
Thread: Password one way encryption.

  1. #1
    freecrm

    Password one way encryption.

    OK this is probably simple but I'm not sure where to start.

    Registration process:
    1) User enters password / password inserted to DB (needs encryption)
    2) System sends e-mail to user with validation link and confirmation of password (probably an un-encrypted copy).
    3) User re-enters password on validation page (encrypted entry to be compared with DB entry)

    Login:
    User enters username/password
    Encrypted password entry needs to be compared with encrypted version in DB

    I'm not expecting a written script - just some ideas please.

  2. #2
    quantum1

    Vague answer shown below.

    I have seen this done before as follows:
    1) Some algorithm or software is used to encrypt the password into the db.
    2) User receives email with password.
    3) User goes back and re-enters password to verify.
    4) Web site program uses same encryption technique to encrypt the password that the user re-enters, then compares it to the encrypted password in the db.
    Edit:
    Wait...that's just what you said in the question I think.

    Silly me. Is your question actually about how to compare the two encrypted passwords? Probably is if I had read your question correctly. Sorry! :P
    Last edited by quantum1; 10-22-2008 at 05:05 PM. Reason: Automerged Doublepost

  3. #3
    freecrm

    Quote: Originally Posted by quantum1
    Vague answer shown below.

    I have seen this done before as follows:
    1) Some algorithm or software is used to encrypt the password into the db.
    2) User receives email with password.
    3) User goes back and re-enters password to verify.
    4) Web site program uses same encryption technique to encrypt the password that the user re-enters, then compares it to the encrypted password in the db.
    Edit:
    Wait...that's just what you said in the question I think.

    Silly me. Is your question actually about how to compare the two encrypted passwords? Probably is if I had read your question correctly. Sorry! :P

    LMAO!!!! :laugh:

    Yeah - I was hoping to understand the methodology.

    i.e., if I have a variable $_POST['password'], how do I encrypt that before insertion for starters.. (not two way) Is this hashing? Md5? - I'm a bit lost with all the various types..

    Second, I need to know for comparison reasons if you just encrypt the validation password entry with the same system and then compare the result with what is stored in the DB?

  4. #4
    Scoochi2

    Quote: Originally Posted by freecrm
    i.e., if I have a variable $_POST['password'], how do I encrypt that before insertion for starters.. (not two way) Is this hashing? Md5? - I'm a bit lost with all the various types..

    Second, I need to know for comparison reasons if you just encrypt the validation password entry with the same system and then compare the result with what is stored in the DB?

    In PHP, use crypt.

    For example..

    PHP Code:
    $password_crypted = crypt($_POST['password']);

    Now when you want to compare, you can use the already encrypted password (hash) as a salt, which should result in the same hash as the hash used as a salt.

    See PHP.net for more info.
    If anyone can see it, my post was meant for anyone who reads it. Don't take it personally or think I'm being condescending... :nuts:

  5. #5
    quantum1

    I searched on Scoochi2's idea and found the following at http://us.php.net/crypt

    <?php
    $password = crypt('mypassword'); // let the salt be automatically generated

    /* You should pass the entire results of crypt() as the salt for comparing a
    password, to avoid problems when different hashing algorithms are used. (As
    it says above, standard DES-based password hashing uses a 2-character salt,
    but MD5-based hashing uses 12.) */
    if (crypt($user_input, $password) == $password) {
        echo "Password verified!";
    }
    ?>


    Thanks, Scoochi2!

  6. #6
    natsuki

    I use md5 but you can use sha or crc or any other encryption.
    This procedure works on all one-way encryption algorithms.

    from register pw ==> md5(pw) ==> DB
    login page: md5(login pw) == pw from DB ?

    Characters will have one and only one hash, so you need not worry about it changing, e.g. md5('pass') will always be equal to the md5('pass') that you saved in the DB. If you want, you can add a key so that only you can validate your passwords.

    $key = 'some key or phrase blah';
    $key = md5($key);

    md5($key . md5(pw)) ==> pw w/ key put in DB

    login page: md5($key . md5(pw)) == pw w/ key in DB?

    You don't need to know the real password, you just have to encrypt and compare with the saved encrypted one.

  7. #7
    freecrm

    OK - finally got back to this one.

    I have done a quick test script to test the process but the result is always "not equal", even though it echoes the same.

    PHP Code:
    <?php
    $pass1 = "password";
    echo $pass1."<br>";
    $passcrypt = crypt($pass1,$pass1);
    echo $passcrypt."<br>";
    ?>

    <form action="" method="post">
    <input name="textfield" type="text" value="<?php echo $_POST['textfield'];?>">
    <input type="submit" name="Submit" value="Submit">
    </form>&nbsp;

    <?php
    echo $_POST['textfield']."<br>";
    $testcrypt = crypt($_POST['textfield'],$_POST['textfield']);
    echo $testcrypt."<br>";

    if ($passcrypt == $textcrypt){
        echo "equal";
    }
    else
    {
        echo "not equal";
    }
    ?>

    Any ideas?

  8. #8
    Scoochi2

    Try replacing it with the following:
    PHP Code:
    <?php
    $pass1 = "password";
    echo $pass1."<br>";
    $passcrypt = crypt($pass1);
    echo $passcrypt."<br>";
    ?>

    <form action="" method="post">
    <input name="textfield" type="text" value="<?php echo $_POST['textfield'];?>">
    <input type="submit" name="Submit" value="Submit">
    </form>&nbsp;

    <?php
    echo $_POST['textfield']."<br>";
    $testcrypt = crypt($_POST['textfield'],$passcrypt);
    echo $testcrypt."<br>";

    if ($passcrypt == $testcrypt){
        echo "equal";
    }
    else
    {
        echo "not equal";
    }
    ?>

    When hashing, you do not need to provide a salt (for example, in $passcrypt). However, when comparing a hash, you should pass the entire result of the first hash as the salt. This way, it ensures the same algorithm is used... or something like that.

    Basically, save the results of the first crypt and then use that result when you use crypt again to compare the password to what is already saved.

    Hope that helps.

  9. #9
    freecrm

    duh.. user error..

    in the comparison I used "textcrypt" instead of "testcrypt" !!!

    Replaced it and it works fine.

    Admin - Please close this thread

  10. #10
    freecrm

    Arrrggh - no don't close it...

    When trying to put this into practice, it's all a different story!

    Crypting when storing the value is fine

    PHP Code:
    $passwordtostore = crypt($_POST['password']);
    // insert $passwordtostore blah de blah

    but when I try to login on a login page with validation against the stored value, I'm getting different values.

    PHP Code:
    $password_validation = crypt($_POST['loginpassword'], $_POST['loginpassword']);
    // check $passwordtostore against $password_validation...

    Should the salt be from the DB or am I missing something?
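
The question at the end of post #10 comes down to which salt crypt() receives at login. The following PHP is an added example, not code from any poster in this thread: it stores a hash at registration, then contrasts the stored-hash-as-salt check from posts #4, #5 and #8 with the password-as-salt check from post #10. The `$users` array, the function names and the sample credentials are constructed for illustration.

```php
<?php
// Added example; $users is a constructed in-memory stand-in for the DB table.
$users = [];

// Registration: hash once with a random salt. The returned string embeds the
// algorithm, cost and salt, so no separate salt column is needed.
function register(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_BCRYPT);
}

// Login as described in posts #4, #5 and #8: the stored hash is passed to
// crypt() as the salt, so the same algorithm and salt are reused.
function login_stored_hash_as_salt(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];
    // hash_equals() compares in constant time and does not type-juggle like ==
    return hash_equals($stored, crypt($password, $stored));
}

// Login as attempted in post #10: the salt is taken from the submitted
// password, so crypt() runs with a different salt (and algorithm) than the
// one used at registration.
function login_password_as_salt(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return hash_equals($users[$name], crypt($password, $password));
}

register($users, 'alice', 's3cret-Pass');   // constructed sample credentials
register($users, 'bob', 's3cret-Pass');

var_dump(login_stored_hash_as_salt($users, 'alice', 's3cret-Pass'));
var_dump(login_stored_hash_as_salt($users, 'alice', 'wrong-Pass'));
var_dump(login_password_as_salt($users, 'alice', 's3cret-Pass'));
// Same password, different random salts: compare the two stored strings.
var_dump($users['alice'] === $users['bob']);
// password_verify() performs the stored-hash-as-salt check in one call.
var_dump(password_verify('s3cret-Pass', $users['alice']));
```

The example needs PHP 7.1 or later for the type declarations; password_hash() and password_verify() themselves are available from PHP 5.5.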
