
Note: I am a student and I need this in a project of my own

I've seen here a way of encrypting data in PHP

My question is: should I store an encrypted password in the database and decrypt it once someone logs in and check if they are alike?

Also, should I use some other security layer on the database to ensure that the data is safe? Some MySQL self-encryption or something like that?

I need a basic encryption that could do this. I know there are several threads about this, but my question is how to do this and if it would be useful to secure the data in the database as well (triggers, functions, etc) or not.

Simply Me
  • Have a look at and use the built-in [PHP Password API](http://php.net/password). – Jonnix Dec 08 '15 at 15:40
  • @JonStirling thanks! I will take a look. – Simply Me Dec 08 '15 at 15:47
  • Never decrypt passwords... that means they're only as secure as your decryption key... always hash passwords, and compare the hashes when a user logs in... PHP has built-in password_hash()/password_verify() for precisely this purpose – Mark Baker Dec 08 '15 at 15:49
  • Possible duplicate of [Best way to use PHP to encrypt and decrypt passwords?](http://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt-passwords) – r3mainer Dec 08 '15 at 16:24
  • If you really need to encrypt a password use AES (Advanced Encryption Standard). But that just moves the problem to protecting the encryption/decryption key. If the key is discovered and the same key is used for all passwords they will all be compromised. That is why we have moved away from saving encrypted passwords. That and if the passwords are not saved no one (read government) can require the passwords to be provided. – zaph Dec 08 '15 at 18:03
  • @Mark Baker, thanks, that turned around the things and cleared the way a bit. – Simply Me Dec 08 '15 at 20:17
  • @zaph, thanks, that is useful and great to know. I will take a better look at it. – Simply Me Dec 08 '15 at 20:18

1 Answer

Don't save encrypted passwords; instead store a hashed version.

Use an algorithm such as PBKDF2 (Password Based Key Derivation Function) with a random salt and a reasonably large iteration count to slow down the hashing. Then when you want to check a password run the password through the same hash function and verify the result matches the saved hash.

Note: save the salt and iteration count along with the resultant hash; none of these need to be secret.

zaph
  • Or just use `password_hash()` and `password_verify()`. – Scott Arciszewski Dec 08 '15 at 17:41
  • Sure, I stated *such as* PBKDF2. The advantage of PBKDF2, IMO, is that it is a cross-platform, cross-language industry standard and NIST recommended. Not that there is anything wrong with bcrypt, which password_hash uses. – zaph Dec 08 '15 at 17:58
  • Professionally, I take NIST's crypto recommendations with a grain of salt. But scrypt uses PBKDF2 internally, so there's that. :) – Scott Arciszewski Dec 08 '15 at 18:18
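To make the answer's scheme concrete, here is an added example (not code from any of the posts above) that implements PBKDF2 with a per-user random salt and a large iteration count, stores the algorithm, iteration count and salt next to the hash in one self-describing record, and verifies a login by re-running the derivation and comparing in constant time. It also shows the built-in `password_hash()`/`password_verify()` alternative raised in the comments. The record format (`algo$iterations$salt$hash`), the function names and the constants are this example's own choices; the sample password is constructed.

```php
<?php
// Added example, not from the original question or answer.
// Implements: PBKDF2 + random salt + high iteration count, with salt and
// iteration count stored alongside the hash (none of them need to be secret),
// and the built-in password_hash()/password_verify() alternative.

const PBKDF2_ALGO       = 'sha256';   // hash function fed to PBKDF2
const PBKDF2_ITERATIONS = 600000;     // raise over time as hardware gets faster
const PBKDF2_SALT_BYTES = 16;         // 128-bit random salt, unique per user
const PBKDF2_HASH_BYTES = 32;         // derived key length in bytes

/**
 * Produce a self-describing record "algo$iterations$salt$hash" (base64 parts).
 * Everything needed to repeat the derivation lives in the record, so the
 * iteration count can be raised later without touching old users.
 */
function pbkdf2_hash_password(string $password): string
{
    $salt = random_bytes(PBKDF2_SALT_BYTES);   // CSPRNG; never reuse across users
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true);
    return implode('$', [PBKDF2_ALGO, PBKDF2_ITERATIONS, base64_encode($salt), base64_encode($hash)]);
}

/**
 * Re-derive the key from the stored parameters and compare in constant time.
 * Returns false for a malformed record instead of throwing, so a corrupted
 * row behaves like a wrong password rather than an error page.
 */
function pbkdf2_verify_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4) {
        return false;   // malformed record
    }
    list($algo, $iterations, $saltB64, $hashB64) = $parts;
    $salt   = base64_decode($saltB64, true);
    $stored = base64_decode($hashB64, true);
    if ($salt === false || $stored === false || (int) $iterations < 1) {
        return false;   // undecodable salt/hash or nonsensical iteration count
    }
    $candidate = hash_pbkdf2($algo, $password, $salt, (int) $iterations, strlen($stored), true);
    return hash_equals($stored, $candidate);   // hash_equals() avoids early-exit timing leaks
}

// --- Demonstration with a constructed password (not real credentials) ---
$record = pbkdf2_hash_password('correct horse battery staple');

// Correct password verifies, wrong password does not.
var_dump(pbkdf2_verify_password('correct horse battery staple', $record));
var_dump(pbkdf2_verify_password('wrong password', $record));

// Same password hashed twice yields different records because the salt differs,
// so identical passwords are not detectable by comparing stored rows.
var_dump($record === pbkdf2_hash_password('correct horse battery staple'));

// Built-in alternative: bcrypt under PASSWORD_DEFAULT. Salt and cost are
// embedded in the returned string, so a single column stores everything.
$builtin = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $builtin));

// Tells you whether the stored hash was made with weaker parameters than the
// current defaults, so it can be re-hashed at the next successful login.
var_dump(password_needs_rehash($builtin, PASSWORD_DEFAULT));
```

Either path answers the original question: nothing in the database is ever decrypted, so there is no decryption key to protect, and an attacker who dumps the table still has to brute-force each salted, slowed-down hash individually. Storing the iteration count with the hash (which `password_hash()` does for you) is what lets you raise the work factor later and transparently re-hash users as they log in.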