The passwords in my database is now text and I just figured that I can use md5() function to convert the passwords to hashes, but now I want to convert all of my users in the database to hashes any idea to do that so I should not need to tell everybody to reenter their passwords,
This question is not duplicated with any other question Like Convert text passwords in database to hashed passwords?, because I want to know an idea how to do that in PHP, and Secure hash and salt for PHP passwords is also not duplicated because I want to change all password which exist already in my database I should not need to ask all of my user to change their passwords as I said above,
Any ideas?
All you have to do for your example is run each password through the hash (which I recommend is not md5 since that one now has known weaknesses) and store the hash back. Then when someone tries to log in, take their password and hash it, then compare the hash to what you have in the database. If you currently store the plaintext, you should not have to ask the users to renter anything, just hash what you have already.
Md5 encryption is not secure, but I have encrypted it for you.
password_hash() example using Argon2i
<?php
echo 'Argon2i hash: ' . password_hash('rasmuslerdorf', PASSWORD_ARGON2I);
?>
Related
Below i had encrypted a string varible using sha1. And now i would wish to decrypt data using sha1 function, but am going some where. Would some one come forward and guide me in proper way please.
Below is my code
<?php
$variable = "tiger";
echo $variable;
$encrypt = sha1($variable);
echo $encrypt;
$decrypt = sha1($encrypt);
echo $decrypt;
?>
And i get output like this
tiger
46e3d772a1888eadff26c7ada47fd7502d796e07
989df2c8b5ea37eb7cfde0527d94c01a15257002
SHA-1 is an one-way hash function.
According to wikipedia
A cryptographic hash function is a hash function which is considered
practically impossible to invert, that is, to recreate the input data
from its hash value alone.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Thus you simply can not decrypt it.
simply you can use custom encoding decoding for your password if not then you can use base64_encode() to store in db and base64_decode() for using in profile etc
SHA1 cannot be derypted easily.
The only way through it is a brute-force cracker.
They're widely available online like: http://md5-sha.com/md5-encrypt-hash-generator-online
Those websites have a large database of already hashed passwords which can be very useful.
Hope it helps, have a nice day.
SHA1 hash can't be derypted but you can try online on many different sites which have hug database of password and it's SHA1 hash. So you can try below online tools :
SHA1 Decoder Online
SHA1 tool
You cannot decrypt it.
Hashing is one way only - MD5 and SHA-1 both are one-way hash functions.
You have to create new hash of the input at the login form and check if it is equal to the stored hash.
SHA-1 can't be decrypted directly. This is the idea behind it: encryption that can't be decrypted easily.
The only way to solve it is brute-force: Try to guess the correct result by encoding phrases and checking if they fit the provided phrase.
If you want to use SHA-1 for stuff like logins: Encode the entered password in SHA-1 as well and check if it's the same as one saved in SHA-1.
In short sha1() CAN be decrypted. However only fairly simple strings can be. A password with numbers, upper and lower case and special characters will prove difficult but the likes of Password12345 can be decrypted via -
https://md5hashing.net/hash/sha1
***Bit more research. sha1() does not ever change how it encrypts the characters - so for example "MyPassword that was encrypted with sha1() 6 years ago STILL gives the output of "daa1f31819ed4928fd00e986e6bda6dab6b177dc" today in 2020.
These values are obviously stored in the above website and as time goes on the library of recognised passwords grows.
If you can't decrypt and you want to show the value then use this method.
Example you are creating login form with password encrypted and want to show password to user after login in their dashboard.
then create two columns one column is for encrypted_password and one for not_encrypted_password,
$not_encrypted_password="password";
$encrypted_password =sha1("password");
$sql = mysqli_query($conn,"INSERT INTO user (not_encrypted_password,encrypted_password)VALUES('$not_encrypted_password','$encrypted_password')");
in this way you can use login for column encrypted_password and to show password in dashboard for user use column not_encrypted_password.
Preface: Making a simple ecommerce website. Users are automatically added, when they register, via registration page. I want to automatically encrypt their passwords.
Problem: The MySQL website shows how to use AES_ECRYPT, but it seems like it's for Terminal-type settings where the Admin would manually do this.
