
July 17th, 2005, 05:58 AM
Two way encryption with PHP - some libraries for doing this?
Hi All,
Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it for them.
The simplest option would be cleartext passwords. Easy enough. But what I
would prefer to do is some sort of two-way encryption, so I can encrypt the
passwords, store them in the database, and then get them back. Are there
any PHP libraries out there that can do this? I have thought about rolling
my own, but do not want to duplicate somebody else's effort.
A cursory look for this sort of thing returned only one-way (hashing)
encryption techniques. This leaves me back where I was, having to reset
users' passwords, rather than emailing it back to them.
I am not running a banking application here, so I am not too paranoid about
security. But, it would be nice to have some reasonable level of encryption
that is harder than rot13 to break.
Thoughts?
-Josh
July 17th, 2005, 05:58 AM
Re: Two way encryption with PHP - some libraries for doing this?
Joshua Beall wrote:
> Hi All,
>
> Up until now I have been storing passwords in the database as an sha1
> hash. I like doing it this way, but a problem arises with people who
> forget their passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough. But what
> I would prefer to do is some sort of two-way encryption, so I can encrypt
> the passwords, store them in the database, and then get them back. Are
> there any PHP libraries out there that can do this? I have thought about
> rolling my own, but do not want to duplicate somebody else's effort.
>
> A cursory look for this sort of thing returned only one-way (hashing)
> encryption techniques. This leaves me back where I was, having to reset
> users' passwords, rather than emailing it back to them.
>
> I am not running a banking application here, so I am not too paranoid
> about security. But, it would be nice to have some reasonable level of
> encryption that is harder than rot13 to break.
>
> Thoughts?
>
> -Josh
http://php.net/crypt
July 17th, 2005, 05:58 AM
Re: Two way encryption with PHP - some libraries for doing this?
"Brendan Donahue" <wizard@wizardsofwebsites.com> wrote in message
news:K9-dnbGElvcrRRfd4p2dnA@comcast.com...
> Joshua Beall wrote:
> > what I would prefer to do is some sort of two-way encryption
<snip>
> http://php.net/crypt
From the PHP manual:
"crypt -- One-way string encryption (hashing)"
I am looking for two-way encryption solutions, as I clearly stated in the OP.
Any pointers?
July 17th, 2005, 05:58 AM
Re: Two way encryption with PHP - some libraries for doing this?
In article <_tAic.65561$L31.5100@nwrddc01.gnilink.net>, Joshua Beall wrote:
> Up until now I have been storing passwords in the database as an sha1 hash.
> I like doing it this way, but a problem arises with people who forget their
> passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough.
Imho, there is a simpler solution. Don't recover the password, but
generate a new one for them.
> But what I
> would prefer to do is some sort of two-way encryption, so I can encrypt the
> passwords, store them in the database, and then get them back. Are there
> any PHP libraries out there that can do this? I have thought about rolling
> my own, but do not want to duplicate somebody else's effort.
With GnuPG / PGP you could put your public key on the server. Now write
a script that uses that public key to encrypt the data. And whenever you
need to decrypt the data, use your private key.
-- http://home.mysth.be/~timvw
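Added example (not part of the thread or any poster's code): the reset-instead-of-recover approach suggested in the post above, generalized from a new password to a single-use, expiring reset token, so passwords can stay stored one-way. The in-memory $users array, the function names and the 15-minute lifetime are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users" table; a real application would use its database.
$users = [
    'josh' => [
        'pw_hash'       => password_hash('old-password', PASSWORD_DEFAULT),
        'reset_hash'    => null,
        'reset_expires' => 0,
    ],
];

// Issue a single-use reset token. Only its SHA-256 digest is stored, so a
// leaked database row does not contain a usable token.
function issueResetToken(array &$users, string $name, int $now, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG
    $users[$name]['reset_hash']    = hash('sha256', $token);
    $users[$name]['reset_expires'] = $now + $ttl;
    return $token;                                    // sent to the user, e.g. in an e-mail link
}

// Redeem a token: expiry check, constant-time comparison, invalidate after use.
function redeemResetToken(array &$users, string $name, string $token, string $newPassword, int $now): bool
{
    $row = $users[$name] ?? null;
    if ($row === null || $row['reset_hash'] === null || $now > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['pw_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$name]['reset_hash'] = null;
    return true;
}

$now   = time();
$token = issueResetToken($users, 'josh', $now);
var_dump(redeemResetToken($users, 'josh', 'wrong-token', 'x', $now));           // case: wrong token
var_dump(redeemResetToken($users, 'josh', $token, 'new-password', $now + 60));  // case: valid token
var_dump(redeemResetToken($users, 'josh', $token, 'again', $now + 120));        // case: token reused
var_dump(password_verify('new-password', $users['josh']['pw_hash']));           // new password check
```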
July 17th, 2005, 05:58 AM
Re: Two way encryption with PHP - some libraries for doing this?
http://us2.php.net/manual/en/ref.mcrypt.php
"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message news:<_tAic.65561$L31.5100@nwrddc01.gnilink.net>...
> Hi All,
>
> Up until now I have been storing passwords in the database as an sha1 hash.
> I like doing it this way, but a problem arises with people who forget their
> passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough. But what I
> would prefer to do is some sort of two-way encryption, so I can encrypt the
> passwords, store them in the database, and then get them back. Are there
> any PHP libraries out there that can do this? I have thought about rolling
> my own, but do not want to duplicate somebody else's effort.
>
> A cursory look for this sort of thing returned only one-way (hashing)
> encryption techniques. This leaves me back where I was, having to reset
> users' passwords, rather than emailing it back to them.
>
> I am not running a banking application here, so I am not too paranoid about
> security. But, it would be nice to have some reasonable level of encryption
> that is harder than rot13 to break.
>
> Thoughts?
>
> -Josh
July 17th, 2005, 05:58 AM
Re: Two way encryption with PHP - some libraries for doing this?
Take a look at http://www.tonymarston.co.uk/php-mysql/encryption.html which
describes a reversible encryption routine for PHP. There is an online test
harness so you can see it working, and you have access to the code as well.
HTH.
--
Tony Marston http://www.tonymarston.net
"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message
news:_tAic.65561$L31.5100@nwrddc01.gnilink.net...
> Hi All,
>
> Up until now I have been storing passwords in the database as an sha1 hash.
> I like doing it this way, but a problem arises with people who forget their
> passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough. But what I
> would prefer to do is some sort of two-way encryption, so I can encrypt the
> passwords, store them in the database, and then get them back. Are there
> any PHP libraries out there that can do this? I have thought about rolling
> my own, but do not want to duplicate somebody else's effort.
>
> A cursory look for this sort of thing returned only one-way (hashing)
> encryption techniques. This leaves me back where I was, having to reset
> users' passwords, rather than emailing it back to them.
>
> I am not running a banking application here, so I am not too paranoid about
> security. But, it would be nice to have some reasonable level of encryption
> that is harder than rot13 to break.
>
> Thoughts?
>
> -Josh
July 17th, 2005, 05:58 AM
Re: Two way encryption with PHP - some libraries for doing this?
"Tony Marston" <tony@NOSPAM.demon.co.uk> wrote in message
news:c6g7a9$543$1$8300dec7@news.demon.co.uk...
> Take a look at http://www.tonymarston.co.uk/php-mysql/encryption.html which
> describes a reversible encryption routine for PHP. There is an online test
> harness so you can see it working, and you have access to the code as well.
After a cursory look, I think this is exactly the sort of thing I need.
Thanks much!
July 17th, 2005, 05:59 AM
Re: Two way encryption with PHP - some libraries for doing this?
Hi Joshua,
two possible solutions:
1) have people remember their passwords or they will have to live with
new ones.
2) or start up a bank. :)
P.S. You may wanna store passwords in plaintext since you are not
running a bank. If the database gets compromised the attacker will
very likely not be interested in your passwords (since s/he already
possesses system wide access)
Best Regards,
Lucas
"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message news:<_tAic.65561$L31.5100@nwrddc01.gnilink.net>...
> Hi All,
>
> Up until now I have been storing passwords in the database as an sha1 hash.
> I like doing it this way, but a problem arises with people who forget their
> passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough. But what I
> would prefer to do is some sort of two-way encryption, so I can encrypt the
> passwords, store them in the database, and then get them back. Are there
> any PHP libraries out there that can do this? I have thought about rolling
> my own, but do not want to duplicate somebody else's effort.
>
> A cursory look for this sort of thing returned only one-way (hashing)
> encryption techniques. This leaves me back where I was, having to reset
> users' passwords, rather than emailing it back to them.
>
> I am not running a banking application here, so I am not too paranoid about
> security. But, it would be nice to have some reasonable level of encryption
> that is harder than rot13 to break.
>
> Thoughts?
>
> -Josh
July 17th, 2005, 05:59 AM
Re: Two way encryption with PHP - some libraries for doing this?
"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message
news:_tAic.65561$L31.5100@nwrddc01.gnilink.net...
> Hi All,
>
> I am not running a banking application here, so I am not too paranoid about
> security. But, it would be nice to have some reasonable level of encryption
> that is harder than rot13 to break.
Something like this would work:
// Source alphabet and its shuffled counterpart; B was produced with str_shuffle(A).
define('A', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
define('B', 'fo2gFeBMQ45Vl3sDp1HGTYbz7vWdikU86taqSPE0muZOj9cKrxRLnJXhwyCIAN');
// Map each character A -> B to encrypt, B -> A to decrypt.
function lamefish($text, $decrypt = false) {
    return $decrypt ? strtr($text, B, A) : strtr($text, A, B);
}
Should be very hard to break if the passwords are strong.
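Added example (not code from the thread): the substitution routine above placed next to authenticated two-way encryption with PHP's bundled libsodium extension (PHP 7.2 or later), showing what differs for stored values: determinism and tamper detection. seal(), unseal() and the sample string are hypothetical names and constructed data; whoever holds $key can decrypt every stored value.

```php
<?php
declare(strict_types=1);

// The substitution routine from the post above.
const A = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const B = 'fo2gFeBMQ45Vl3sDp1HGTYbz7vWdikU86taqSPE0muZOj9cKrxRLnJXhwyCIAN';
function lamefish(string $text, bool $decrypt = false): string
{
    return $decrypt ? strtr($text, B, A) : strtr($text, A, B);
}

// Authenticated encryption: fresh random nonce per message, stored as nonce || ciphertext.
function seal(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function unseal(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : $plain;   // false means wrong key or modified data
}

$key    = sodium_crypto_secretbox_keygen();    // keep outside the database
$secret = 'Constructed-Sample-1';              // constructed sample value

// Substitution: is the output identical every time for the same input?
var_dump(lamefish($secret) === lamefish($secret));
// secretbox: are two stored values for the same input identical?
var_dump(seal($secret, $key) === seal($secret, $key));
// Round trip, then the same stored value with one bit flipped.
$stored = seal($secret, $key);
var_dump(unseal($stored, $key));
$raw = base64_decode($stored);
$raw[30] = chr(ord($raw[30]) ^ 1);
var_dump(unseal(base64_encode($raw), $key));
```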