PHP Security (Part 1 - Encrypting Passwords)

Uploaded by on Jun 18, 2010

PHP security series. This video shows you how to make a function that encrypts a string so it is almost impossible to decrypt. Uses salts, SHA1, and MD5.


Uploader Comments (shanetalbert)

  • What is the fault?

    function enc($string){ $salt = "IkHoUvAnGoEdEVrIeNdEn12345678­909887665432321"; $hash = sha1(md5($salt.$string)).$md5(­$string).sha1(md5(md5($string)­)); return $hash;

  • @SuperDragonia you have extra hyphens in there. Also, there appears to be a question mark after $hash= (when copied/pasted - you might want to check that out.) PM me if you need additional help!

  • To make it even more secure, I generate a new random salt for every password (using ASCII values from 33 to 126, which has a good number of special characters) and store it in the database. I generate a new salt every time the user is logging in, so the hash in the database is never the same.

    To make the string shorter, you can pass everything into MD5; it won't be less secure and will use less space in the database, only 32 chars (useful if you have a lot of members).

  • @HCkev Wow, that sounds like a pretty secure method. However, I don't think anyone watching YouTube tutorials about this will need that level of security (probably only large businesses / critical info), and it takes a somewhat powerful server to handle that too. But thanks for the info, I'd love to try to build something like that one day.

  • Can anyone make another script and use the same code as this but change it to decrypt it? Or is it made to only work with the current system you're using?

  • @computertrick Well, not really. It would take a lot of code to take a hashed string, run it through a function like this, and then get plain text from it. You would have to separate md5 from sha1 from the salts, which is near impossible. I don't think anyone could decrypt a hash from this.


All Comments (18)

  • @BKoehler65 It's quite easy, you need to encode the password specified in the form, and compare it to the hashed password stored in the database. If the two hashes are not identical, then it's the wrong password.

  • I have a quick question. I am rather new to setting up php logins, and I was wondering if it would be possible to get a tutorial on actually placing the enc function into the login system. I think it would be good to see it in a real world application.

  • @RavenRof Yeah, that would work too, but could also be cracked (some rainbow tables have common salts added). If you want to make it simple & secure & fast, you could do something like md5("FIRSTSALT".$password."SALT2");

  • @shanetalbert Yeah, using just md5 or sha1 would be a bad idea. But SALTing a passphrase and md5'ing it would ruin all the rainbow table cracking. And a lot less CPU cycles, I believe. So... md5("Strong Passwrod" . "S@LT||\|G") = done. What's your opinion on this?
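
The login check described in the reply to @BKoehler65 (hash the submitted password, compare it with the stored hash), combined with the per-password random salt mentioned earlier in the thread, as an added example that is not from the video or from any commenter. It swaps the thread's md5/sha1 constructions for PHP's built-in password_hash() and password_verify(); the $users array, the function names and the sample credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a users table: username => stored hash string.
$users = [];

function register_user(array &$users, string $name, string $password): void
{
    // password_hash() draws a fresh random salt on every call and embeds the
    // salt, algorithm and cost in the returned string, so no salt column is needed.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array &$users, string $name, string $password): bool
{
    // Hash kept only so unknown usernames cost about as much as known ones.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    $known  = isset($users[$name]);
    $stored = $known ? $users[$name] : $dummy;

    // password_verify() re-derives the hash using the salt embedded in $stored
    // and compares the result in constant time.
    $ok = password_verify($password, $stored) && $known;

    // After a successful login, upgrade hashes made with older settings.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample accounts sharing one password.
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');

echo "alice: {$users['alice']}\n";
echo "bob:   {$users['bob']}\n";
echo 'stored hashes identical: ';
var_dump($users['alice'] === $users['bob']);
echo 'right password accepted: ';
var_dump(check_login($users, 'alice', 'correct horse battery staple'));
echo 'wrong password accepted: ';
var_dump(check_login($users, 'alice', 'Strong Passwrod'));
echo 'unknown user accepted: ';
var_dump(check_login($users, 'mallory', 'correct horse battery staple'));
```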