I want to add some code to register.php to make it automatically encrypted.
Thanks!
As the other answers have stated, you should not encrypt your passwords. They should be hashed.
They should NOT use MD5 or SHA
You SHOULD use bcrypt
Encryption should not be used because you never want to be able to decrypt the values and see the passwords, because hackers could also do the same.
Hashes are like one way encryption, you create a hash, and when logging in, you hash the password they entered on login and compare it against the stored hash.
MD5 and SHA are not suitable for this anymore as computers are faster and faster they can hash dictionary words and common passwords at a rate of 60+ billion per second to try to get your passwords.
This topic has been covered to death on StackOverflow.
See this for how to use bcrypt How do you use bcrypt for hashing passwords in PHP?
And this for an explanation as for why: Secure hash and salt for PHP passwords
You are going to want to hash passwords and not encrypt them. An encryption can be undone with the key. The password the user types in is called the plaintext password, the plaintext password should NEVER be written or stored anywhere.
When something is hashed, it is a one way translation, a hash cannot easily be translated back to its plaintext form, so when someone enters their password, you hash it and then compare it with the hashed password stored in the database.
A few hashing algorithms are MD5, SHA1, etc- in PHP, you can use the crypt function to hash a password. I should note that MD5 and SHA1 are not as secure anymore as they are very fast, which means that they can be brute forced fairly quickly (there are also databases where you can reverse engineer the hashes fairly quickly). You should use PHP's crypt function.
tl;dr - Hash passwords, don't encrypt them (for security, especially eCommerce).
I'm making a registration form, my only doubt is how to handle passwords (how to insert them into MySQL database). I don't have the slightest idea on how to do it, what type of column must Passwords be, whether I must encrypt them somehow, etc. Could you provide a basic example with explanation so that I manage to do it?
You don't want to store the password as-is in plaintext. You don't even want to be able to know what the password is. Therefore, you store a hash of the password in your database. When the user wants to log in, you hash the password he's trying to login with, then compare that to the hash in the database. Any serious password storage system furthermore salts the hash to prevent rainbow table attacks against the password (google that). Since this is a rather complex topic and you apparently have no experience with it at all, I recommend you use phpass to hash and salt your passwords without worrying about the implementation details. The phpass site also has some good introductory articles about the topic. Here's another one that keeps it really simple.
As for the database, that'll just be a normal VARCHAR field long enough to hold the hash.
Read this: http://codahale.com/how-to-safely-store-a-password/
Then do this: http://www.openwall.com/phpass/
You should not store password, password hash only.
Database type should be choose after you will choose hasfunction.
For md5/sha512 it will be char(32) if you will keep hex representation
Query is something like this:
"INSERT INTO users SET otherFields,pass_hash='".hashFunc($_POST['password']."';
where hashFunc generates hash ex
function hashFunc($pass){
$salt='something';
md5($salt . $pass);
}
The only way to safely secure a password is using a Moore's Law-defeating hash function. Use bcrypt!
One of the ways it can be done is by using md5. You convert the password to md5 and put it in the database (md5 encryption is one-way) when the user logs in again you convert the filled in password again and check if the converted password is somewhere to be found in your database (in combination with a username usually).
EDIT
You can make a string into an md5 string with this:
$converted_pass = md5($unconverted_pass);
However you will need to add a so called salt-key to the password before you encrypt it with md5. This is a set of letters/numbers etc. If you do this every time you will have the same result but it will be quite safe :)
I'm starting to create a user system for my website, and what I want to do is to have the passwords encrypted, rather than plaintext. I'm using PHP/MySQL, so I figured crypt() is a good place to start. However, I'm brand new to cryptography like this, and I'm having trouble understanding exactly how it works. Does anybody know how to implement, at the simplest level, a way for passwords to be stored as an encrypted string, but always be able to be decrypted, without a security issue?
Passwords should be hashed, not encrypted. That is, you should not be able to decrpyt the password. Instead, you should compare hashes.
