Password one way encryption.

Discussion in 'Scripts, 3rd Party Apps, and Programming' started by freecrm, Oct 22, 2008.

  1. freecrm

    freecrm New Member

    OK this is probably simple but I'm not sure where to start.

    Registration process:

    1) User enters password / password inserted to DB (needs encryption)
    2) System sends e-mail to user with validation link and confirmation of password (probably an unencrypted copy).
    3) User re-enters password on validation page (encrypted entry to be compared with DB entry)

    Login:

    User enters username/password
    Encrypted password entry needs to be compared with encrypted version in DB

    I'm not expecting a written script - just some ideas please.
     
  2. quantum1

    quantum1 New Member

    Vague answer shown below. :)

    I have seen this done before as follows:
    1) Some algorithm or software is used to encrypt the password into the db.
    2) User receives email with password.
    3) User goes back and re-enters password to verify.
    4) Web site program uses same encryption technique to encrypt the password that the user re-enters, then compares it to the encrypted password in the db.
    Edit:
    Wait...that's just what you said in the question I think. :(

    Silly me. Is your question actually about how to compare the two encrypted passwords? Probably is if I had read your question correctly. Sorry! :p
     
    Last edited: Oct 22, 2008
  3. freecrm

    freecrm New Member


    LMAO!!!! :lol:

    Yeah - I was hoping to understand the methodology.

    i.e., if I have a variable $_POST['password'], how do I encrypt that before insertion for starters.. (not two way) Is this hashing? Md5? - I'm a bit lost with all the various types..

    Second, I need to know for comparison reasons if you just encrypt the validation password entry with the same system and then compare the result with what is stored in the DB?
     
  4. Scoochi2

    Scoochi2 New Member

    In PHP, use crypt.

    For example..

    PHP:
    $password_crypted = crypt($_POST['password']);
    Now when you want to compare, you can use the already encrypted password (hash) as a salt, which should result in the same hash as the hash used as a salt.

    See PHP.net for more info.
     
  5. quantum1

    quantum1 New Member

    I searched on Scoochi2's idea and found the following at http://us.php.net/crypt

    <?php
    $password = crypt('mypassword'); // let the salt be automatically generated

    /* You should pass the entire results of crypt() as the salt for comparing a
    password, to avoid problems when different hashing algorithms are used. (As
    it says above, standard DES-based password hashing uses a 2-character salt,
    but MD5-based hashing uses 12.) */
    if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
    }
    ?>


    Thanks, Scoochi2!
     
  6. natsuki

    natsuki New Member

    I use md5 but you can use sha or crc or any other encryption.
    This procedure works on all one-way encryption algorithms.

    from register pw ==> md5(pw) ==> DB
    login page: md5(login pw) == pw from DB ?

    characters will have one and only one hash so you need not worry about it changing ex: md5('pass') will always be equal to md5('pass') that you saved in db. If you want you can add a key so that only you can validate your passwords.

    $key = 'some key or phrase blah';
    $key = md5($key);

    md5($key . md5(pw)) ==> pw w/ key put in DB

    login page: md5($key . md5(pw)) == pw w/ key in DB?

    You don't need to know the real password, you just have to encrypt and compare with the saved encrypted one.
     
  7. freecrm

    freecrm New Member

    OK - finally got back to this one.

    I have done a quick test script to test the process but the result is always "not equal", even though it echoes the same.

    PHP:
    <?php
    $pass1 = "password";
    echo $pass1."<br>";
    $passcrypt = crypt($pass1, $pass1);
    echo $passcrypt."<br>";
    ?>

    <form action="" method="post">
    <input name="textfield" type="text" value="<?php echo $_POST['textfield'];?>">
    <input type="submit" name="Submit" value="Submit">
    </form>&nbsp;

    <?php
    echo $_POST['textfield']."<br>";
    $testcrypt = crypt($_POST['textfield'], $_POST['textfield']);
    echo $testcrypt."<br>";

    if ($passcrypt == $textcrypt) {
    echo "equal";
    }
    else
    {
    echo "not equal";
    }
    ?>
    Any ideas?
     
  8. Scoochi2

    Scoochi2 New Member

    Try replacing it with the following:
    PHP:
    <?php
    $pass1 = "password";
    echo $pass1."<br>";
    $passcrypt = crypt($pass1); // no salt given: crypt() generates a random one
    echo $passcrypt."<br>";
    ?>

    <form action="" method="post">
    <input name="textfield" type="text" value="<?php echo $_POST['textfield'];?>">
    <input type="submit" name="Submit" value="Submit">
    </form>&nbsp;

    <?php
    echo $_POST['textfield']."<br>";
    $testcrypt = crypt($_POST['textfield'], $passcrypt); // the stored hash is the salt
    echo $testcrypt."<br>";

    if ($passcrypt == $testcrypt) {
    echo "equal";
    }
    else
    {
    echo "not equal";
    }
    ?>
    When hashing, you do not need to provide a salt (for example, in $passcrypt). However, when comparing a hash, you should pass the entire result of the first hash as the salt. This way, it ensures the same algorithm is used... or something like that.

    Basically, save the results of the first crypt and then use that result when you use crypt again to compare the password to what is already saved.

    Hope that helps.
     
  9. freecrm

    freecrm New Member

    duh.. user error..

    in the comparison I used "textcrypt" instead of "testcrypt" !!!

    Replaced it and it works fine.

    Admin - Please close this thread
     
  10. freecrm

    freecrm New Member


    Arrrggh - no don't close it...

    When trying to put this into practice, it's all a different story!

    Crypting when storing the value is fine

    PHP:
    $passwordtostore = crypt($_POST['password']);
    // insert $passwordtostore blah de blah

    but when I try to login on a login page with validation against the stored value, I'm getting different values.

    PHP:
    $password_validation = crypt($_POST['loginpassword'], $_POST['loginpassword']);
    // check $passwordtostore against $password_validation...

    Should the salt be from the DB or am I missing something?
     
  11. xmakina

    xmakina New Member

    This works fine for me;
    Registration:
    PHP:
    // check(), checkEmail() and showLogin() are the poster's own helpers (not shown)
    function register($userName, $password, $password2, $email = ""){
        if(
            check($userName)     == false || 
            check($password)     == false ||
            checkEmail($email)   == false
        ){
            echo "<p class=\"error\">Invalid input. Please only use letters or numbers</p>";
            return false;
        }
        
        if($password != $password2){
            echo "<p class=\"error\">Passwords do not match</p>";
            return false;
        }
        
        $inPass = sha1($userName . $password);
        $sql = "INSERT INTO Users (userName, password, email) VALUES ('$userName', '$inPass', '$email')";
        $result = mysql_query($sql);
        if($result == false){
            if(mysql_errno() == 1062){
                //Duplicate
                echo "<p class=\"error\">That name or email has already been registered</p>";
                return false;
            }
            echo "<p class=\"error\">SQL Error<br />$sql<br />".mysql_error().",".mysql_errno()."</p>";
            return false;
        }
        return true;
    }
    Login Page
    PHP:
    function login($userName, $password){
        if(check($userName) == false || check($password) == false){
            showLogin();
            ?>
            <p><span class="important">Invalid characters used to log in</span></p>
            <?php
        } else {
            $inPass = sha1($userName.$password);
            
            $sql = "SELECT userID FROM Users WHERE userName = '$userName' AND password = '$inPass'";
            $result = mysql_query($sql);
            if($result == false){
                ?>
                <p><span class="error">SQL Error (<?php echo $sql . "<br />"; echo mysql_error();?>)</span></p>
                <?php
            } elseif(mysql_num_rows($result) == 0){
                ?>
                <p><span class="important">Invalid username or password</span></p>
                <?php
            } elseif(mysql_num_rows($result) <> 1){
                ?>
                <p><span class="error">Security Error. Please report this.</span></p>
                <?php
            } else {
                $_SESSION['userID'] = mysql_result($result, 0, "userID");
                return true;
            }
            return false;
        }
    }
     
  12. freecrm

    freecrm New Member

    OK - please forgive my ignorance, but I'm not sure this script uses encryption???

    However, I'm not familiar with the sha1() function...

    I have a multi-page registration process that verifies the e-mail address (register - sends e-mail to address provided - activate account etc.) All of this part works.

    My problem is only when comparing the stored encrypted value with the crypt($_POST[' '], $whateversalt) value.

    I think I may have cracked this anyway - I need to call the $passwordtostore value from the DB to use as the salt rather than the posted value. I'll let you know if this works.
     
  13. phpasks

    phpasks New Member

    You can use this encode & decode function

    http://www.phpasks.com/articles/phpencodeanddecodefunction.html

    PHP:
    <?php
    // Operators in this listing were lost when the post was copied; they are
    // restored below so that encode() and decode() mirror each other exactly.

    // stringSplit() was not included in the post; this wrapper stands in for it
    function stringSplit($_string, $_length = 1)
    {
        return str_split($_string, $_length);
    }

    // Encode function starts here
    function encode($_text, $_IV = 3, $_ENCRYPT_KEY = "z1Mc6KRxA7Nw90dGjY5qLXhtrPgJOfeCaUmHvQT3yW8nDsI2VkEpiS4blFoBuZ")
    {
        if (is_numeric($_IV)) {
            $_IV = intval($_IV);
            if ($_IV < 1)
                $_IV = 1;
            else
              if ($_IV > 500)
                  $_IV = 42;
        } else {
            $_IV = 3;
        }

        $_text .= ' ';

        // Lookup table: every pair of key characters gets a number
        $_array = array();
        $_arr1 = stringSplit($_ENCRYPT_KEY);
        $_arr2 = $_arr1;

        foreach ($_arr1 as $_i1 => $_v1) {
            foreach ($_arr2 as $_i2 => $_v2) {
                $_counter = ($_i2 + 1) + ($_i1 * strlen($_ENCRYPT_KEY));
                $_array[$_counter] = $_v1 . $_v2;
                if ($_v1 == $_v2)
                    $_array[$_counter] = $_v1 . '_';
            }
        }

        $_encoded = '';
        $_count = 0;
        $_msgarr = stringSplit($_text);

        foreach ($_msgarr as $_mindex => $_mvalue) {
            // Odd positions go through the lookup table (two output characters),
            // even positions through str_rot13 (one output character), so that
            // decode() can walk the result in three-character chunks.
            // Only printable ASCII (32..126) is handled.
            if ($_mindex % 2 != 0) {
                $_masc = ord($_mvalue) - 31;
                $_masc = (int) ($_masc + (ceil($_count * $_IV / 3) + $_IV));
                $_count++;
                if ($_count > 12)
                    $_count = 0;
                $_encoded .= $_array[$_masc];
            } else {
                // No need to get around str_rot13 bug here since $_mvalue is 
                // not being referenced after this point & will get overridden. 
                $_encoded .= str_rot13($_mvalue);
            }
        }

        return $_encoded;
    }
    // Encode function ends here

    // Decode function starts here
    function decode($_text, $_IV = 3, $_ENCRYPT_KEY = "z1Mc6KRxA7Nw90dGjY5qLXhtrPgJOfeCaUmHvQT3yW8nDsI2VkEpiS4blFoBuZ")
    {
        $_count = 0;

        if (is_numeric($_IV)) {
            $_IV = intval($_IV);
            if ($_IV < 1)
                $_IV = 1;
            else
              if ($_IV > 500)
                  $_IV = 42;
        } else {
            $_IV = 3;
        }

        // Same lookup table as in encode(), then flipped so a pair maps back to its number
        $_array = array();
        $_arr1 = stringSplit($_ENCRYPT_KEY);
        $_arr2 = $_arr1;

        foreach ($_arr1 as $_i1 => $_v1) {
            foreach ($_arr2 as $_i2 => $_v2) {
                $_counter = ($_i2 + 1) + ($_i1 * strlen($_ENCRYPT_KEY));
                $_array[$_counter] = $_v1 . $_v2;
                if ($_v1 == $_v2)
                    $_array[$_counter] = $_v1 . '_';
            }
        }

        $_array = array_flip($_array);
        $_msgarr = stringSplit($_text, 3);

        $_decoded = '';

        foreach ($_msgarr as $_mvalue) {
            // $_tmp_hold used to get around a possible PHP bug in versions 
            // earlier than 4.3.0. The variable passed in function might change. 
            $_tmp_hold = $_mvalue;
            $_decoded .= str_rot13($_tmp_hold[0]);

            // A trailing one-character chunk is only the padding space added by encode()
            if (strlen($_mvalue) < 3)
                break;

            $_ivalue = $_array[substr($_mvalue, 1, 2)];
            $_ivalue = (int) ($_ivalue - (ceil($_count * $_IV / 3) + $_IV));
            $_count++;
            if ($_count > 12)
                $_count = 0;

            $_masc = chr($_ivalue + 31);
            $_decoded .= $_masc;
        }

        return trim($_decoded);
    }
    // Decode function ends here
    ?>
     
  14. freecrm

    freecrm New Member

    WOW - that's complex...

    Certainly a step up from crypt().. ;)

    I do think though that this is two-way, whereas crypt() cannot be two-way as each encryption process outputs a different string with automated salt.

    This is why I need to access the original stored salt before I can then encrypt the login posted password and compare that with the database entry.

    Thanks for the efforts though guys/gals.
    Edit:
    Oops - sorry - this is encoded - just read up on it... :happysad:

    Thanks for the help
     
    Last edited: Nov 11, 2008
  15. welch

    welch New Member

    $encryptedvalue = md5($whatever_you_want_to_encrypt);

    that makes a 32 bit one way hash
     
  16. mattura

    mattura Member

    No need to over complicate things, as you said:
    So generate a random string (try uniq), let's call it $pass, create a salt string (for added security with weak passwords)
    PHP:
    $salt = "*saltilicious*XxX";
    $hash = md5($salt.$pass);
    store $hash in your database and send an email which shows $pass (unencrypted)
    When user logs in, hash the password they typed in (with the salt, as above) and compare this to the value in the database.

    You can allow the user to change password at this point (or after), just make sure you overwrite the database password with the salted hash of the new password!
     
    Last edited: Nov 11, 2008
  17. Scoochi2

    Scoochi2 New Member

    The best way is also the way that has already been said, and is also the simplest. :)
    Just run the following on its own and look at the results. Study it well, you'll see how it works :)
    PHP:
    <?php
    $password1 = 'password';
    echo "original password: <b>$password1</b><br>";
    $pass1_crypt = crypt($password1);
    echo "crypted password: <b>$pass1_crypt</b><br><br>";

    $password2 = 'password';
    echo "second password: <b>$password2</b><br>";
    $pass2_crypt = crypt($password2);
    echo "second crypted password: <b>$pass2_crypt</b><br><br>";

    $password3 = 'Password';
    echo "third password: <b>$password3</b><br>";
    $pass3_crypt = crypt($password3);
    echo "third crypted password: <b>$pass3_crypt</b><br><br>";

    $pass2_crypt2 = crypt($password2, $pass1_crypt); // the second parameter is the salt. It is randomly generated if not specified.
    echo 'second password is shown crypted on the next line, using first crypted password as a salt. It should be exactly the same as the first crypted password<br>'.$pass2_crypt2.'<br><br>';

    $pass3_crypt2 = crypt($password3, $pass1_crypt);
    echo 'third password is shown crypted on the next line, using first crypted password as a salt. It should NOT match the first crypted password, as it is a different string (p is a capital!)<br>'.$pass3_crypt2.'<br><br>';

    // now we compare...
    if ($pass2_crypt2 == $pass1_crypt)
    echo 'first and second passwords match.';
    else echo 'first and second passwords do not match!';

    echo '<br>';

    if ($pass3_crypt2 == $pass1_crypt)
    echo 'first and third passwords match.';
    else echo 'first and third passwords do not match!';
    ?>
    Edit:
    I have taken the liberty of using my code above. Here's the results. You will get different passwords (they're randomly generated, remember!), but the ones that should match up will still match up, and be 100% the same.
     
    Last edited: Nov 11, 2008
  18. vol7ron

    vol7ron New Member

    Last edited: Nov 12, 2008
  19. freecrm

    freecrm New Member

    OK.. you're probably not going to like me for this...

    I have adapted a DW CS3 login system - most of which works but the only page I can't work out is the main login page, which contains a lot of script I don't get!

    Attached...

    I suspect that the line I need to amend is

    PHP:
    $LoginRS__query=sprintf("SELECT USERNAME, PASSWORD, LEVEL, GROUPCODE, USERTZ, USERTF FROM CONTACTS WHERE USERNAME=%s AND PASSWORD=%s",
      GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
    to something like

    PHP:
    $LoginRS__query=sprintf("SELECT USERNAME, PASSWORD, LEVEL, GROUPCODE, USERTZ, USERTF FROM CONTACTS WHERE USERNAME=%s AND PASSWORD=%s",
      GetSQLValueString($loginUsername, "text"), GetSQLValueString(crypt($password, $password), "text")); 
    but this doesn't make sense, because it's not using the original stored password as a salt - and it doesn't seem to make comparisons after the query has been called.

    I'm at a loss... :dunno:
     


  20. xPlozion

    xPlozion New Member

    I'm sorry, but I've tried looking through this, but I'm not sure exactly where you stand. Also, the code is untidy and kinda hard to look through.

    But I think this is what you want
    PHP:
    $LoginRS__query=sprintf("SELECT USERNAME, PASSWORD, LEVEL, GROUPCODE, USERTZ, USERTF FROM CONTACTS WHERE USERNAME=%s AND PASSWORD=%s",
      GetSQLValueString($loginUsername, "text"), GetSQLValueString(crypt($password, $salt), "text"));  
    although you _should_ consider looking into sha1, as it's more secure and I use it :D
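As an added example that is not from this thread or any of its posters, here is the register-then-verify flow the replies describe (Scoochi2's "use the stored hash as the salt" and the DW login query in the last two posts) as one stand-alone script: look the row up by username only, then run crypt() in PHP with the stored hash as the salt. It assumes PHP 7 or later with the pdo_sqlite extension; the CONTACTS table, the helper names and the sample credentials are constructed for the example.

```php
<?php
// Example script (not from the thread): crypt() with a random bcrypt salt on
// registration, and verification by re-running crypt() with the stored hash
// as the salt. Assumes PHP >= 7.0 (random_bytes, hash_equals) and pdo_sqlite.

function makeHash(string $password): string {
    // crypt() no longer invents a salt for you on PHP 8, so build a bcrypt
    // salt explicitly: "$2y$<cost>$" followed by 22 chars from [./A-Za-z0-9].
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);          // 60-char hash, salt embedded in it
}

function verifyHash(string $password, string $storedHash): bool {
    // The stored hash is the salt: crypt() reads algorithm, cost and salt
    // from it, so the right password reproduces the stored string exactly.
    // hash_equals() compares in constant time. password_hash()/password_verify()
    // (PHP 5.5+) wrap this same pattern.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

function registerUser(PDO $db, string $user, string $password): void {
    $stmt = $db->prepare('INSERT INTO CONTACTS (USERNAME, PASSWORD) VALUES (?, ?)');
    $stmt->execute([$user, makeHash($password)]);
}

// Select by username only; the password check happens in PHP, because the
// stored hash is needed as the salt before anything can be compared.
function loginUser(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT PASSWORD FROM CONTACTS WHERE USERNAME = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                        // unknown user
    }
    return verifyHash($password, $row['PASSWORD']);
}

// In-memory SQLite stands in for the thread's MySQL CONTACTS table (constructed).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE CONTACTS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL)');

// Constructed sample run: one registration, then three login attempts
registerUser($db, 'alice', 'password');
$results = [
    'correct password' => loginUser($db, 'alice', 'password'),
    'wrong case'       => loginUser($db, 'alice', 'Password'),
    'unknown user'     => loginUser($db, 'bob', 'password'),
];
var_dump($results);
```

Run it twice and the stored hash differs each time (fresh random salt), while loginUser() still succeeds only for the correct password.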
     