
I am trying to tidy up some API logins that are currently in plain text.

My current thinking is to put the password through a generator like md5hashgenerator.com; I would make sure it's SHA1.

I would then set the hash as a variable, but what is the right way to go about the decrypt?

Jess McKenzie

  • Why not use `password_hash()`? As `SHA1` is **not** secure anymore, you can read that [here](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1). You might as well use the built-in functions – Nytrix Feb 14 '17 at 03:44
  • @Nytrix I have no login etc; it's all done in the background and no database. They are logins for curl – Jess McKenzie Feb 14 '17 at 03:45
  • *Sooo..*? If it's in `php` you can use the functions `password_hash()` and `password_verify()`. It's the safest method **and** really easy to use. – Nytrix Feb 14 '17 at 03:46
  • @Nytrix Understood - I have been reading http://stackoverflow.com/questions/30279321/how-to-use-password-hash but what would I use for $password - the hash? Since there is no db? – Jess McKenzie Feb 14 '17 at 03:48
  • Where do you get them from? A previous file? Loop through the file and hash them, then put them in a database. **Do not** save passwords in plain text files, please **don't**. – Nytrix Feb 14 '17 at 03:49
  • @Nytrix it's a .php file and logins to the API (e-mail/password via curl), and I just don't want them to be in plain sight; I want to encrypt them somehow – Jess McKenzie Feb 14 '17 at 03:52
  • You now seem to be confusing encryption (reversible) with hashing. If you encrypt them in the file, you then have to unencrypt them on the same server before using them for the API, so what's the point here? If people have access to the PHP, they have access to the passwords. –  Feb 14 '17 at 03:53
  • @nogad That is a really good point. I am just wanting to do things right and not leave them in the "open air" – Jess McKenzie Feb 14 '17 at 04:00
  • So the server has no credentials? You don't trust the staff? –  Feb 14 '17 at 04:01
  • Not in this context @Nytrix –  Feb 14 '17 at 04:03

1 Answer

UPDATE:

This link is quite helpful in understanding use cases for hash algorithms & encryption algorithms: Fundamental difference between Hashing and Encryption algorithms. "Use a hash function when you want to compare a value but can't store the plain representation (for any number of reasons). Passwords should fit this use-case very well since you don't want to store them plain-text for security reasons (and shouldn't)"

"Use encryption whenever you need to get the input data back out. Notice the word need. If you're storing credit card numbers, you need to get them back out at some point, but don't want to store them plain text. So instead, store the encrypted version and keep the key as safe as possible."

As the comments mention, MD5 and SHA1 type hashes are no longer secure. Use PHP's built-in password hashing functions. You can read up about them here http://php.net/manual/en/book.password.php, particularly password_hash() & password_verify().

An example usage for password_verify:

// grab hashed pass from db - to compare against - then perform password_verify()
if (password_verify($inputPassword, $dbPass)) {
    // success
}

where $inputPassword is the plain text password entered into the login form.

And an example usage of password_hash():

$hash = password_hash($inputPassword, PASSWORD_BCRYPT);
Inkdot

  • This is a glorified comment, with purely links. After all that, you are suggesting an **unsafe** method of hashing passwords.... – Nytrix Feb 14 '17 at 03:51
  • *Again*, do **not** use `md5()` for hashing password. **Not** safe! – Nytrix Feb 14 '17 at 03:53
  • would you care to further explain? – Inkdot Feb 14 '17 at 03:54
  • MD5 is weak and all passwords should be salted - SHA1 etc MD5 is crap – Jess McKenzie Feb 14 '17 at 03:55
  • If I am providing unsafe information I would very much like to know. That is not my intention :/ – Inkdot Feb 14 '17 at 03:55
  • Yes, `md5()` is **not** secure anymore. You should use `password_hash()` and `password_verify()` for hashing passwords. – Nytrix Feb 14 '17 at 03:55
  • So instead of md5($credentials->password) , it should read sha1($credentials->password)? – Inkdot Feb 14 '17 at 03:56
  • @Inkdot *No...* I've now written like 3 comments where I say you need to use `password_hash()`.... You can read [here](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1) why `SHA1` is **not** such a good idea anymore. – Nytrix Feb 14 '17 at 03:57
  • Thanks, and sorry for that. – Inkdot Feb 14 '17 at 04:00
  • I will write an updated create account and login script and post in an updated answer. – Inkdot Feb 14 '17 at 04:03
  • @Inkdot It doesn't answer **this** question though... you should probably just keep it within this answer... – Nytrix Feb 14 '17 at 04:04
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/135642/discussion-between-nytrix-and-inkdot). – Nytrix Feb 14 '17 at 04:05
  • MD5 is [not secure at all for passwords](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) – Machavity Feb 14 '17 at 04:22
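A worked PHP example, added here and not part of Inkdot's answer or the original question, putting the two use cases the answer distinguishes side by side: password_hash()/password_verify() for a credential you only ever need to check, and authenticated encryption for an API password that a curl call must send in the clear, which no hash can give back. The ext/sodium functions (PHP 7.2+) are assumed available; the API_CRED_KEY environment variable, the helper names and the sample credentials are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example: two different problems, two different tools.

// --- 1. A password someone types in: store a hash, compare, never "decrypt". ---

function storeUserPassword(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt on current PHP; a random salt is generated
    // and embedded in the returned string, so nothing else needs storing.
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkUserPassword(string $attempt, string $storedHash): bool
{
    // Re-hashes $attempt with the salt inside $storedHash and compares;
    // the original password cannot be recovered from $storedHash.
    return password_verify($attempt, $storedHash);
}

// --- 2. An API password that must be sent to a remote service (curl):
//        it has to be recoverable, so hashing cannot help. Encrypt it with a
//        key that lives outside the .php file (assumption: an environment
//        variable) so the source on its own does not reveal it. ---

function encryptSecret(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh per message
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);  // XSalsa20-Poly1305
    return base64_encode($nonce . $box);                         // nonce travels with ciphertext
}

function decryptSecret(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or tampered data: the Poly1305 tag did not verify.
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

function loadKeyFromEnv(string $var = 'API_CRED_KEY'): ?string
{
    // Assumed deployment convention: a base64-encoded 32-byte key in the environment.
    $value = getenv($var);
    if ($value === false) {
        return null;
    }
    $key = base64_decode($value, true);
    return ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) ? $key : null;
}

// --- Demo with constructed values ---

$hash = storeUserPassword('correct horse battery staple');
var_dump(checkUserPassword('correct horse battery staple', $hash));  // right password
var_dump(checkUserPassword('wrong guess', $hash));                   // wrong password

// In production the key comes from the environment; for a stand-alone run we
// generate one when it is absent. To provision a real deployment, print
// base64_encode(sodium_crypto_secretbox_keygen()) once and set it as API_CRED_KEY.
$key = loadKeyFromEnv() ?? sodium_crypto_secretbox_keygen();

$apiPasswordEnc = encryptSecret('api-pass-1234', $key);  // this string is what goes in the config
$apiPassword    = decryptSecret($apiPasswordEnc, $key);  // recovered at call time, handed to curl
var_dump($apiPassword === 'api-pass-1234');

try {
    decryptSecret($apiPasswordEnc, sodium_crypto_secretbox_keygen());  // a different key
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
sodium_memzero($apiPassword);  // wipe the plaintext once curl no longer needs it
```

The caveat nogad raised in the comments still holds: anyone who can read both the .php file and the process environment can recover the API password, because the script itself has to. What the encrypted form buys is separation: the ciphertext can sit in source control or a shared config while the key stays on the deployment host, and a leaked copy of the file alone is no longer a credential leak. File permissions on the script and on whatever holds the key matter regardless of which of the two techniques is used.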