
Two way encryption with PHP - some libraries for doing this?

Hi All,

Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough. But what I
would prefer to do is some sort of two-way encryption, so I can encrypt the
passwords, store them in the database, and then get them back. Are there
any PHP libraries out there that can do this? I have thought about rolling
my own, but do not want to duplicate somebody else's effort.

A cursory look for this sort of thing returned only one-way (hashing)
encryption techniques. This leaves me back where I was, having to reset
users passwords, rather than emailing it back to them.

I am not running a banking application here, so I am not too paranoid about
security. But, it would be nice to have some reasonable level of encryption
that is harder than rot13 to break.

Thoughts?

-Josh
Jul 17 '05 #1
8 Replies


Joshua Beall wrote:
Hi All,

Up until now I have been storing passwords in the database as an sha1
hash. I like doing it this way, but a problem arises with people who
forget their passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough. But what
I would prefer to do is some sort of two-way encryption, so I can encrypt
the passwords, store them in the database, and then get them back. Are there
any PHP libraries out there that can do this? I have thought about
rolling my own, but do not want to duplicate somebody else's effort.

A cursory look for this sort of thing returned only one-way (hashing)
encryption techniques. This leaves me back where I was, having to reset
users passwords, rather than emailing it back to them.

I am not running a banking application here, so I am not too paranoid
about security. But, it would be nice to have some reasonable level of
encryption that is harder than rot13 to break.

Thoughts?

-Josh

http://php.net/crypt
Jul 17 '05 #2

"Brendan Donahue" <wi****@wizardsofwebsites.com> wrote in message
news:K9********************@comcast.com...
Joshua Beall wrote:
what I would prefer to do is some sort of two-way encryption
<snip>
http://php.net/crypt


From the PHP manual:

"crypt -- One-way string encryption (hashing) "

I am looking for two-way encryption solutions, as I clearly stated in the OP.

Any pointers?
Jul 17 '05 #3

In article <_t******************@nwrddc01.gnilink.net>, Joshua Beall wrote:
Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough.

Imho, there is a simpler solution. Don't recover the password, but
generate a new one for them.

But what I would prefer to do is some sort of two-way encryption, so I can
encrypt the passwords, store them in the database, and then get them back.
Are there any PHP libraries out there that can do this? I have thought about
rolling my own, but do not want to duplicate somebody else's effort.


With GnuPG / PGP you could put your public key on the server. Now write
a script that uses that public key to encrypt the data. And whenever you
need to decrypt the data, use your private key.

--
http://home.mysth.be/~timvw
Jul 17 '05 #4
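
The "generate a new one" approach from the reply above, as an added example that is not code from the thread. It assumes PHP 7 or later; the `$users` array, the function names and the sample account are hypothetical stand-ins for a real users table.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory stand-in for a users table.
$users = [
    'josh' => [
        'hash' => password_hash('old-forgotten-password', PASSWORD_DEFAULT),
        'must_change' => false,
    ],
];

/** Build a temporary password from the CSPRNG, skipping look-alike characters. */
function generateTemporaryPassword(int $length = 16): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** Overwrite the stored hash; the plaintext is returned once so it can be delivered. */
function resetPassword(array &$users, string $login): ?string
{
    if (!isset($users[$login])) {
        return null; // the caller should respond identically for unknown accounts
    }
    $temp = generateTemporaryPassword();
    $users[$login]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$login]['must_change'] = true; // force a new password at next login
    return $temp;
}

/** Verify a login attempt against the salted hash only. */
function checkLogin(array $users, string $login, string $password): bool
{
    return isset($users[$login])
        && password_verify($password, $users[$login]['hash']);
}

$temp = resetPassword($users, 'josh');
var_dump(checkLogin($users, 'josh', $temp));                    // temporary password
var_dump(checkLogin($users, 'josh', 'old-forgotten-password')); // previous password
var_dump($users['josh']['must_change']);
```

Nothing recoverable is ever stored: the database holds only the salted hash, so the forgotten password is replaced rather than read back.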

http://us2.php.net/manual/en/ref.mcrypt.php
"Joshua Beall" <jb****@donotspam.remove.me.heraldic.us> wrote in message news:<_t******************@nwrddc01.gnilink.net>...
Hi All,

Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough. But what I
would prefer to do is some sort of two-way encryption, so I can encrypt the
passwords, store them in the database, and then get them back. Are there
any PHP libraries out there that can do this? I have thought about rolling
my own, but do not want to duplicate somebody else's effort.

A cursory look for this sort of thing returned only one-way (hashing)
encryption techniques. This leaves me back where I was, having to reset
users passwords, rather than emailing it back to them.

I am not running a banking application here, so I am not too paranoid about
security. But, it would be nice to have some reasonable level of encryption
that is harder than rot13 to break.

Thoughts?

-Josh

Jul 17 '05 #5

Take a look at http://www.tonymarston.co.uk/php-mysql/encryption.html which
describes a reversible encryption routine for PHP. There is an online test
harness so you can see it working, and you have access to the code as well.

HTH.

--
Tony Marston

http://www.tonymarston.net

"Joshua Beall" <jb****@donotspam.remove.me.heraldic.us> wrote in message
news:_t******************@nwrddc01.gnilink.net...
Hi All,

Up until now I have been storing passwords in the database as an sha1 hash. I like doing it this way, but a problem arises with people who forget their passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough. But what I would prefer to do is some sort of two-way encryption, so I can encrypt the passwords, store them in the database, and then get them back. Are there
any PHP libraries out there that can do this? I have thought about rolling my own, but do not want to duplicate somebody else's effort.

A cursory look for this sort of thing returned only one-way (hashing)
encryption techniques. This leaves me back where I was, having to reset
users passwords, rather than emailing it back to them.

I am not running a banking application here, so I am not too paranoid about security. But, it would be nice to have some reasonable level of encryption that is harder than rot13 to break.

Thoughts?

-Josh

Jul 17 '05 #6

"Tony Marston" <to**@NOSPAM.demon.co.uk> wrote in message
news:c6*******************@news.demon.co.uk...
Take a look at http://www.tonymarston.co.uk/php-mysql/encryption.html which describes a reversible encryption routine for PHP. There is an online test
harness so you can see it working, and you have access to the code as well.

After a cursory look, I think this is exactly the sort of thing I need.
Thanks much!
Jul 17 '05 #7

Hi Joshua,

two possible solutions:

1) have people remember their passwords or they will have to live with
new ones.
2) or start up a bank. :)

P.S. You may wanna store passwords in plaintext since you are not
running a bank. If the database gets compromised the attacker will
very likely not be interested in your passwords (since s/he already
possesses system wide access)

Best Regards,

Lucas
"Joshua Beall" <jb****@donotspam.remove.me.heraldic.us> wrote in message news:<_t******************@nwrddc01.gnilink.net>...
Hi All,

Up until now I have been storing passwords in the database as an sha1 hash.
I like doing it this way, but a problem arises with people who forget their
passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough. But what I
would prefer to do is some sort of two-way encryption, so I can encrypt the
passwords, store them in the database, and then get them back. Are there
any PHP libraries out there that can do this? I have thought about rolling
my own, but do not want to duplicate somebody else's effort.

A cursory look for this sort of thing returned only one-way (hashing)
encryption techniques. This leaves me back where I was, having to reset
users passwords, rather than emailing it back to them.

I am not running a banking application here, so I am not too paranoid about
security. But, it would be nice to have some reasonable level of encryption
that is harder than rot13 to break.

Thoughts?

-Josh

Jul 17 '05 #8

"Joshua Beall" <jb****@donotspam.remove.me.heraldic.us> wrote in message
news:_t******************@nwrddc01.gnilink.net...
Hi All,

I am not running a banking application here, so I am not too paranoid about security. But, it would be nice to have some reasonable level of encryption that is harder than rot13 to break.


Something like this would work:

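    // Substitution alphabets: each character in A is replaced by the character
    // at the same position in B (B was produced with str_shuffle(A)).
    define('A', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
    define('B', 'fo2gFeBMQ45Vl3sDp1HGTYbz7vWdikU86taqSPE0muZOj9cKrxRLnJXhwyCIAN');

    // Characters outside A (punctuation, spaces) pass through unchanged.
    function lamefish($text, $decrypt = false) {
        return $decrypt ? strtr($text, B, A) : strtr($text, A, B);
    }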

Should be very hard to break if the passwords are strong.
Jul 17 '05 #9
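
For comparison with the fixed substitution table in the last post and the reversible-encryption libraries asked about in the thread, an added example (not code from any poster) of two-way encryption using PHP's bundled sodium extension. It assumes PHP 7.2 or later; `substitute`, `encryptValue`, `decryptValue` and the sample value are hypothetical names and constructed data.

```php
<?php
declare(strict_types=1);

// The substitution alphabets from the thread's last post.
const A = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const B = 'fo2gFeBMQ45Vl3sDp1HGTYbz7vWdikU86taqSPE0muZOj9cKrxRLnJXhwyCIAN';

function substitute(string $text): string
{
    return strtr($text, A, B); // fixed table, no key material, no randomness
}

/** Encrypt with a fresh random nonce; nonce and ciphertext are stored together. */
function encryptValue(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Returns null for malformed input, a wrong key, or a modified ciphertext. */
function decryptValue(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed sample value; a real key would be loaded from outside the database.
$key = sodium_crypto_secretbox_keygen();
$sample = 'Tr0ub4dor&3';

var_dump(substitute($sample) === substitute($sample)); // same input, same stored value
$one = encryptValue($sample, $key);
$two = encryptValue($sample, $key);
var_dump($one === $two);            // random nonce: two encryptions of one value compared
var_dump(decryptValue($one, $key)); // round trip with the right key

$raw = base64_decode($one, true);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);           // simulate an altered database field
var_dump(decryptValue(base64_encode($raw), $key)); // authentication check on altered data
```

The encryption key has to be kept somewhere the database dump does not reach, otherwise whoever obtains the table can decrypt every row.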
