Password one way encryption.

freecrm

OK this is probably simple but I'm not sure where to start.

Registration process:

1) User enters password/ password inserted to DB (needs encryption)
2) system sends e-mail to user with validation link and confirmation of password (probably an un-encrypted copy).

3) user re-enters password on validation page (encrypted entry to be compared with DB entry)
Login:

User enters username/password
encrypted password entry needs to be compared with encrypted version in DB

I'm not expecting a written script - just some ideas please.
 

quantum1

Vague answer shown below. :)

I have seen this done before as follows:
1) Some algorithm or software is used to encrypt the password into the db.
2) User receives email with password.
3) User goes back and re-enters password to verify.
4) Web site program uses same encryption technique to encrypt the password that the user re-enters, then compares it to the encrypted password in the db.
Edit:
Wait...that's just what you said in the question I think. :(

Silly me. Is your question actually about how to compare the two encrypted passwords? Probably is if I had read your question correctly. Sorry! :p
 

freecrm

> Vague answer shown below. :)
>
> I have seen this done before as follows:
> 1) Some algorithm or software is used to encrypt the password into the db.
> 2) User receives email with password.
> 3) User goes back and re-enters password to verify.
> 4) Web site program uses same encryption technique to encrypt the password that the user re-enters, then compares it to the encrypted password in the db.
> Edit:
> Wait...that's just what you said in the question I think. :(
>
> Silly me. Is your question actually about how to compare the two encrypted passwords? Probably is if I had read your question correctly. Sorry! :p


LMAO!!!! :lol:

Yeah - I was hoping to understand the methodology.

i.e., if I have a variable $_POST['password'], how do I encrypt that before insertion for starters.. (not two way) Is this hashing? Md5? - I'm a bit lost with all the various types..

Second, I need to know for comparison reasons if you just encrypt the validation password entry with the same system and then compare the result with what is stored in the DB?
 

Scoochi2

> i.e., if I have a variable $_POST['password'], how do I encrypt that before insertion for starters.. (not two way) Is this hashing? Md5? - I'm a bit lost with all the various types..
>
> Second, I need to know for comparison reasons if you just encrypt the validation password entry with the same system and then compare the result with what is stored in the DB?

In PHP, use crypt.

For example..

PHP:
$password_crypted = crypt($_POST['password']);
Now when you want to compare, you can use the already encrypted password (hash) as a salt, which should result in the same hash as the hash used as a salt.

See PHP.net for more info.
 

quantum1

I searched on Scoochi2's idea and found the following at http://us.php.net/crypt

<?php
$password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
}
?>


Thanks, Scoochi2!
 

natsuki

I use md5 but you can use sha or crc or any other encryption.
This procedure works on all one-way encryption algorithms.

from register pw ==> md5(pw) ==> DB
login page: md5(login pw) == pw from DB ?

characters will have one and only one hash so you need not worry about it changing ex: md5('pass') will always be equal to md5('pass') that you saved in db. If you want you can add a key so that only you can validate your passwords.

$key = 'some key or phrase blah';
$key = md5($key);

md5($key . md5(pw)) ==> pw w/ key put in DB

login page: md5($key . md5(pw)) == pw w/ key in DB?

You don't need to know the real password, you just have to encrypt and compare with the saved encrypted one.
 

freecrm

OK - finally got back to this one.

I have done a quick test script to test the process but the result is always "not equal", even though it echoes the same.

PHP:
<?php
$pass1 = "password";
echo $pass1."<br>";
$passcrypt = crypt($pass1,$pass1);
echo $passcrypt."<br>";
?>

<form action="" method="post">
<input name="textfield" type="text" value="<?php echo $_POST['textfield'];?>">
<input type="submit" name="Submit" value="Submit">
</form>&nbsp;


<?php
echo $_POST['textfield']."<br>";
$testcrypt = crypt($_POST['textfield'],$_POST['textfield']);
echo $testcrypt."<br>";

if ($passcrypt == $textcrypt){
echo "equal";
}
else
{
echo "not equal";
}
?>

Any ideas?
 

Scoochi2

Try replacing it with the following:
PHP:
<?php
$pass1 = "password";
echo $pass1."<br>";
$passcrypt = crypt($pass1);
echo $passcrypt."<br>";
?>

<form action="" method="post">
<input name="textfield" type="text" value="<?php echo $_POST['textfield'];?>">
<input type="submit" name="Submit" value="Submit">
</form>&nbsp;


<?php
echo $_POST['textfield']."<br>";
$testcrypt = crypt($_POST['textfield'],$passcrypt);
echo $testcrypt."<br>";

if ($passcrypt == $textcrypt){
echo "equal";
}
else
{
echo "not equal";
}
?>
When hashing, you do not need to provide a salt (for example, in $passcrypt). However, when comparing a hash, you should pass the entire result of the first hash as the salt. This way, it ensures the same algorithm is used... or something like that.

Basically, save the results of the first crypt and then use that result when you use crypt again to compare the password to what is already saved.

Hope that helps.
 

freecrm

duh.. user error..

in the comparison I used "textcrypt" instead of "testcrypt" !!!

Replaced it and it works fine.

Admin - Please close this thread
 

freecrm

____

Arrrggh - no don't close it...

When trying to put this into practice, it's all a different story!

Crypting when storing the value is fine

PHP:
$passwordtostore = crypt($_POST['password']);

insert $passwordtostore blah de blah

but when I try to login on a login page with validation against the stored value, I'm getting different values.

PHP:
$password_validation = crypt($_POST['loginpassword'], $_POST['loginpassword']);

check $passwordtostore against $password_validation...

Should the salt be from the DB or am I missing something?
 

xmakina

This works fine for me;
Registration:
PHP:
function register($userName, $password, $password2, $email = ""){
	if(
		check($userName) 	== false || 
		check($password) 	== false ||
		checkEmail($email) 	== false
	){
		echo "<p class=\"error\">Invalid input. Please only use letters or numbers</p>";
		return false;
	}
	
	if($password != $password2){
		echo "<p class=\"error\">Passwords do not match</p>";
		return false;
	}
	
	$inPass = sha1($userName . $password);
	$sql = "INSERT INTO Users (userName, password, email) VALUES ('$userName', '$inPass', '$email')";
	$result = mysql_query($sql);
	if($result == false){
		if(mysql_errno() == 1062){
			//Duplicate
			echo "<p class=\"error\">That name or email has already been registered</p>";
			return false;
		}
		echo "<p class=\"error\">SQL Error<br />$sql<br />".mysql_error().",".mysql_errno()."</p>";
		return false;
	}
	return true;
}

Login Page
PHP:
function login($userName, $password){
	if(check($userName) == false || check($password) == false){
		showLogin();
		?>
		<p><span class="important">Invalid characters used to log in</span></p>
		<?php
	} else {
		$inPass = sha1($userName.$password);
		
		$sql = "SELECT userID FROM Users WHERE userName = '$userName' AND password = '$inPass'";
		$result = mysql_query($sql);
		if($result == false){
			?>
			<p><span class="error">SQL Error (<?php echo $sql . "<br />"; echo mysql_error();?>)</span></p>
			<?php
		} elseif(mysql_num_rows($result) == 0){
			?>
			<p><span class="important">Invalid username or password</span></p>
			<?php
		} elseif(mysql_num_rows($result) <> 1){
			?>
			<p><span class="error">Security Error. Please report this.</span></p>
			<?php
		} else {
			$_SESSION['userID'] = mysql_result($result,0,"userID");
			return true;
		}
		return false;
	}
}
 

freecrm

OK - please forgive my ignorance, but I'm not sure this script uses encryption???

However, I'm not familiar with the shal() function...

I have a multi-page registration process that verifies the e-mail address (register - sends e-mail to address provided - activate account etc.) All of this part works.

My problem is only when comparing the stored encrypted value with the crypt($_POST[' '], $whateversalt) value.

I think I may have cracked this anyway - I need to call the $passwordtostore value from the DB to use as the salt rather than the posted value. I'll let you know if this works.
 

phpasks

You can use this encoded & decode function

http://www.phpasks.com/articles/phpencodeanddecodefunction.html

PHP:
<?php
// Encode function starts here
    
     function encode($_text, $_IV = 3, $_ENCRYPT_KEY = "z1Mc6KRxA7Nw90dGjY5qLXhtrPgJOfeCaUmHvQT3yW8nDsI2VkEpiS4blFoBuZ") 
    { 

        if (is_numeric($_IV)) { 

            $_IV = intval($_IV); 

            if ($_IV < 1) 
                $_IV = 1; 
            else 
              if ($_IV > 500) 
                  $_IV = 42; 

        } else { 

            $_IV = 3; 
        } 

        $_text .= ' '; 

        $_arr1 = stringSplit($_ENCRYPT_KEY); 
        $_arr2 = $_arr1; 

        foreach ($_arr1 as $_i1 => $_v1) { 

            foreach ($_arr2 as $_i2 => $_v2) { 

                $_counter = ($_i2 + 1) + ($_i1 * strlen($_ENCRYPT_KEY)); 

                $_array[$_counter] = $_v1 . $_v2; 

                if ($_v1 == $_v2) 
                    $_array[$_counter] = $_v1 . '_'; 
            } 
        } 

        $_encoded = ''; 
        $_count = 0; 
        $_msgarr = stringSplit($_text); 

        foreach ($_msgarr as $_mindex => $_mvalue) { 

           If ($_mindex / 2 <> ceil ($_mindex / 2)) { 

                $_masc = ord($_mvalue) - 31; 
                $_masc = $_masc + (ceil($_count * $_IV / 3) + $_IV); 
                $_count++; 
                if ($_count > 12) 
                    $_count = 0; 
                $_encoded .= $_array[$_masc]; 

            } else { 

                // No need to get around str_rot13 bug here since $_mvalue is 
                // not being referenced after this point & will get overriden. 
                $_encoded .= str_rot13($_mvalue); 
            } 
        } 

        return $_encoded; 
    } 

    // Encode function ends here
    // Decode function starts here

    function decode($_text, $_IV = 3, $_ENCRYPT_KEY = "z1Mc6KRxA7Nw90dGjY5qLXhtrPgJOfeCaUmHvQT3yW8nDsI2VkEpiS4blFoBuZ") 
    { 
        $_count = 0; 

        if (is_numeric($_IV)) { 

            $_IV = intval($_IV); 

            if ($_IV < 1) 
                $_IV = 1; 
            else 
              if ($_IV > 500) 
                  $_IV = 42; 

        } else { 

            $_IV = 3; 
        } 

        $_arr1 = stringSplit($_ENCRYPT_KEY); 
        $_arr2 = $_arr1; 

        foreach ($_arr1 as $_i1 => $_v1) { 

            foreach ($_arr2 as $_i2 => $_v2) { 

                $_counter = ($_i2 + 1) + ($_i1 * strlen($_ENCRYPT_KEY)); 
                $_array[$_counter] = $_v1 . $_v2; 
                if ($_v1 == $_v2) 
                    $_array[$_counter] = $_v1 . '_'; 
            } 
        } 

        $_array = array_flip($_array); 
        $_msgarr = stringSplit($_text, 3); 

        $_decoded = ''; 

        foreach ($_msgarr as $_mvalue) { 

            // $_tmp_hold used to get around a possible PHP bug in versions 
            // earlier than 4.3.0. The variable passed in function might change. 
            $_tmp_hold  = $_mvalue; 
            $_decoded  .= str_rot13($_tmp_hold[0]); // [] offset; the {} string-offset form was removed in PHP 8

            $_ivalue = $_array[substr($_mvalue, 1, 2)]; 
            $_ivalue = $_ivalue - (ceil($_count * $_IV / 3) + $_IV); 
            $_count++; 
            if ($_count > 12) 
               $_count = 0; 

            $_masc = chr($_ivalue + 31); 
            $_decoded .= $_masc; 
        } 

        return trim($_decoded); 
    } 
        // Decode function ends here
?>
 

freecrm

WOW - that's complex...

Certainly a step up from crypt().. ;)

I do think though that this is two-way?, whereas crypt() cannot be two-way as each encryption process outputs a different string with automated salt.

This is why I need to access the original stored salt before I can then encrypt the login posted password and compare that with the database entry.

Thanks for the efforts though guys/gals.
Edit:
> However, I'm not familiar with the shal() function...

Oops - sorry - this is encoded - just read up on it... :happysad:

Thanks for the help
 

welch

$encryptedvalue = md5($whatever_you_want_to_encrypt);

that makes a 32 bit one way hash
 

mattura

No need to overcomplicate things, as you said:
> Registration process:
>
> 1) User enters password/ password inserted to DB (needs encryption)
> 2) system sends e-mail to user with validation link and confirmation of password (probably an un-encrypted copy).
>
> 3) user re-enters password on validation page (encrypted entry to be compared with DB entry)
> Login:
>
> User enters username/password
> encrypted password entry needs to be compared with encrypted version in DB

So generate a random string (try uniq), let's call it $pass, create a salt string (for added security with weak passwords)
PHP:
$salt = "*saltilicious*XxX";
$hash = md5($salt.$pass);
store $hash in your database and send an email which shows $pass (unencrypted)
When user logs in, hash the password they typed in (with the salt, as above) and compare this to the value in the database.

You can allow the user to change password at this point (or after), just make sure you overwrite the database password with the salted hash of the new password!
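
How a site that already stores `md5($salt.$pass)` values, as in the posts above, could keep checking them and move each account to a per-user salted hash at the next successful login. This is an added example, not code from the thread; `is_legacy_md5()` and `verify_and_upgrade()` are hypothetical names, the passwords are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration. The salt is the site-wide string from the post above;
// the passwords are constructed sample values.
const LEGACY_SALT = '*saltilicious*XxX';

/** A stored md5() value is exactly 32 lowercase hex characters. */
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/D', $stored) === 1;
}

/**
 * Check a login attempt against either kind of stored value.
 * Returns [bool $ok, ?string $newHash]; when $newHash is not null the caller
 * should overwrite the stored value with it.
 */
function verify_and_upgrade(string $input, string $stored): array
{
    if (is_legacy_md5($stored)) {
        $ok = hash_equals($stored, md5(LEGACY_SALT . $input));
        return [$ok, $ok ? password_hash($input, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($input, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? password_hash($input, PASSWORD_DEFAULT) : null];
}

// Two users who picked the same password get the same legacy value,
// because the only salt is shared by every row.
$alice = md5(LEGACY_SALT . 'letmein');
$bob   = md5(LEGACY_SALT . 'letmein');
echo 'legacy values identical: ', var_export($alice === $bob, true), "\n";

// A wrong password is rejected and nothing is rewritten.
[$ok, $new] = verify_and_upgrade('wrong', $alice);
echo 'wrong password accepted: ', var_export($ok, true), "\n";

// A correct login verifies against the old value and yields a replacement.
[$ok, $aliceNew] = verify_and_upgrade('letmein', $alice);
[, $bobNew]      = verify_and_upgrade('letmein', $bob);
echo 'correct password accepted: ', var_export($ok, true), "\n";
echo 'upgraded values identical: ', var_export($aliceNew === $bobNew, true), "\n";

// The upgraded value is then handled by the non-legacy branch.
[$ok, $again] = verify_and_upgrade('letmein', $aliceNew);
echo 'verifies after upgrade: ', var_export($ok, true), "\n";
echo 'needs another rewrite: ', var_export($again !== null, true), "\n";
```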
 

Scoochi2

The best way is also the way that has already been said, and is also the simplest. :)
> When hashing, you do not need to provide a salt [...]. However, when comparing a hash, you should pass the entire result of the first hash as the salt.
> [...]
> Basically, save the results of the first crypt and then use that result when you use crypt again to compare the password to what is already saved.

Just run the following on its own and look at the results. Study it well, you'll see how it works :)
PHP:
<?php
$password1  = 'password';
echo "original password: <b>$password1</b><br>";
$pass1_crypt = crypt($password1);
echo "crypted password: <b>$pass1_crypt</b><br><br>";

$password2 = 'password';
echo "second password: <b>$password2</b><br>";
$pass2_crypt = crypt($password2);
echo "second crypted password: <b>$pass2_crypt</b><br><br>";

$password3 = 'Password';
echo "third password: <b>$password3</b><br>";
$pass3_crypt = crypt($password3);
echo "third crypted password: <b>$pass3_crypt</b><br><br>";

$pass2_crypt2 = crypt($password2,$pass1_crypt); // the second parameter is the salt. It is randomly generated if not specified.
echo 'second password is shown crypted on the next line, using first crypted password as a salt. It should be exactly the same as the first crypted password<br>'.$pass2_crypt2.'<br><br>';

$pass3_crypt2 = crypt($password3,$pass1_crypt);
echo 'third password is shown crypted on the next line, using first crypted password as a salt. It should NOT match the first crypted password, as it is a different string (p is a capital!)<br>'.$pass3_crypt2.'<br><br>';

// now we compare...
if ($pass2_crypt2 == $pass1_crypt)
echo 'first and second passwords match.';
else echo 'first and second passwords do not match!';

echo '<br>';

if ($pass3_crypt2 == $pass1_crypt)
echo 'first and third passwords match.';
else echo 'first and third passwords do not match!';
?>
Edit:
I have taken the liberty of using my code above. Here are the results. You will get different passwords (they're randomly generated, remember!), but the ones that should match up will still match up, and be 100% the same.
original password: password
crypted password: $1$QP2.ZD4.$wXZAW4RGKnzXK5JZ3HTnk1

second password: password
second crypted password: $1$uu5.f33.$88kfl.f1p4DbyJlr1ZBKZ.

third password: Password
third crypted password: $1$6H5.VZ3.$WGZXDBwuuKSi4wbeBscW91

second password is shown crypted on the next line, using first crypted password as a salt. It should be exactly the same as the first crypted password
$1$QP2.ZD4.$wXZAW4RGKnzXK5JZ3HTnk1

third password is shown crypted on the next line, using first crypted password as a salt. It should NOT match the first crypted password, as it is a different string (p is a capital!)
$1$QP2.ZD4.$9vfHAiY8y2heT/OhJvN5O.

first and second passwords match.
first and third passwords do not match!
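
Why passing the whole stored hash back in as the salt works, shown as an added example that is not part of the original post: the stored string itself carries the algorithm id and the salt. The hash strings are copied from the sample output above; `split_md5_crypt()` and `verify_crypt()` are names made up for this illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; hash strings copied from the sample output in the post above.
$stored    = '$1$QP2.ZD4.$wXZAW4RGKnzXK5JZ3HTnk1'; // "crypted password"
$otherSalt = '$1$uu5.f33.$';                        // salt prefix of "second crypted password"

/**
 * Split an MD5-crypt string of the form $1$<salt>$<digest>.
 * Hypothetical helper; other crypt schemes use other layouts and return null here.
 */
function split_md5_crypt(string $hash): ?array
{
    if (!preg_match('#^\$1\$([./0-9A-Za-z]{0,8})\$([./0-9A-Za-z]{22})$#D', $hash, $m)) {
        return null;
    }
    return ['id' => '1', 'salt' => $m[1], 'digest' => $m[2]];
}

/** Re-run crypt() with the stored hash as the salt argument and compare. */
function verify_crypt(string $input, string $stored): bool
{
    $candidate = crypt($input, $stored);
    // On failure crypt() returns a short marker such as "*0"; never count that as a match.
    if (strlen($candidate) < 13) {
        return false;
    }
    return hash_equals($stored, $candidate); // constant-time string comparison
}

// crypt() reads the "$1$" id and the salt from the front of $stored and ignores the rest.
$parts = split_md5_crypt($stored);
printf("scheme id=%s  salt=%s  digest=%s\n", $parts['id'], $parts['salt'], $parts['digest']);

foreach (['password', 'Password'] as $attempt) {
    printf("%-9s %s\n", $attempt, verify_crypt($attempt, $stored) ? 'match' : 'no match');
}

// Same password, different salt: a different string, so hashing the login input
// with a fresh salt (or with the password itself as salt) cannot equal the stored value.
$resalted = crypt('password', $otherSalt);
printf("re-salted equals stored: %s\n", hash_equals($stored, $resalted) ? 'yes' : 'no');
```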
 

freecrm

OK.. you're probably not going to like me for this...

I have adapted a DW CS3 login system - most of which works but the only page I can't work out is the main login page, which contains a lot of script I don't get!

Attached...

I suspect that the line I need to amend is

PHP:
$LoginRS__query=sprintf("SELECT USERNAME, PASSWORD, LEVEL, GROUPCODE, USERTZ, USERTF FROM CONTACTS WHERE USERNAME=%s AND PASSWORD=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

to something like

PHP:
$LoginRS__query=sprintf("SELECT USERNAME, PASSWORD, LEVEL, GROUPCODE, USERTZ, USERTF FROM CONTACTS WHERE USERNAME=%s AND PASSWORD=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString(crypt($password,$password), "text"));

but this doesn't make sense, because it's not using the original stored password as a salt - and it doesn't seem to make comparisons after the query has been called.

I'm at a loss... :dunno:
 

Attachments: login.txt (5.6 KB)

xPlozion

i'm sorry, but i've tried looking through this, but i'm not sure exactly where you stand. also, the code is untidy and kinda hard to look through.

but i think this is what you want
PHP:
$LoginRS__query=sprintf("SELECT USERNAME, PASSWORD, LEVEL, GROUPCODE, USERTZ, USERTF FROM CONTACTS WHERE USERNAME=%s AND PASSWORD=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString(crypt($password,$salt), "text"));

although you _should_ consider looking into sha1, as it's more secure and i use it :D
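
The lookup order the login question above comes down to, as an added example that is not from the thread or from the Dreamweaver-generated page: select the row by USERNAME alone, then compare the submitted password with the stored hash in PHP. The in-memory SQLite database (needs the pdo_sqlite extension), the reduced CONTACTS column set, the function names and the sample account are assumptions; `password_hash()` and `password_verify()` are PHP's built-in functions for crypt()-compatible salted hashes.

```php
<?php
// Added illustration: in-memory SQLite stands in for the real database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE CONTACTS (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT, LEVEL TEXT)');

function register_user(PDO $db, string $user, string $password, string $level): void
{
    // The random salt is generated here and stored inside the hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO CONTACTS (USERNAME, PASSWORD, LEVEL) VALUES (?, ?, ?)');
    $stmt->execute([$user, $hash, $level]);
}

/** Returns the user's row without the hash, or null when the login fails. */
function login_user(PDO $db, string $user, string $password): ?array
{
    // 1) Fetch by username only. The salt lives in the stored hash, so the
    //    password cannot be matched inside the WHERE clause.
    $stmt = $db->prepare('SELECT USERNAME, PASSWORD, LEVEL FROM CONTACTS WHERE USERNAME = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 2) Compare in PHP. Unknown users are checked against a throwaway hash so
    //    both failure paths do the same amount of work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('constructed-placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['PASSWORD'] : $dummy);

    if (!$row || !$ok) {
        return null;
    }
    unset($row['PASSWORD']); // never hand the hash back to the page
    return $row;
}

register_user($db, 'alice', 'correct horse', 'admin'); // constructed account
var_export(login_user($db, 'alice', 'correct horse')); echo "\n";  // right password
var_export(login_user($db, 'alice', 'Correct horse')); echo "\n";  // wrong case
var_export(login_user($db, 'nobody', 'correct horse')); echo "\n"; // unknown user
```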
 