User sets password $password = 'hX4)1z'
You get hash of password and store to DB:
#
$pw = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);
mysql_query('INSERT INTO passwords (pw) VALUES ('$pw');
Customer comes back later. They put in their password, and you compare it:
#
mysql_query('SELECT pw FROM passwords WHERE user_id = ?');
//$pw = fetch
if ($pw == hash_hmac('sha512', 'salt' . $_REQUEST['password'], $_SERVER['site_key']) {
echo "Logged in";
}
PHP has some built-in has functions, such as md5(). When I was learning I found IBM's primer very useful - I'd highly recommend looking at that.
As an aside, I would advise against being able to decrypt a password. The only person who should know their password is a user! This is why we store hashed versions of passwords which we can check against, rather than storing encrypted passwords which can be decrypted..
I notice people make huge deals about storing passwords.
Agreed you shouldn't store passwords as plain texts, but if you store the one way hash and get rid of the password, hackers can still using algorithms to hack a hash hashing strings and comparing.
Also, if you encrypt with an algorithm that you can decrypt later, that can also be hacked by figuring out the algorithm of the encryption.
I think as long as no one can see the users' passwords outright and you simply make it difficult for hackers you're good, but people say you shouldn't encrypt because it can be decrypted but that's not fair because anything can be hacked.
Use md5 instead
http://php.net/manual/en/function.md5.php
http://en.wikipedia.org/wiki/Md5
You can use md5 or better hashing technique like sha1
See password hashing http://phpsec.org/articles/2005/password-hashing.html for more details.
I suggest using SHA2 with a salt to store your password.
To create a SHA2 hash, use this:
$hash = hash("sha512", $password.$salt);
A salt contains some extra characters to add to your password before hasing to prevent rainbow tables (databases of passwords and it's hashes). You can create one using a unique user info (like a user_id) or just create a random one and store it somewhere. Just make sure the salt is long enough.
Don't make use of MD5 anymore; it's old. See http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities for more info.
EDIT: These are one-way hashing algoritms. You can and should not be able to decrypt a password. If you can, then there is no point in using a hash to store passwords.
No, there is always going to be a security issue with regards to where you store the encryption password. This is why websites never store the hash of the password and not the password itself. When someone registers at your website and they enter the password, you store the hash (MD5 or SHA1 or whatever, as mentioned above) of the password. When they log in later you again hash the password they entered (by the same method used when storing it) and compare. If the hashes are the same then the passwords are the same (with a very high probability!) Any website that lets you recover your password is an insecure website.
Please try to search StackOverflow before asking a question. Many questions are already answered. For example:
PHP & MySQL compare password
how do I create a mySQL user with hash(‘sha256’, $salt . $password)?
Secure hash and salt for PHP passwords
User Login with a single query and per-user password salt
Non-random salt for password hashes
Hi
I want that nobody can see my password even in database..
So i used hash function like this
$passowrd_hash=hash('shal',$_POST['password']);
Now easily I can store this password_hash value into database. It will be something like in encrypted form.
Now user know its original password he don't know this encrypted password.
Now if he try to login through this original password..He is not able to login.
So is there any method so that it can be decrypted and user can make log in. So he can achieve both security of password as well as login again.
How to do this?
you need to hash the user input password and compare hashes.
Before comparing the posted password by the user with the one in the database, encrypt the posted password the same way as the stored password.
All you need to do is encrypt the password you type in and compare the two; the hash in the database and the one you just encrypted. If they match then the password entered is the right one. I am assuming you are using an algorithm like SHA1.
As already answered, you need to hash the password every time they re-enter it and compare the hash to what is in your database.
You ALSO should look into using salt in your hashing algorithm. There is a good deal of discussion in this question:
Secure hash and salt for PHP passwords
You dont need to decrypt it. You cannot convert back a hash to a plain text, its a one way function. So, basically you hash the input password and compare the two hash:
E.g (pseudo code):-
if hash(password entered by user) == password stored in databse Then
//logged in successfully
else
//login failed
end if
I highly recommend using md5() http://php.net/manual/en/function.md5.php.
When the user signs up, you store:
$password = md5($_POST['password']);
And when the user logs in you check:
if($_POST['password_entered'] == $passwordFromDB) :
// Log user in
else :
// Show error to user
endif;