0

I need the expertise here, i been through many resources yet could not find the answer.

i am working on simple a login script with user registration, but could not find much help/

i would like to use 3des encryption on the passwords for new user registration, and able to login after registering.

user1598675
  • 1
  • 3
    No. You do not want to use encryption. Passwords should be salted and hashed. Use bcrypt or scypt or PBKDFv2. – SLaks Aug 14 '12 at 16:51
  • I suggest you read up on good password storage practices. http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords/401684 – Robert K Aug 14 '12 at 17:15
  • Hi all, i need to know how to use 3des encryption on password quite desperately, it's not for production but more for my school coursework – user1598675 Aug 21 '12 at 17:06

1 Answers1

0

The commenter is correct, you do not encrypt passwords. You prepend a salt string that is created for the user (or a constant one for your app) to the password. You then hash the password with SHA1 or a better hashing algorithm. You store the hashed value and the salt (if it is per user). When the user authenticates, you take the password they give you, prepend the salt and hash that. Compare that to what was stored and if they match they used the correct password.

Better explanation here: http://phpsec.org/articles/2005/password-hashing.html

Erik Nedwidek
  • 6,134
  • 1
  • 25
  • 25
  • Or use bcrypt. Even SHA1 with unique salts per-user is pretty quick to crack now. – Robert K Aug 14 '12 at 17:16
  • Add 10,000 rounds to it then. Hardly a blip when checking or generating for one account but adds 10,000x to brute forcing. This is what the good password manager programs now do. – Rik Aug 15 '12 at 14:44