PHP

ENCRYPT DECRYPT VERIFY PASSWORDS IN PHP

01 PASSWORD HASH & VERIFY

ENCRYPT PASSWORD
    $hash = password_hash($password, PASSWORD_DEFAULT);

VERIFY PASSWORD
    $valid = password_verify($clear, $hash);

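02 OPENSSL ENCRYPT DECRYPT

ENCRYPT PASSWORD
    $secret = "SECRET-KEY";
    $hash = openssl_encrypt($password, "AES-128-ECB", $secret);

VERIFY PASSWORD
    $plain = openssl_decrypt($hash, "AES-128-ECB", $secret);
    // openssl_decrypt() returns false on failure; compare as strings, not with ==
    $valid = is_string($plain) && hash_equals($plain, $clear);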

NOT A GOOD IDEA! Secret key compromise = Passwords visible to hacker. Lost secret key = crippled system.

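03 CRYPT & HASH EQUALS

ENCRYPT PASSWORD
    $salt = substr(base_convert(sha1(uniqid(mt_rand())), 16, 36), 0, 14);
    // The salt has no "$id$" prefix, so crypt() uses standard DES:
    // only the first 2 salt characters and the first 8 password characters count.
    $hash = crypt($password, $salt);

VERIFY PASSWORD
    $valid = hash_equals($hash, crypt($clear, $hash));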

04 SALTED MD5

ENCRYPT PASSWORD
    $salt = substr(base_convert(sha1(uniqid(mt_rand())), 16, 36), 0, 14);
    $hash = $salt . md5($salt . $password);

VERIFY PASSWORD
    $dsalt = substr($hash, 0, 14);
    $dpass = substr($hash, 14);
    // hash_equals() instead of ==, which compares "0e..." hex digests as numbers
    $valid = hash_equals($dpass, md5($dsalt . $clear));
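
MOVING METHOD 04 RECORDS TO METHOD 01 (added example, not part of the original slides): a login check that accepts a stored value in either the salted MD5 layout (14-character salt plus MD5 hex) or the password_hash() layout, and returns a replacement hash when the stored one should be upgraded. The function name verify_and_upgrade() and the sample salt and password are assumptions made for illustration.

```php
<?php
// Added example; verify_and_upgrade() is a hypothetical name, not from the slides.
// Returns [valid, replacementHash]; replacementHash is null when nothing needs storing.
function verify_and_upgrade(string $clear, string $stored): array
{
    // password_get_info() reports algoName "unknown" for anything password_hash() did not produce.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        // Method 01 record: password_verify() compares in constant time.
        if (!password_verify($clear, $stored)) {
            return [false, null];
        }
        // Re-hash only if PASSWORD_DEFAULT or its cost changed since this hash was made.
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($clear, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }

    // Method 04 record: 14 salt characters followed by the 32 hex digits of md5().
    if (strlen($stored) !== 46) {
        return [false, null];
    }
    $salt   = substr($stored, 0, 14);
    $digest = substr($stored, 14);
    // hash_equals() compares as strings, so "0e..." digests are never read as numbers.
    if (!hash_equals($digest, md5($salt . $clear))) {
        return [false, null];
    }
    // Correct password on a legacy record: return a method 01 hash to store in its place.
    return [true, password_hash($clear, PASSWORD_DEFAULT)];
}

// Constructed sample data: one method 04 record and three login attempts.
$legacySalt = 'abcdefghij0123'; // 14 characters, constructed
$legacy     = $legacySalt . md5($legacySalt . 'hunter2');

[$ok, $upgraded] = verify_and_upgrade('hunter2', $legacy);
var_dump($ok, password_get_info($upgraded)['algoName']);

[$okAgain, $rehash] = verify_and_upgrade('hunter2', $upgraded);
var_dump($okAgain, $rehash);

[$wrong] = verify_and_upgrade('wrong-password', $legacy);
var_dump($wrong);
```

Whenever the second element of the result is not null, store it in place of the old hash.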