How can I encrypt my password in CodeIgniter? Here is my code:

$password = $this->security->xss_clean($this->input->post('password'));

How do I make it md5?

John Conde
ricky

  • Possible duplicate: http://stackoverflow.com/questions/16846918/codeigniter-password-encryption-and-validation ? – Maximus2012 May 18 '15 at 21:58
  • md5 is a very bad choice. – SaidbakR May 18 '15 at 23:06
  • Also, don't XSS-clean passwords as that may remove characters from it and therefore decrease security. You gain nothing by applying XSS sanitization to something that you'd hash anyway. – Narf May 19 '15 at 21:10

1 Answer

To do specifically what you need, the following code will work:

$password = md5($this->security->xss_clean($this->input->post('password')));

However, as has been stated in the comments, md5 is a very bad choice for storing passwords, and it should be avoided at all costs. You should also avoid sha1 and anything else which is quick to hash with. For more information, check out Jeff Atwood's blog post, "Your password is too damn short". Specifically the following part:

And for developers:

Pick your new password hash algorithms carefully, and move all your old password hashing systems to much harder to calculate hashes. You need hashes that are specifically designed to be hard to calculate on GPUs, like scrypt.

Even if you pick the "right" hash, you may be vulnerable if your work factor isn't high enough. Matsano recommends the following:

scrypt: N=2^14, r=8, p=1

bcrypt: cost=11

PBKDF2 with SHA256: iterations=86,000

But those are just guidelines; you have to scale the hashing work to what's available and reasonable on your servers or devices. For example, we had a minor denial of service bug in Discourse where we allowed people to enter up to 20,000 character passwords in the login form, and calculating the hash on that took, uh … several seconds.

The post also covers just how quickly attempts to crack the passwords can be made for any given hash algorithm (in tries per second):

  • NTLM = 350,000,000,000
  • MD5 = 180,000,000,000
  • SHA1 = 63,000,000,000
  • SHA512Crypt = 364,000
  • bCrypt = 71,000

Obviously the lower the amount of tries per second which can be performed, the more time it takes to break the hashing.

With that in mind, please reconsider your hashing choice for your application and make it use sensible hashing for passwords.

gabe3886

  • If that's not working, use your initial line, then on the line below do `$password = md5($password);`. Sometimes you need to do things in two steps. That aside, have you reconsidered storing the password as an MD5 hash? – gabe3886 May 19 '15 at 17:59
  • Thanks a lot :) Can you please help me how I can check my login status on my site. For example session->set_userdata($data);){ redirect to my home} else {redirect to login}. Should I write it on home page starting. Is my code okay? Advanced thanks – ricky May 19 '15 at 18:05
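As an added example (not code from the question, the answer or CodeIgniter itself), the md5 line from the answer is shown beside the bcrypt alternative the quoted guidelines recommend, using PHP's built-in password_hash() with the cost=11 the answer cites; the CodeIgniter input call is replaced by a constructed sample string so the script runs stand-alone, and the legacy-hash migration check is an assumed pattern, not something the answer prescribes.

```php
<?php
// Added example: insecure md5 storage beside bcrypt via password_hash()
// (PHP >= 7.0). $this->input->post('password') is replaced by a
// constructed sample value so this runs outside CodeIgniter.
$submitted = 'correct horse battery staple';   // constructed sample input

// --- What the question asked for: unsalted, fast, trivially brute-forced ---
// Identical passwords give identical 32-hex-char digests, so rainbow tables
// and GPU cracking (~180 billion tries/s per the answer) apply directly.
$legacyMd5 = md5($submitted);

// --- Recommended: bcrypt with a tuned work factor (cost=11 per the answer) ---
const BCRYPT_OPTIONS = ['cost' => 11];

function hashPassword(string $plain): string
{
    // password_hash() draws a fresh random salt per call and embeds the
    // algorithm, cost and salt in the result ("$2y$11$..."), so nothing
    // else needs storing. The password is deliberately NOT passed through
    // xss_clean(): sanitising alters characters (see Narf's comment) and
    // the plaintext is never rendered anyway.
    return password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

function verifyPassword(string $plain, string $stored): bool
{
    // Constant-time comparison against the stored bcrypt string.
    return password_verify($plain, $stored);
}

function needsUpgrade(string $stored): bool
{
    // True when $stored was not produced with PASSWORD_BCRYPT at the current
    // cost: an old md5 hex string, or bcrypt at a lower cost. On a successful
    // login the row can then be rehashed transparently with hashPassword().
    return password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

$stored = hashPassword($submitted);
echo "bcrypt hash: {$stored}\n";
echo 'correct password verifies: ', verifyPassword($submitted, $stored) ? 'yes' : 'no', "\n";
echo 'wrong password verifies:   ', verifyPassword('wrong password', $stored) ? 'yes' : 'no', "\n";
echo 'bcrypt row needs rehash:   ', needsUpgrade($stored) ? 'yes' : 'no', "\n";
echo 'md5 row needs rehash:      ', needsUpgrade($legacyMd5) ? 'yes' : 'no', "\n";
```

Raising the cost later only requires changing BCRYPT_OPTIONS; needsUpgrade() then flags existing rows for rehashing at their next successful login.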