key, $iv);
            $plaintext = mdecrypt_generic($td, $crypttext);
        }
        return $plaintext;
    }
}

?>

stymiee

Moderator

Reputation Points: 161

Solved Threads: 38

He's No Good To Me Dead

Offline

1,422 posts
since May 2006

Permalink

Nov 5th, 2009

-1

Re: Password encoding/decoding

can this store, say for instance, a PayPal token that I am supposed to keep hidden?

bennyfreshness

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

1 posts
since Nov 2009

Permalink

Nov 5th, 2009

Re: Password encoding/decoding

You can do it at the database level as well if you want.

For INSERT

PHP Syntax (Toggle Plain Text)
$aes_key = "EF77FHH7-E6G1-31y4-w2D7-G4gH8HWF20H1";
$sql = "INSERT INTO user(username, pass) VALUES ('bob', AES_ENCRYPT('password', '$aes_key' ))";
$aes_key = "EF77FHH7-E6G1-31y4-w2D7-G4gH8HWF20H1";
$sql = "INSERT INTO user(username, pass) VALUES ('bob', AES_ENCRYPT('password', '$aes_key' ))";

And for SELECT

PHP Syntax (Toggle Plain Text)
$aes_key = "EF77FHH7-E6G1-31y4-w2D7-G4gH8HWF20H1";
$sql = "SELECT *, AES_DECRYPT(password, '$aes_key ') AS password FROM  user";
$aes_key = "EF77FHH7-E6G1-31y4-w2D7-G4gH8HWF20H1";
$sql = "SELECT *, AES_DECRYPT(password, '$aes_key ') AS password FROM  user";

You'll have to keep the AES key as a config value or something. If you lose it you can't decrypt the data

More references here.

Last edited by jomanlk; Nov 5th, 2009 at 4:05 am. Reason: Corrected code error

jomanlk

Reputation Points: 13

Solved Threads: 19

Junior Poster

Offline

103 posts
since Oct 2009

Permalink

Nov 5th, 2009

Re: Password encoding/decoding

Hey.

Be careful if you do this in a SQL query tho. Some MySQL servers use plain-text query logs, so while your passwords might be encrypted in the database itself, they would be stored in their original form in the logs.

See these two pages in the manual for details on that.

Atli

Reputation Points: 93

Solved Threads: 70

Posting Pro

Offline

526 posts
since May 2007

Permalink

Nov 5th, 2009

Re: Password encoding/decoding

@Atli
Good point. I didn't know this. This can be a problem if your MySQL server is not controlled by you alone.

jomanlk

Reputation Points: 13

Solved Threads: 19

Junior Poster

Offline

103 posts
since Oct 2009

Permalink

Nov 5th, 2009

Re: Password encoding/decoding

Click to Expand / Collapse Quote originally posted by ezb ...

I am currently building an online system, it has come to the point to think about securing peoples passwords. How ever, for admin reasons I was wondering if it was possible to decode the encoded password, I believe this is not possible with md5 but hoping there is another method?

Any help would be geat, also any other information regarding safety, thanks.

There really is no reason to use 2 way encryption on passwords. Retrieving the password is not the concern, gaining access to their account is. So if the user forgets their password, send them a token through email to set a new password.

Use secure hashes to store the passwords. Add a long salt before hashing, and hash that password and salt together 100,000 times or so. Make sure you use quite a bit of memory in the process.

digital-ether

Moderator

Reputation Points: 457

Solved Threads: 101

Nearly a Posting Virtuoso

Offline

1,250 posts
since Sep 2005

Permalink

Nov 5th, 2009

Re: Password encoding/decoding

@digital-ether
I agree with you 100%, although 100.000 iterations seem a bit excessive to me. (But that's just me :-P)
However, I got to ask why you specifically mention high memory usage?

Atli

Reputation Points: 93

Solved Threads: 70

Posting Pro

Offline

526 posts
since May 2007

Page 1
2
Next

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in PHP Forum Timeline: To restrict users to choose date from date picker only

Next Thread in PHP Forum Timeline: Messaging System

DaniWeb Message

Cancel Changes

User Name
Password