Comments on: Password Encryption and Decryption Technique in PHP

By: K. Matheny

K. Matheny — Sat, 23 Jan 2010 20:49:09 +0000

I’ve always been taught that when storing sensitive data, it’s needs to be a one-way encryption, meaning there should be no decryption method. You should only be able to encrypt a string and say whether or not it matches another encrypted string to determine its validity.

Not a bad article though.

By: k satyadeep

k satyadeep — Mon, 07 Dec 2009 18:29:10 +0000

very useful info thanks

By: Jared kidambi

Jared kidambi — Fri, 30 Oct 2009 16:04:42 +0000

I tried it out and men, this is miracle. lovely work

By: ray

ray — Sun, 17 May 2009 14:24:23 +0000

banu, I’m not an expert but since no-one else has replied I’ll make a couple of suggestions (please no-one bite my head off if they are naive!)..

Take a look at GPG (Gnu Privacy Guard free open source) from http://www.gnupg.org

Or failing that maybe there’s a way to zip your files with passwords? (just an off the cuff idea)

By: ray

ray — Sat, 16 May 2009 16:42:00 +0000

Anonamoose has indicated in quite strong terms that the use of MySQL’s AES_ENCRYPT( )and AES_DECRYPT() functions is a very bad idea (although I personally see “insanity” and “ignorance” as very different conditions and consider myself to be suffering more from the latter than the former), but can anyone tell me why? I appreciate that for password security hashing the password and comparing against hashed entered passwords is the sensible method, but what about encryption of email addresses, credit card details, etc etc. Is the implication that use of AES_ENCRYPT() for this would also consitute a need for pyschiatric care? I suppose I COULD try the suggestion of Googling for something like “why-is-it-a-mad-idea-to-use-AES_ENCRYPT()” but then I really think they would need to take me a way in a van! Can anyone enlighten me?

By: ray

ray — Sat, 16 May 2009 16:31:14 +0000

Rajeskar, I’m sure every hacker in the world would love to know how to do that. But from what I’ve gathered (and I’m a “kiddie” at this) the whole point of using SHA1() is that it produces a hash or pseudo encrption of a string that CANNOT be decrypted. Its not so much an encryption as a “unique” (and I use the word with caution as it may not always necessarilly be unique) aspect or representation of the string that created it., but holding no information as to exactly what the original string looked like or how to get back to it. Its only use is to compare it against another hashed string to see if both hashes look like they probably (in fact “almost” certainly) came from the same original string (i.e. that the entered password is the same as the stored one) .

By: Asylum

Asylum — Fri, 15 May 2009 00:41:56 +0000

md5 and sha are hash algorithms, not encryption. Here are a few PHP encryption functions.
crypt
mcrypt

By: banu

banu — Wed, 22 Apr 2009 18:38:45 +0000

Hi ,I am looking for a way to encrypt and decrypt a file that I’m going to store on the filesystem. I am looking for something like base 64 encode. but base 64 doesnt use a key to encode. I would like something that I can encode using key and decode using key. It should be able to encode and decode all kinds of files that I upload.

Any help would be really appreciated.

thanks,

By: Rajasekar

Rajasekar — Fri, 03 Apr 2009 07:20:15 +0000

I generated sha1() string in order to store a password in the table. But i want to know how to retrive back the original password as a normal string in order to send the password to the users who have submitted the forgotten request. I want to know is there any function that i can retireve the password in normal string form. coding done in PHP

Please any one help me on this…

By: the k

the k — Sat, 14 Mar 2009 20:51:12 +0000

What is it with people thinking applying a poor “encryption” multiple times makes it any less poor? Generally, if you don’t see the flaws above commenters point out and understand what the big idea is, you might as well use no hashing at all and receive the same functionality and security with less work.

By: kapil

kapil — Wed, 17 Sep 2008 07:20:13 +0000

Thankx…. i was looking for custom function.. to encryption and decryption.. its easy and usefull..

thankx SEO Expert..

By: Bonafide

Bonafide — Thu, 31 Jul 2008 13:19:50 +0000

This IS a helpful article for beginners.
If you are one, expand on this simple technique. Mix it up a bit.

If you have any level of security concern, don’t use this because its way too obvious.

Generally helpful comments on this site too – kudos

By: Dominus Chaos

Dominus Chaos — Wed, 27 Feb 2008 12:39:38 +0000

I’ve found this tecnique somewhat usefull.
I’m managing to get a password system with 2 parameters.( i could join 2 strings in one also)
it will be:

PASSWORD
input_key [oper] mac_address = reservible_pswd.
if i wanna install in other machine i’ll only have to calculate a new input_key (will be outputed) to give the save reservible_pswd with the new mac_adress.

i can then STORE data in database with base64 and\or gzdeflate and somehow with the reservible_password.

them i can keep the reversible password HASHED in a file.

sorry for my bad english.

By: Anonamoose

Anonamoose — Sun, 17 Feb 2008 20:17:41 +0000

Roshan I appreciate you want to help beginners and hope you do continue, but my fear is by ‘dumbing down’ some of the aspects you harm them in the long term. For instance the poster who sugested using the MySQL functions, you would have to be insane to do this if you want an even remotely secure application. Also look at the people linking your article, they do not question if it is safe or even the proper way of doing it, this is insane for security, if you don’t understand it don’t do it!.
Hashing should always be ’salted’ (not mentioned in the article) once again the removal of complexity to make it easier to follow also removes some of the security given by this technique. I do not mean to pick on you personally, it’s just I found your article and had some time to spare.

By: Roshan

Roshan — Thu, 14 Feb 2008 04:40:47 +0000

Anonamoose i agree with you. Encryption is different than hashing and encoding in the book of cryptography. But this article is mainly for the beginners and my objective is to convert the password into unreadable format. If you look at the basic meaning of encryption in dictionary
http://dictionary.reference.com/browse/encryption
which refer it as “to encipher or encode.”. So we think we need to complain dictionary to remove that meaning. Isn’t it ??