Password hashing/encrypting? / Forums / Community / EllisLab

Forum Logo

Password hashing/encrypting?

Yazan

Posted: 01 November 2011 03:56 AM

[ Ignore ]

Joined: 2011-10-31
2 posts

Hello,

I have a table in phpMyAdmin with usernames and passwords. I’d like to encrypt these passwords. How do I do that?

Is there a way to do this using the SQL console?

WanWizard

Posted: 01 November 2011 06:56 AM

[ Ignore ] [ # 1 ] [ Rating: 0 ]

Joined: 2008-11-04
4422 posts

There’s a difference between hashing and encrypting.

Hashing is a one-way process. You store the hashed password in the database, and when a user types the password, you hash it first, and then look it up in the database. No readable passwords are stored, and you can not reconstruct the password from the hash.

Encryption is a two-way process. You can decrypt something you have encrypted, and get the original back. For encryption you need a an encryption key (called password by MySQL) which you need to provide to decrypt. You will have to store this key in your application to be able to encrypt/decrypt.

Hashing is faster then encrypting, and only use encryption when you need to be able to retrieve the original.

Also, not all algorithms are very secure. MD5 for example is easily broken. If you want security, look at bcrypt or PBKDF2. Both are not supported by MySQL, but there are PHP libraries available that provide these algorithms.

For MySQL hashing and encrypting, see http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html

Signature

Me: WanWizard.eu | My company: Exite | Datamapper: DataMapper ORM

gRoberts

Posted: 01 November 2011 08:25 AM

[ Ignore ] [ # 2 ] [ Rating: 0 ]

Joined: 2007-11-23
332 posts

That said, hashing can be useful. It can be reversed, only if you know how it was generated in the first place.

Using a straight MD5 hash on the password is silly, but what I do, in a combination of ways…

$Password = 'test'; $UserID = 1; $HashedPassword = md5(md5($UserID).md5($Password)); 

But if your really up tight on security, then using the above would be a solution/start…

jcorry

Posted: 01 November 2011 01:12 PM

[ Ignore ] [ # 3 ] [ Rating: 0 ]

Joined: 2011-10-13
10 posts

Yazan - 01 November 2011 03:56 AM
Hello,

I have a table in phpMyAdmin with usernames and passwords. I’d like to encrypt these passwords. How do I do that?

Is there a way to do this using the SQL console?

Yes, run this query:


UPDATE users SET password = SHA1(CONCAT(password, username))

That’ll hash all of your passwords using the user’s username as the salt…hope you don’t let users change their username.

Then, to check if a login is valid you compare the same values:

Something like this:

$this->db->select('id')
       ->from('users')
       ->where(array('username' => $username, 'password' => sha1($password . $username))
       ->get()
       ->row(); 

If you get a row back, the $username and $password were correct…if you don’t, they weren’t.

jcorry

Posted: 01 November 2011 01:57 PM

[ Ignore ] [ # 4 ] [ Rating: 0 ]

Joined: 2011-10-13
10 posts

Whoops! Duplicate!

Yazan

Posted: 02 November 2011 04:22 AM

[ Ignore ] [ # 5 ] [ Rating: 0 ]

Joined: 2011-10-31
2 posts

Thank you so much for your replies everyone! You’ve helped me so much!

Thank you!