
I'm using data from another server (not my server) and I need to log in to this server. So I need to know the password for every user account. I need to send this password to the server through an HTTP request (no problem). But the server expects an insecure password.

So if the password is '123456' I have to send POST request with data:

"username=user&password=123456"

I cannot use the md5 function because after it I am not able to get back the password, so my question is: how can I encode this password? Does some common PHP function exist for this? For example:

$securePassword = php_encode("123456", "mykey")
php_decode($securePassword, "mykey")

Because I just do not want to store "123456" in my database.

Lodhart
  • This is really REALLY insecure... also sending it by post... – Legionar Nov 05 '13 at 13:32
  • Do you need to be able to do the operations when the user is offline? If you don't, then you can simply store the password in the session. – Antonio E. Nov 05 '13 at 13:36
  • Yes, this password will be stored in the database just once, and after that there will be a script which will run every day automatically (without the user). – Lodhart Nov 05 '13 at 14:13

6 Answers


The point of a hash is that you can't un-encrypt it. To check if someone entered a correct password, hash what they typed in and compare it to the hash of their password in the database. If it matches, the password is right; otherwise, it's wrong. Also, as long as you use SSL and a decent hash algorithm, you should be secure.

woz

If you have PHP >5.5, you can use the function password_hash. If you have a lower version that is higher than PHP 5.3.7, you should use password_compat.

Wayne Whitty
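As an added illustration of the answer above (example code, not part of the original answer): password_hash()/password_verify() for the site's own user accounts. This is one-way, so it fits checking logins but not the question's case of having to hand the original password to another server. The cost value and the variable names are assumptions.

```php
<?php
// Added example: bcrypt via password_hash()/password_verify() (PHP >= 5.5,
// or the password_compat library on PHP 5.3.7+).

// Cost chosen for illustration; raise it as hardware gets faster.
const BCRYPT_OPTIONS = ['cost' => 12];

// On account creation or password change. The returned string embeds the
// algorithm, cost and a per-password random salt (e.g. "$2y$12$...").
function store_password_hash(string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT, BCRYPT_OPTIONS);
    if ($hash === false) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// On login: password_verify() re-hashes the candidate with the stored salt
// and compares in constant time, so the hash never has to be reversed.
function check_login(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// After a successful login: returns a replacement hash when the stored one
// was produced with weaker parameters than BCRYPT_OPTIONS, else null.
function rehash_if_needed(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, BCRYPT_OPTIONS)) {
        return store_password_hash($password);
    }
    return null;
}

// Usage sketch with constructed values:
$stored = store_password_hash('123456');   // goes into the users table
$ok  = check_login('123456', $stored);     // true
$bad = check_login('654321', $stored);     // false
$upgrade = $ok ? rehash_if_needed('123456', $stored) : null; // null unless cost changed
```

Each call to store_password_hash() yields a different string for the same input because of the random salt; compare only with password_verify(), never with == or ===.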

Use mcrypt_encrypt() and mcrypt_decrypt().
For more info, see this SO post.

pratim_b
  • This is probably what I need. The best thing I can do is secure the password on my side (in my database), because there is NO other way to send the password to this server than the POST method. – Lodhart Nov 05 '13 at 14:04
  • @Lodhart happy to hear it helped. Well but I believe no algorithm is unbreakable. – pratim_b Nov 05 '13 at 14:17

What you are looking for is not how to secure the password but how to secure the transport of the password. You do this using Transport Layer Security, aka TLS aka SSL.

That said, transmitting a password in this fashion isn't really advised and a better mechanism should probably be devised. If you encrypt or hash the password and transmit the cipher text this offers no protection at all because an attacker would simply send cipher text just as you would.

You need to encrypt the data in transit. Get SSL set up on your site.

Scott Helme
  • I know, I know, terrible idea to send the password through a POST request. But the other server is not mine, and if I want to use SSL, the other server must support SSL, right? The problem is that I have very limited information about the other server. – Lodhart Nov 05 '13 at 14:08
  • Yes, the other server would need SSL. If it could handle comms over SSL then you *could* send the password in plain text and not worry too much, but you *shouldn't* ever do that. It should always be hashed (and salted). If this really is your situation then you would appear to have little choice. Just understand that even if the password was encrypted/hashed then an attacker would just send the hashed password like you do. They can still impersonate you easily without knowing what the password is. – Scott Helme Nov 05 '13 at 14:12
  • I really understand: it does not matter WHAT you send, if it is just a POST request you can simply catch the HTTP communication and use it. The problem is that I cannot affect it. The POST req. is the only way I can get data from this server. So I just want to encode the password in my database because I'm not the only one who has access to the database. – Lodhart Nov 05 '13 at 14:19
  • If others have access to your database then you need to encrypt data on the way in and then decrypt it on the way out. You also need to store the key somewhere that others can't access it or use a protected API to fetch/place data from/to the db. – Scott Helme Nov 05 '13 at 15:08
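The last comment above (encrypt on the way into the database, decrypt on the way out, keep the key where database users cannot reach it) is the part of this thread that actually matches the question's php_encode/php_decode sketch, and it is also what the mcrypt_encrypt()/mcrypt_decrypt() answer earlier on this page is pointing at. The following is an added example, not code from any of the answers: it uses openssl_encrypt()/openssl_decrypt() with AES-256-GCM (PHP 7.1+) rather than the mcrypt extension, which was removed in PHP 7.2. The CREDENTIAL_KEY environment variable name and the token layout are assumptions.

```php
<?php
// Added example: reversible, authenticated encryption of a third-party
// credential so the database row alone is useless without the key.

const CIPHER     = 'aes-256-gcm';
const NONCE_LEN  = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_LEN    = 16;   // 128-bit authentication tag
const VERSION    = "\x01"; // token format version, lets the layout change later

// The 32-byte key lives outside the database (assumed env var CREDENTIAL_KEY,
// generated once with bin2hex(random_bytes(32))), so someone with database
// access but no server access cannot decrypt anything.
function load_key(): string
{
    $hex = getenv('CREDENTIAL_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('CREDENTIAL_KEY must be 64 hex characters (32 bytes)');
    }
    return hex2bin($hex);
}

// Produces one base64 token: version . nonce . tag . ciphertext. Everything
// needed to decrypt except the key travels with the row.
function encrypt_credential(string $plaintext, string $key): string
{
    $nonce = random_bytes(NONCE_LEN);   // fresh per encryption; never reuse with the same key
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode(VERSION . $nonce . $tag . $ciphertext);
}

function decrypt_credential(string $token, string $key): string
{
    $raw = base64_decode($token, true);
    $headerLen = strlen(VERSION) + NONCE_LEN + TAG_LEN;
    if ($raw === false || strlen($raw) < $headerLen || $raw[0] !== VERSION) {
        throw new RuntimeException('malformed token');
    }
    $nonce      = substr($raw, 1, NONCE_LEN);
    $tag        = substr($raw, 1 + NONCE_LEN, TAG_LEN);
    $ciphertext = substr($raw, $headerLen);
    // GCM checks the tag first: a row edited by another database user, or one
    // encrypted under a different key, fails here instead of yielding garbage.
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plaintext;
}

// Usage sketch for the nightly job from the question (constructed values):
$key      = load_key();
$stored   = encrypt_credential('123456', $key);   // this string goes into the database column
$password = decrypt_credential($stored, $key);    // recovered only when the POST body is built
$postBody = http_build_query(['username' => 'user', 'password' => $password]);
```

The design choice worth noting: encryption here protects the credential at rest against other database users, which is the asker's stated threat. It does nothing for the transport leg, which is the point Scott Helme makes above; the decrypted value still goes over the wire exactly as the remote server demands.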

Have a look at the below 2 functions:

http://www.php.net/manual/en/function.mcrypt-encrypt.php and http://www.php.net/manual/en/function.mcrypt-decrypt.php.

Ramesh

There is a reason passwords are hashed instead of encrypted. You cannot decrypt a hash. Generally the convention is to do the following:

Create Password

  1. Send the new password to the server
  2. Hash the password
  3. Store the hash in the database

Check Password

  1. Send the password to the server
  2. Hash the password
  3. Check if the hash matches the hash stored in the database

For this you should use something like SHA256:

// check password
$hash = hash('sha256', $password);          // hash what the user just typed
$db_hash = db_get_password($username, ...); // hash stored for this user
// Compare with hash_equals() (PHP >= 5.6; use === on older versions).
// A loose == comparison treats hex strings like "0e123..." as numbers and
// can report a false match between two different hashes.
if (hash_equals($db_hash, $hash)) {
    // correct password
}
azz
  • I know this principle and I'm using it on my server. But I need to get content from another server, and to get content I need to log in (everything by PHP). I triggered data between browser and server to understand how to log in, and I need to send a POST req. with login and password. That is what I know about the second server. – Lodhart Nov 05 '13 at 13:58