#1
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date: Sep 2000
    Posts: 1
    Rep Power: 0
    Hi!!

    I'm making an e-commerce shop. Users can sign up and give a password.
    Passwords must be encrypted, but I'm looking for the best way.

    I found crypt(string [, salt-string]) and md5(string).

    Which one is better to use?? Or is there a better way to encrypt my passwords?

    Greezzz Anita

#2
    Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date: Dec 1999
    Location: Brussels, Belgium
    Posts: 14,642
    Rep Power: 4476
    I personally use md5($string) and it works fine.

    I've heard some people complain that it's not actually encrypting...it's just a hash of the string. I don't know what all that mumbo jumbo is, but I know it works and it's really hard for someone to get the original word back just knowing the md5 hash. Exactly 'how hard', I don't know.

    On another note, there is a javascript md5() function. You can get the md5 hash of the password on the client side, and only pass the hash over the net, that way the original password is never sent over the web. I've seen this function packaged with PHPLIB, but with a little searching, I'm sure you could find it elsewhere.

    Hope that helps...

    ---John Holmes...

    ------------------
    *************************************************************
    * The manual can probably answer 90% of your questions... *
    * *
    * PHP Manual. www.php.net/manual *
    * MySQL Manual: www.mysql.com/documentation/mysql/bychapter *
    *************************************************************
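The crypt()-versus-md5() question from the opening post and the md5($string) answer above, as an added PHP example that is not code from either poster. It assumes PHP 7 or later; the function names and the sample passwords are made up for the example. It stores the same password two ways: with plain md5(), and with password_hash(), the routine the PHP manual now recommends, which draws a random salt per call and emits the same bcrypt format that crypt() understands.

```php
<?php
// Added example, not code from the thread: storing a password with md5()
// versus a salted, slow hash from password_hash() (PHP 5.5+ for the hash
// functions, PHP 7+ for the type declarations). password_hash() produces
// the same bcrypt format as crypt(). Function names and sample passwords
// below are made up for this example.

// Plain md5(): no salt, so two users with the same password get the same
// digest, and a precomputed table of common passwords matches all of them.
function storeWithMd5(string $password): string
{
    return md5($password);
}

// password_hash(): draws a fresh random salt on every call and embeds it,
// together with the algorithm id and cost, in the returned string, so the
// stored value is all that is needed to verify later.
function storeWithPasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verification for the salted form: password_verify() reads the salt and
// cost back out of the stored string, recomputes, and compares.
function checkPassword(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

// Constructed sample: two accounts that happen to choose the same password.
$alice = 'Tr0ub4dor&3';
$bob   = 'Tr0ub4dor&3';

$md5A = storeWithMd5($alice);
$md5B = storeWithMd5($bob);
printf("md5:    %s\n        %s  identical: %s\n",
       $md5A, $md5B, $md5A === $md5B ? 'yes' : 'no');

$hashA = storeWithPasswordHash($alice);
$hashB = storeWithPasswordHash($bob);
printf("bcrypt: %s\n        %s  identical: %s\n",
       $hashA, $hashB, $hashA === $hashB ? 'yes' : 'no');

printf("verify correct password: %s\n",
       checkPassword('Tr0ub4dor&3', $hashA) ? 'ok' : 'rejected');
printf("verify wrong password:   %s\n",
       checkPassword('Tr0ub4dor&4', $hashA) ? 'ok' : 'rejected');
```

Run it with `php example.php`. The two md5 lines come out identical, so anyone holding the table can see at a glance which accounts share a password and look the digest up in a precomputed list; the two bcrypt strings differ because each carries its own salt, and verification still works because that salt travels inside the stored value. The salt-string argument of crypt() that the opening post found is the same idea done by hand; password_hash() just generates it for you.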
#3
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date: Oct 2000
    Posts: 0
    Rep Power: 0
    Well, md5 is almost irreversible, as you would have to know the key length etc.; also, for any hash, there's an infinite number of strings that could produce it.

    I don't see the point of having JavaScript do the hash and sending it over. Anyone who wants to mess around with that user and has been able to get the hash can log in as him; this doesn't require anything else than just modifying the form in your browser so that it sends over whatever you write in it (in this case you would write the md5 hash into the form).

    One way to do this securely would be to use RSA or some other public key crypto algorithm, and then just encrypt your password with that RSA key and send it over. No eavesdropper would be able to figure out your password. If you want to store the passwords securely in a database, so that no one could get the passwords by cracking into it, just decrypt the encrypted key you got over the web with your private RSA key, hash the result with md5 and compare it against the md5 hash stored in your database.

    The only way to crack this approach would be to crack the RSA key...

    [This message has been edited by desti (edited October 09, 2000).]
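The point made in the post above, that a hash computed in the browser and compared directly against the stored hash is itself enough to log in, written out as an added PHP example (PHP 7+) that is not the poster's code. The function names and the sample password are made up for the example. It places the two login checks side by side: comparing a client-supplied digest with the stored digest, and letting the server salt, hash and verify a password it receives over a protected channel. In the RSA variant the post describes, the password recovered by the private-key decryption step would be what goes into the second function.

```php
<?php
// Added example, not code from the thread: the two login checks being
// compared above, written as server-side functions (PHP 7+). Function names
// and the sample password are made up for this example.

// Check 1: the browser computes md5(password) and the server compares the
// submitted digest with the digest it stored. The stored digest by itself
// satisfies this check, so it has become a password-equivalent.
function loginWithClientHash(string $submittedDigest, string $storedDigest): bool
{
    return hash_equals($storedDigest, $submittedDigest);
}

// Check 2: the browser sends the password itself over a protected channel
// and the server does the salting and hashing. Here the stored value is
// only a verifier: presenting it in place of the password does not pass.
function loginWithServerVerify(string $submittedPassword, string $storedHash): bool
{
    return password_verify($submittedPassword, $storedHash);
}

// Constructed sample account.
$password     = 'correct horse battery staple';
$storedDigest = md5($password);
$storedHash   = password_hash($password, PASSWORD_DEFAULT);

// A genuine login succeeds under both checks.
printf("client hash, real user:   %s\n",
       loginWithClientHash(md5($password), $storedDigest) ? 'accepted' : 'rejected');
printf("server verify, real user: %s\n",
       loginWithServerVerify($password, $storedHash) ? 'accepted' : 'rejected');

// A caller who holds only what the database holds, not the password.
printf("client hash, stored value only:   %s\n",
       loginWithClientHash($storedDigest, $storedDigest) ? 'accepted' : 'rejected');
printf("server verify, stored value only: %s\n",
       loginWithServerVerify($storedHash, $storedHash) ? 'accepted' : 'rejected');
```

The design rule this illustrates: whatever the server stores must be a verifier, something that can confirm a password but cannot be used as one. With the first check, a copy of the password table is as good as the passwords, so the hashing in the browser buys nothing against a database leak. With the second, the table leak still has to be followed by guessing, which is exactly the work a salted, slow hash is there to make expensive.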
