0

I have recently been making a user admin site with one single login to edit/change aspects of the site. I tried to make a change password page so the user is obviously able to change password if desired, i was messing around with this and have completely messed up my md5 and salt encryption to the point i wasn't able to log in anymore.

In my database in the password row i had the long character hex number displayed (which corresponded to the password i was putting into the site to log in, the md5 function changed this) with this, i deleted the longer password from the database (as it was no longer working) and put back in my actual password... thus i was able to log in again, but have no security on my password... i have no idea how to get the security back?

My encrypt page still stands but is now useless...

<?php

    function encrypt($password){
        $salt1="egf";
        $salt2="7yh";
        $password = md5($salt1 . $password . $salt2);
        return $password;
    }

?>

Please help, any advice would be appreciated! Thank you

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
user3178755
  • 1
  • 2
  • so what's the problem? feed your password into that function, take the returned hash, and stuff that into your database. If your login function accepts both plaintext AND hashed passwords, then you've got a serious problem. Passwords should **NEVER** be stored in a retrievable fashion. – Marc B Jan 09 '14 at 21:00
  • If having your password in the database in cleartext is allowing you to log in, there's a lot more wrong than your encrypt() function (which itself is syntactically fine) – Brian A. Henning Jan 09 '14 at 21:00
  • 1
    Static salt is as good as no salt, also `md5` shouldn't be used for password encryption, as it is a hash method – kero Jan 09 '14 at 21:01
  • 1
    ...it's an "outdated" and "too fast" a method. Hashing is better than encrypting, however `md5` dates back to 1996 and should not be used. – Funk Forty Niner Jan 09 '14 at 21:03
  • @Fred-ii- Could you elaborate or link on what you mean by better? Thinking about it, it seems obvious though - encrypting requires a key and content, whereas with a password you only have one of those - am I right? – kero Jan 09 '14 at 21:12
  • 1
    Here you go: http://www.php.net/manual/en/faq.passwords.php and http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it @kingkero – Funk Forty Niner Jan 09 '14 at 21:16
  • 2
    @king Hashing certainly is the way to go, because it is *non-reversible*. You couldn't get the plaintext password from it even if you tried. Encryption on the other is reversible. Only MD5 is not a good hash, it's broken. – deceze Jan 09 '14 at 21:16
  • 2
    So why can't you just create a new password and regenerate the md5 hash, then manually insert into DB? By the way as others have pointed out, you are not using a recommended password hashing approach. You should strongly consider PHP's `password_hash()` function. – Mike Brant Jan 09 '14 at 21:26
  • What I suggest is this. You setup a new password method, then a mailing function where you could send your site's users a link to reset their passwords using the latest technology, explaining but not saying the "why" reason, that "in order to better protect yourself, you need to reset your password every X-number of days." etc. etc. --- I found out a few months ago, that many (well-known) websites, are still storing passwords in plain text; I gawked. So, an ounce of prevention... dot/dot/dot. If a website is able to send you your password, I suggest you get off that site now. – Funk Forty Niner Jan 09 '14 at 21:32
  • this is for a university project, I've been studying php for no more than 2 months, sorry I'm an ammetuer! I've printed out another md5 hex and put that into my database... still no luck – user3178755 Jan 09 '14 at 21:32
  • [md5 Hash Generator](http://www.miraclesalad.com/webtools/md5.php). By the way, WordPress still uses salted MD5 hashes for passwords, and this is the MD5 generator they link to in their [instructions for resetting a password via the DB](http://codex.wordpress.org/Resetting_Your_Password). Don't forget to store the salts. You'll need those again. – Marcus Adams Jan 09 '14 at 21:36
  • if you don't have PHP 5.5 available strongly consider using IRCMaxwell's compatibility library. https://github.com/ircmaxell/password_compat It works very well, and I would recommend it. and as others are saying, don't use MD5 – Andrew Brown Jan 09 '14 at 21:37
  • Also, as others have hinted at, salts are random, not secret. – Marcus Adams Jan 09 '14 at 21:42
  • thank you all for your help, and i understand i would never use md5 if it were for a company! – user3178755 Jan 09 '14 at 21:54

1 Answers1

2

Let's look at your code piecewise:

function encrypt($password){ // You're not encrypting here at all!
    $salt1="egf"; // Not a salt
    $salt2="7yh"; // Not a salt
    $password = md5($salt1 . $password . $salt2); // MD5 is insecure
    return $password; // Why set to variable then return?
}

It seems like you're failing to understand some fundamental cryptography concepts.

  • Encrypting is a two-way process; you don't encrypt passwords, you hash them with a password hashing function (e.g. scrypt, bcrypt, PBKDF2-SHA256).
  • MD5 is a terrible choice; it's a general purpose cryptographic hash function not meant for passwords.
  • Salts must be unique per user. Having a static prefix and suffix is more akin to a pepper, which is controversial among security experts and many (myself included) view peppers as security through obscurity.

Solution: Use password_hash() and password_verify(). It was designed by experts for this exact use case.

If you're on an older version of PHP than 5.5.0, please upgrade. If that's out of your hands, complain to your hosting provider and then use password_compat.

Don't roll your own password storage scheme.

Community
  • 1
  • 1
Scott Arciszewski
  • 33,610
  • 16
  • 89
  • 206