Encryption using crypt ()

I am currently using a very secure login system, but I'm new to crypt() and need some quick help.

I used crypt() to encrypt the password string during registration and save it in the database. However, how can I decrypt the key during login? Or how should I do otherwise? Or perhaps one could do the magic with the provided password string to compare it with the encrypted key in the database?

+3
5 answers

crypt() does not encrypt passwords, it hashes them. The main difference is that you cannot get the password back from a hash (think of hash browns: if you have hash browns, you cannot get the potatoes back).


$stored_pw = get_hashed_password_from_db($_POST['username']);
// crypt() reuses the algorithm, cost and salt stored in $stored_pw; hash_equals() compares in constant time
if (hash_equals($stored_pw, crypt($_POST['password'], $stored_pw))) { /* password matches */ }


+2


+1


+1


/*
*   Copyright (c) 2012, Macarthur Inbody
*   The following code was posted on http://stackoverflow.com/questions/8195689/encryption-using-crypt
*   The license is simply CC-by https://creativecommons.org/licenses/by/3.0/
*/

// $unique_salt is a site-wide secret string that must be defined before these
// functions are called; they read it through "global" below.

/*
 *
 * This is used to hash their password.
 *
 * @param   $password       string      the user's supplied password
 * @param   $username       string      the user's supplied username
 * @param   $rand_salt      int         the secondary salt, -2^31-1 to 2^31-1. Must be defined previously.
 * @return  string the hashed password
 */
function hash_pass($username,$password,$rand_salt){

    global $unique_salt;
    // derive a deterministic bcrypt salt from the username, password and site salt
    $main_salt=base64_encode(hash('sha512',$username.$password.$unique_salt));
    // bcrypt salts may only contain the characters ./0-9A-Za-z
    $main_salt=str_replace('+', '.', $main_salt);
    $main_salt=str_replace('=','/',$main_salt);
    // "$2y$" + two-digit cost + "$" + 22 salt characters (requires PHP 5.3.7+)
    $main_salt='$2y$06$'.substr($main_salt,0,22); //change "06" here to the cost factor that you want
    // note: bcrypt only uses the first 72 bytes of its input, so a long
    // $unique_salt.$username prefix can push part of the password past that limit
    $hashed=crypt($unique_salt.$username.$password.$rand_salt,$main_salt);
    return $hashed;
}

function gen_rand_salt(){
    // the posted code used rand(), which is not a cryptographic RNG;
    // random_int() (PHP 7+) draws from a CSPRNG and covers the documented range
    return random_int(-2147483647, 2147483647);
}

function rand_str($length,$additional_entropy=null){
    // each base64-encoded raw sha1 digest is 28 characters long
    $max_length=ceil($length/28);
    if($additional_entropy===null){
        $additional_entropy='';
    }
    $str='';
    for($i=0;$i<=$max_length;++$i){
        $str.=base64_encode(sha1($i.''.microtime().$additional_entropy,true));
    }
    $str=substr($str,0,$length);
    return $str;
}

/*
*
* Generate a temp password/token
*
* This function generates a temporary password and also gives you
* the hashed password too. It is an array, arr[0]=password, arr[1]=
* hashed password. If it fails it'll return -1;
*
* @param    $username   the username
* @param    $rand_salt  the random salt value, must be given.
*
* @return   array       if it is successful an array, if it fails the number -1
*/
function generate_temp_password($username,$rand_salt=null){
    global $unique_salt;
    if($rand_salt===null){
        return -1;
    }
    $pass_len=12; // change this to what you want for password recovery
    $pass_arr=array();
    $password=rand_str($pass_len,$unique_salt.gen_rand_salt().$rand_salt);
    // mix the random string with the secondary salt and cut to the wanted length
    $password=substr(base64_encode(sha1($password.$rand_salt,true)),0,$pass_len);
    $hashed_password=hash_pass($username,$password,$rand_salt);
    $pass_arr[0]=$password;
    $pass_arr[1]=$hashed_password;
    return $pass_arr;
}


0

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

Also never use rand() if you need safe random values. This is the worst source of random values in PHP.

In PHP 7 you should use

http://php.net/manual/en/function.random-bytes.php

instead of this. For earlier versions see

http://php.net/manual/en/function.openssl-random-pseudo-bytes.php

0
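Putting the two answers above together (the crypt() re-hash check from the first answer and the password_hash()/random_bytes() advice from the last one), here is an added PHP 7+ example that is not code from the thread; the password value is constructed, and where the hashes are stored is left to the application.

```php
<?php
// Added example, not code from the thread. PHP 7+.
// password_hash()/password_verify() wrap crypt() with a bcrypt salt drawn
// from a CSPRNG; crypt_login_ok() spells out the check the first answer
// describes: re-hash with the stored hash as the salt argument and compare.

// Registration: store the returned string, never the plaintext password.
function register_hash(string $password): string
{
    // bcrypt only reads the first 72 bytes of the password; cost 12 is a
    // reasonable default for interactive logins.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: there is no decryption step, only a re-hash-and-compare.
function login_ok(string $password, string $stored_hash): bool
{
    return password_verify($password, $stored_hash);
}

// The same check written directly against crypt(). crypt() takes the
// algorithm, cost and 22-character salt from $stored_hash and ignores the
// rest, so a correct password reproduces the stored string exactly.
// hash_equals() compares in constant time.
function crypt_login_ok(string $password, string $stored_hash): bool
{
    $candidate = crypt($password, $stored_hash);
    // crypt() signals failure (e.g. an unsupported salt format) with a very short string
    if (strlen($candidate) < 13) {
        return false;
    }
    return hash_equals($stored_hash, $candidate);
}

// Password-reset token: random_bytes() is a CSPRNG, unlike rand()/mt_rand().
// Send 'token' to the user, store only 'hash', and later check with
// hash_equals($stored['hash'], hash('sha256', $presented_token)).
function make_reset_token(): array
{
    $token = bin2hex(random_bytes(16)); // 128 bits, 32 hex characters
    return ['token' => $token, 'hash' => hash('sha256', $token)];
}

// Demonstration with a constructed password.
$stored = register_hash('correct horse battery staple');
var_dump(login_ok('correct horse battery staple', $stored));
var_dump(login_ok('Correct horse battery staple', $stored));
var_dump(crypt_login_ok('correct horse battery staple', $stored));
```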