best method of encryption

best method of encryption, for passwords

fyrestorm
post 27 Nov, 2005 - 05:29 PM
Post #1

I've always used md5() for password encryption...is that still a good method or is there some better method that I should be using?

Amadeus
post 27 Nov, 2005 - 05:34 PM
Post #2

Hmm...you'll probably get a million differing answers about what set of encryption algorithms are best, coupled with some information regarding some of the breakthroughs made in breaking md5 in the last year or so. I guess the real answer depends on the answer to this:

How important is the data to you? Is it confidential financial type stuff, or username password type stuff?

In my opinion, md5 is more than enough for your average data that you want kept out of harm's way. That's just me, however.

fyrestorm
post 27 Nov, 2005 - 06:12 PM
Post #3

Well, I was just thinking passwords at this point, but down the line, I'll have to store CC info in a DB, and I know that will have to be a whole different encryption method because I'll have to be able to decrypt them as well...

Wizzy
post 27 Nov, 2005 - 06:18 PM
Post #4

Okay, I'm guessing you're familiar with mhash, which allows you to pick a hash...you can select over 20, I think. But I promise you at this moment, md5() is the one that will defend you the most.

It creates a hash code in 32bit (32 Characters) from a plain text and the only way to crack it is to match it...if you have this for example:
CODE
<?php
$password = 'MyPasswordOthersDontKnow';
$hash = md5( $password ); # MyPasswordNotEvenIKnow: a 32-character hex digest
?>


You can even select md5 within a DB; it is very useful and shows no signs of flaws yet.

There is no need to decrypt it, check the hash:
CODE
<?php
$username = 'Username';
$password = 'Password';
// escape the username before interpolating it into the query
$username_sql = mysql_real_escape_string( $username );
$result = mysql_query( "SELECT password FROM members WHERE username='$username_sql'" );
$row = mysql_fetch_assoc( $result );
// the stored value is an md5 hash, so hash the submitted password before comparing
if( $row && md5( $password ) === $row['password'] ) {
echo 'Access Granted';
} else {
echo 'Access Denied';
}
?>



skyhawk133
post 27 Nov, 2005 - 07:13 PM
Post #5

MD5 is actually no longer recommended for encryption due to the recent MD5 Collision weakness. The weakness exists in SHA-1 as well. The current suggestion for encryption is to use SHA-256 or SHA-512.

You can read about the MD5 collision source code here: http://it.slashdot.org/article.pl?sid=05/1...037232&from=rss

Wizzy
post 27 Nov, 2005 - 08:27 PM
Post #6

Hey, I never knew that. Thanks admin!

cyberscribe
post 27 Nov, 2005 - 09:01 PM
Post #7

Salting md5 for one-way encryption can bolster security:

CODE

...
$salt = '470dcd7b'; //or whatever
$password_hash = md5($salt.$password.$salt); // store this hash, never the password itself
...

and
CODE

// recompute the salted hash from the submitted password and compare it with the stored one
if ($password_hash === md5($salt.$password.$salt)) {
//authentication successful ...
}

You don't want to store credit cards in a database. Trust me. Use a third-party service like VeriSign Recurring Billing. Unless you want to be responsible for 100% of the data security issues on the server and with all the clients involved (i.e. every browser that accesses your admin), and pass PCI compliance when your vendor starts doing more than 20,000 cards per year, leave card storage to a CISP-certified payment gateway.

If you don't heed my warning and still decide to do it yourself, use strong encryption like triple DES or (ideally) AES. You can use the mcrypt library in PHP for such purposes, but there are many issues involved with real-time encryption in a plain-text scripting environment. Check out this article:

http://www.robertpeake.com/archives/33-PHP...cle-Online.html

for more.
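Bringing together Wizzy's point about checking the hash rather than decrypting (Post #4), skyhawk133's SHA-256 recommendation (Post #5) and cyberscribe's salting (Post #7), here is an added example; it is not code from any post in this thread, assumes PHP 7 or later, and uses constructed sample passwords.

```php
<?php
// Added example, not code from any post in this thread: salted one-way
// password hashing with a hash check instead of decryption, using SHA-256
// rather than MD5 and a fresh random salt per user. Assumes PHP 7 or later
// (random_bytes; hash_equals exists since PHP 5.6).

// Build the record to store for a new user: a per-user random salt and the
// SHA-256 digest of salt . password. Both columns go into the database;
// the password itself is never stored.
function create_password_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));         // 32 hex characters, unique per user
    $hash = hash('sha256', $salt . $password); // 64 hex characters
    return ['salt' => $salt, 'hash' => $hash];
}

// Check a login attempt: recompute the digest with the stored salt and compare.
// hash_equals() runs in constant time, so the comparison does not leak how
// many leading characters of the candidate matched.
function verify_password(string $password, array $record): bool
{
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);
}

// Demonstration with constructed sample data.
$alice = create_password_record('correct horse battery staple');
$bob   = create_password_record('correct horse battery staple');

echo verify_password('correct horse battery staple', $alice) ? "Access Granted\n" : "Access Denied\n";
echo verify_password('Correct horse battery staple', $alice) ? "Access Granted\n" : "Access Denied\n";

// Alice and Bob chose the same password, but their stored hashes differ because
// their salts differ. A single site-wide salt (the '470dcd7b' style in the post
// above) still blocks generic precomputed tables, but equal passwords would share
// a hash and one table built for that salt would cover every account.
echo $alice['hash'] === $bob['hash'] ? "hashes equal\n" : "hashes differ\n";

// PHP 5.5+ bundles this pattern as password_hash()/password_verify(), which also
// use a deliberately slow algorithm (bcrypt by default) to make guessing costly.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
echo password_verify('correct horse battery staple', $stored) ? "Access Granted\n" : "Access Denied\n";
```

The stored record holds only the salt and the digest, so a copy of the members table gives an attacker nothing to "decrypt", which is the point Wizzy and cyberscribe were making.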

Israel
post 28 Nov, 2005 - 03:40 AM
Post #8

I'm not really an expert on encryption. But I've been told by many people that as far as key-gens and brute-forcers go, the best one is the one you wrote yourself. I would have to assume that the same would be true for securing the lock as it would be for picking it.

fyrestorm
post 28 Nov, 2005 - 07:57 AM
Post #9

QUOTE(cyberscribe @ 27 Nov, 2005 - 09:58 PM)
You don't want to store credit cards in a database. Trust me. Use a third-party service like VeriSign Recurring Billing. Unless you want to be responsible for 100% of the data security issues on the server and with all the clients involved (i.e. every browser that accesses your admin), and pass PCI compliance when your vendor starts doing more than 20,000 cards per year, leave card storage to a CISP-certified payment gateway.


I know that I don't want to store CC info in a DB; unfortunately, it's already being done, but on a Windows server using ASP (something I know nothing about). The billing isn't recurring, and I don't think we even hit 1000 transactions a year, and the billing isn't done online...we need the CC in the DB so that they can be referenced twice, once when the order is placed, and again when it's complete; after that we can delete it from the DB...

With that knowledge, what's the best way to go about doing this?

Nova Dragoon
post 28 Nov, 2005 - 10:30 AM
Post #10

If you are taking CC info, you'll want to run a certificate server-side, which will encrypt the entire HTTP stream. (I didn't read this in its entirety, my bad if it was already mentioned.)

Wizzy
post 28 Nov, 2005 - 06:36 PM
Post #11

You cannot secure a protocol even with SSL if you don't have other security precautions.

You could make a .htaccess file and set all documents to be gzipped in UTF-8 format; you could cloak your link by using POST in forms and perhaps some JavaScript.

You cannot be too secure because then you give hackers a challenge and that's what they look for in sites.

fyrestorm
post 28 Nov, 2005 - 08:13 PM
Post #12

I was reading in my information security book that AES is the strongest form of encryption and even with a supercomputer it would still take millions upon millions of years to crack...they're credit card numbers and it's a huge liability to be storing them even if for only a little while...if the best encryption method attracts hackers, so be it...they won't be able to crack it anytime soon...
