MySQL PHP: When I automatically add users, how to encrypt their passwords

Question

Preface: Making a simple ecommerce website. Users are automatically added, when they register, via registration page. I want to automatically encrypt their passwords.

Problem: The MySQL website shows how to use AES_ECRYPT, but it seems like it's for Terminal-type settings where the Admin would manually do this.

I want to add some code to register.php to make it automatically encrypted.

Thanks!

Check the related posts. Search is your friend. This forum is for answering questions where you have tried something yourself. — , Apr 07 '14 at 00:42
You should be using `bcrypt` to hash passwords. See this for how: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php and this for why: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords — AJReading, Apr 07 '14 at 01:16

score 0 · Answer 1 · edited May 23 '17 at 10:33

As the other answers have stated, you should not encrypt your passwords. They should be hashed.

They should NOT use MD5 or SHA

You SHOULD use bcrypt

Encryption should not be used because you never want to be able to decrypt the values and see the passwords, because hackers could also do the same.

Hashes are like one way encryption, you create a hash, and when logging in, you hash the password they entered on login and compare it against the stored hash.

MD5 and SHA are not suitable for this anymore as computers are faster and faster they can hash dictionary words and common passwords at a rate of 60+ billion per second to try to get your passwords.

This topic has been covered to death on StackOverflow.

See this for how to use bcrypt How do you use bcrypt for hashing passwords in PHP?

And this for an explanation as for why: Secure hash and salt for PHP passwords

score -1 · Accepted Answer · answered Apr 07 '14 at 00:56

You are going to want to hash passwords and not encrypt them. An encryption can be undone with the key. The password the user types in is called the plaintext password, the plaintext password should NEVER be written or stored anywhere.

When something is hashed, it is a one way translation, a hash cannot easily be translated back to its plaintext form, so when someone enters their password, you hash it and then compare it with the hashed password stored in the database.

A few hashing algorithms are MD5, SHA1, etc- in PHP, you can use the crypt function to hash a password. I should note that MD5 and SHA1 are not as secure anymore as they are very fast, which means that they can be brute forced fairly quickly (there are also databases where you can reverse engineer the hashes fairly quickly). You should use PHP's crypt function.

tl;dr - Hash passwords, don't encrypt them (for security, especially eCommerce).

SHA1 and MD5 are not secure at all with todays computing power and brute force attacks using rainbow tables, and should **not** be used. bcrypt is designed for password hashing and is the only way to do it. — AJReading, Apr 07 '14 at 01:18
Thank you!! I searched but didn't know I had to search for "bcrypt". Thanks again! — Camellia Wunderbar, Apr 07 '14 at 02:23

MySQL PHP: When I automatically add users, how to encrypt their passwords

2 Answers2