I'm working on a PHP-based project. I want to secure passwords using my machine's private key - something one shouldn't be giving away anyway. So I thought it might be a good idea. However, the OpenSSL API within PHP is a bit confusing.

Can someone point out a way I can store and later validate a user's password? By "store", I mean that during the user's registration, the password entry is created and stored, and by "validate", I mean to pick up the password and validate it against the entered string.

I tried to find a Composer library, but my installation of PHP is missing ext-mcrypt since I did not compile it in.

jww
Ingwie Phoenix
  • Do not *encrypt* passwords. [Hash them](http://php.net/manual/en/ref.password.php). – Mathew Tinsley Jun 28 '15 at 17:03
  • @mtinsley I see `password_hash` in there. How do I validate a password against this function's value? – Ingwie Phoenix Jun 28 '15 at 18:23
  • @mtinsley NVM, I [found it](http://php.net/manual/de/function.password-verify.php). – Ingwie Phoenix Jun 28 '15 at 19:35
  • What platform are you on (Windows, Linux, BSD, etc)? On Windows, machines are security principals and they have an RSA keypair. I don't believe Linux has the same. Also, on Windows, it is recommended you use [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) or [Isolated Storage](https://msdn.microsoft.com/en-us/library/3ak841sy%28v=vs.110%29.aspx). You should not (and cannot) use the machine's keypair directly. – jww Jun 28 '15 at 21:59
  • Outside of *"... using OpenSSL"* in the title, you really don't mention OpenSSL or how you are using it. Should this be tagged with OpenSSL? If so, talk about something OpenSSL related, like how you are trying to use an *Engine* to connect to a security service on Windows. – jww Jun 28 '15 at 22:02
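
The approach the comments point to (`password_hash` to store, `password_verify` to validate), as an added example that is not part of the original question or its comments. The in-memory `$users` array, the function names `register_user` and `check_login`, and the sample credentials are constructed for illustration; it assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Constructed in-memory user store standing in for a database table (assumption).
$users = [];

// Registration: keep only the salted hash, never the password or an encrypted copy.
function register_user(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm. The salt and
    // cost are embedded in the returned string, so one column stores everything.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: validate the entered string against the stored hash.
function check_login(array &$users, string $name, string $password): bool
{
    // Hash used when the username is unknown, so that unknown and known
    // usernames both pay for one password_verify() call.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    }

    $stored = $users[$name] ?? $dummy;

    // password_verify() reads algorithm, cost and salt from $stored and
    // compares in a timing-safe way; it runs before the existence check.
    $ok = password_verify($password, $stored) && isset($users[$name]);

    // After a successful login the plaintext is available once, so upgrade
    // hashes created with an older algorithm or a lower cost.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }

    return $ok;
}

// Constructed sample data: one registered user, three login attempts.
register_user($users, 'alice', 'correct horse battery staple');
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong guess'));
var_dump(check_login($users, 'mallory', 'anything'));
```

None of these functions depend on ext-mcrypt or on the OpenSSL extension; they are part of PHP core since 5.5.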

0 Answers