
My first question here, so hopefully this all goes well.

I have an application that is currently running on desktop under MS Access using VBA code. When the user logs in I have a function to encrypt the password. This is:

Public Function EncryptEasy(strIn As String) As String

    Dim strChr As String
    Dim i As Integer
    Dim Salt As Long
    Salt = 543214321

    ' Bitwise Xor of each character code with Salt, appended as decimal text
    For i = 1 To Len(strIn)
        strChr = strChr & CStr(Asc(Mid(strIn, i, 1)) Xor Salt)
    Next i

    EncryptEasy = strChr

End Function

To give you an idea, when I run EncryptEasy("test") in VBA, it returns: 543214213543214228543214210543214213

I am now setting up a simple web-app using PHP and was hoping to utilise the same encryption as I'm currently using by coding this function into PHP. I HAVE tried and below is my attempt:

function EncryptEasy($strIn) {

    $salt = 543214321;
    $strChr = Null;
    $strLen = strlen($strIn);

    for ($i = 0; $i <= $strLen; $i++) {
        $strChr = $strChr . chr(ord(substr($strIn, $i, 1)) xor $salt);
    }

    return $strChr;

}

However, this is returning blank. I have tried echoing this:

<?php
echo EncryptEasy("test");
?>

to no avail.

Is anyone able to see where I am going wrong?

Nick
  • PHP comes with several encryption routines. http://php.net/manual/en/refs.crypto.php - read the comments of each function carefully as these provide useful tips. –  Aug 10 '17 at 01:57
  • You could instead hash the passwords, read about [`password_hash()`](http://php.net/manual/en/function.password-hash.php) – Carl Binalla Aug 10 '17 at 02:28
  • You should never encrypt your users' passwords. You need to use hashing instead, with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way functions, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: [How to securely hash passwords?](https://security.stackexchange.com/q/211/45523) – Artjom B. Aug 10 '17 at 17:41
  • Thanks everyone for their comments. You're obviously quite right. – Nick Aug 11 '17 at 05:51
  • Are there any encryption/hashing functions that would return the same hashed/encrypted output in both VBA and PHP, as I will need the users to log in to the local Access-based software AND the new online version also? – Nick Aug 11 '17 at 05:53
  • Or is it better (easier) to have a hash/encryption method for PHP which links to the database and saves to a field "password_php" and then have a different hash/encryption method in Access that links to a separate field called "password_access"? – Nick Aug 11 '17 at 05:57

1 Answer

I would not suggest creating your own algorithm for encrypting; instead, use the built-in functions provided by PHP.

Although this is not encrypting the password like the one in your original code, using password_hash() is easier than creating your own, and to verify use password_verify().

Hashing Password:

<?php
    $hashed = password_hash("somePassword", PASSWORD_DEFAULT);
?>

Verifying Password:

<?php
    if(password_verify('somePassword', $hashed))
    {
        echo 'Same'; //goes here
    } else {
        echo 'Not same';
    }
    if(password_verify('somePasswordsss', $hashed))
    {
        echo 'Same';
    } else {
        echo 'Not same'; //goes here
    }
?>
Carl Binalla
  • Hi Swellar, thanks for that. Is there a function in VBA which would output the same hashed password so that if I implement this function in PHP version of application, I could run a similar function in the access-based local version so that the passwords could be the same? – Nick Aug 11 '17 at 05:55
  • Or is it better (easier) to have a hash/encryption method for PHP which links to the database and saves to a field "password_php" and then have a different hash/encryption method in Access that links to a separate field called "password_access"? – Nick Aug 11 '17 at 05:57
  • @Nick I don't really know anything about `VBA`, so I don't know how those two can sync, unless you can reverse-engineer `password_verify()` and create it in `VBA` – Carl Binalla Aug 11 '17 at 07:51
  • No problem, swellar. I am now thinking that I can have a separate password field for my Access environment (which can use my basic encryption as it's only used locally at our premises) and a separate password for the PHP with hashing and salt to allow better encryption for the online environment. – Nick Aug 11 '17 at 08:13
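As an added example (not code from the question or the answer), here is a faithful PHP port of the VBA function that shows why the original attempt returned blank, followed by the migration the answer and comments point to: accept a legacy value once, then replace it with a password_hash() value. isLegacyCredential and verifyAndUpgrade are hypothetical helper names.

```php
<?php
// Faithful port of the VBA EncryptEasy. PHP's `xor` is a *logical* operator
// returning a bool, so chr(ord($c) xor $salt) was chr(0) for every char;
// the VBA uses bitwise Xor and appends the decimal text of each result.
// This is a reversible encoding, not a hash: keep it only to recognise
// values written by the legacy Access client.
function encryptEasyLegacy(string $strIn): string
{
    $salt = 543214321;
    $out = '';
    for ($i = 0, $n = strlen($strIn); $i < $n; $i++) { // 0..n-1, not <=
        $out .= (string)(ord($strIn[$i]) ^ $salt);
    }
    return $out;
}

// Legacy values are decimal digits only; password_hash() output starts
// with "$", so the shape of the stored value selects which check to run.
function isLegacyCredential(string $stored): bool
{
    return $stored !== '' && ctype_digit($stored);
}

// Hypothetical helper (not from the original answer): verify against
// either format. On a legacy match, $upgraded receives a password_hash()
// value for the caller to store in place of the old one; otherwise null.
function verifyAndUpgrade(string $password, string $stored, ?string &$upgraded): bool
{
    $upgraded = null;
    if (isLegacyCredential($stored)) {
        // hash_equals: constant-time compare, no early exit on mismatch
        if (!hash_equals($stored, encryptEasyLegacy($password))) {
            return false;
        }
        $upgraded = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upgraded = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample: the value the question reports for "test".
$legacy = '543214213543214228543214210543214213';
var_dump(encryptEasyLegacy('test') === $legacy);
var_dump(verifyAndUpgrade('test', $legacy, $new), $new);
var_dump(verifyAndUpgrade('test', $new, $again), $again);
```

Once every stored value has been upgraded, drop encryptEasyLegacy and isLegacyCredential so that only password_verify() remains on the login path.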