Asked 6 Oct 2016

debugger posted

How to encrypt a password with more security in PHP?

I am now using md5 to encrypt the password before saving it to the database in PHP:

$encrypted_password = md5($password);

Checking the password for authentication with md5, by comparing the hash:

if (md5($given_password) == $encrypted_password) {
    // valid password
}


So I want to make a more secure password, and please also define the code for how to check for authentication at login time.
$password = md5(sha1($_POST['password'])); - Rasi  
Feb 11 '17 11:54
bcrypt is a good option; bcrypt is also used in Laravel authentication. - kiran  
Feb 11 '17 12:00
md5 is not an encryption; md5 is not for passwords, it is for validation of file content. Use password_hash for passwords. -  
Feb 15 '17 09:34
ravi
answered Nov 30 '-1 00:00

Make it salty by adding salt.
How to add salt to a password: here is the code

function MakeItSalty($password, $salt = '') {
    $encrypted_password = md5($password);           // first level encryption
    if ($salt == '') $salt = mt_rand(1, 10000);     // generate a salt if none was supplied
    $encrypted_password = md5($encrypted_password . $salt);
    return array($encrypted_password, $salt);       // both values must be stored
}

The MakeItSalty function takes the password as an argument and returns an array of the encrypted password and the salt. You need to save both in the database.

Now authentication for a given password:

function verifyAuthWithSalt($entered_password, $database_stored_encrypted_password, $database_stored_salt) {
    // re-hash the entered password with the salt that was stored for this user
    list($hash, $salt) = MakeItSalty($entered_password, $database_stored_salt);
    return $database_stored_encrypted_password === $hash;
}

To verify the same password encrypted by the MakeItSalty function, use the verifyAuthWithSalt function. I took long argument names only for a good explanation; you can use smaller ones as per your need.
list($hash, $salt) = MakeItSalty($entered_password, $database_stored_salt);
This line of code is making the entered password salty with the same hash that we stored in the database. I hope it is clear.

So tell me if any problem still persists.
kiran
answered Nov 30 '-1 00:00

Most people use the md5() function to encrypt the password in PHP, but I do not advise using md5 to encrypt the password. sha1() is also not designed to encrypt the password. I prefer bcrypt to encrypt the password in PHP.

1. Use BCRYPT to encrypt the password.

password_hash is the function in PHP to encrypt the password:

echo password_hash("password", PASSWORD_BCRYPT);


BCRYPT will produce a 60 character hash result, and it always starts with "$2y$". It is good to use the blowfish algorithm for password encryption.

2. Use the crypt function to encrypt the password in PHP.

$hashed_password = crypt('password');

crypt makes the password salty by default, so crypt is good to use for encrypting the password.

How to verify the password which was encrypted with the crypt function?


if (hash_equals($hashed_password, crypt($_POST['password'], $hashed_password))) {
   echo "Password verified!";
}
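A complete register-and-login flow built on password_hash()/password_verify(), as an added example that is not part of this answer. The in-memory $users array stands in for the database table, and every username and password in it is a constructed sample value.

```php
<?php
// Added example, not from the answer above. password_hash() generates the
// random salt and embeds algorithm, cost and salt in the 60-character string,
// and password_verify() performs a constant-time comparison.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // tune so one hash takes roughly 100 ms on your hardware

function registerUser(array &$users, string $username, string $password): void
{
    // Store only the bcrypt string; no separate salt column is needed.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal whether the username exists.
    $stored = $users[$username] ?? password_hash('dummy-for-timing', HASH_ALGO, HASH_OPTIONS);
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }
    // If the cost or algorithm has been raised since this hash was created,
    // upgrade it transparently while the cleartext password is available.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Demonstration with constructed data ($users is a stand-in for the database).
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));   // correct password
var_dump(loginUser($users, 'alice', 'wrong password'));                  // wrong password
var_dump(loginUser($users, 'nobody', 'anything'));                       // unknown user

// Two hashes of the same password differ because each call draws a fresh salt,
// and every bcrypt hash is 60 characters starting with "$2y$".
registerUser($users, 'bob', 'correct horse battery staple');
var_dump($users['alice'] !== $users['bob']);
var_dump(strlen($users['alice']) === 60 && substr($users['alice'], 0, 4) === '$2y$');
```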

shyam
answered Nov 30 '-1 00:00

Use the PasswordHash class,
which you can find at this link: http://www.openwall.com/phpass/

include("PasswordHash.php");
// Base-2 logarithm of the iteration count used for password stretching
$hash_cost_log2 = 8;
// Do we require the hashes to be portable to older systems (less secure)?
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
$hash = $hasher->HashPassword($pass);
if (strlen($hash) < 20) {
    echo "Not Hashed properly";
    unset($hasher);
}

Most open source CMSs (WordPress, Joomla, Drupal, etc.) use this hashing class in PHP, so use it and be glad!!

Mitul Dabhi
answered Nov 30 '-1 00:00

You can generate the seed from the current time, which helps you to get a very unique seed/salt each time. A more unique seed/salt means a more secure password.

function getSeed() {
    return $seed = md5(time());
}
function encrypt($password) {
    $seed = getSeed();
    $md5SaltedPass = md5(md5($password) . $seed);
    return array("seed" => $seed, "salted_pass" => $md5SaltedPass);
}
print_r(encrypt("IlovePhp"));
Nilesh
answered Nov 30 '-1 00:00

Encrypting the password will help to protect the password of the user, even if someone has access to the database.
md5 means one-way encryption, so there is no turning back once it is encrypted. One can only check whether it is a valid password or not by doing md5 on the correct password and comparing it with the stored one.
So md5 itself is a good way to protect the password.

But still, one of the hacking techniques is where a hacker/cracker registers with the website with a very common password and checks the user database for who has the same md5 as he has, so it is an easy track. But if you add a salt/seed, it increases the difficulty level for hackers/crackers. So there is no harm in adding a salt/seed to the password at the time of encryption. We can even say it is triple encryption, because we encrypt the seed and then merge it with the encrypted password and encrypt again, so there are three layers of encryption.

How to generate the seed/salt is also a very tricky part.
The seed/salt should be unique and no one should be able to predict it.

function GenerateSalt()
{
    // seed the generator from the current time with microsecond resolution
    list($usec, $sec) = explode(' ', microtime());
    $seed = $sec + $usec * 1000000;
    mt_srand($seed);
    $salt = mt_rand();
    return $salt;
}


I used mt_rand because it generates a non-predictable and each time unique random value; rand is crap compared to mt_rand. mt_rand is good and we used it with a good seed, so it is a very good function for generating a salt.

Now use the salt:

$salt=GenerateSalt();
$md5SaltedPass = md5(md5($password).$salt);
// now store both salt and salted password.


Authentication
1. Check against all users

// retrieve all salted passwords and salts from the user database
// suppose $user contains an array of salted passwords and salts from the user database
foreach ($user as $value) {
    $md5SaltedPass = md5(md5($userPassword) . $value['salt']);
    if ($md5SaltedPass == $value['md5SaltedPass']) {
        // ok, I passed
    }
}

Not recommended, because if you have 2 million records it takes a very long time on a busy server, so avoid checking against all users.

2. Check with the given email or username

// get the one record which has the given email or username
$md5SaltedPass = md5(md5($userPassword) . $user_database_value['salt']);
if ($md5SaltedPass == $user_database_value['md5SaltedPass']) {
    // ok, I passed
}