
Encryption within native PHP and PERL

Developer https://www.devze.com 2023-01-30 09:31 Source: web

I am looking for a way to insert encrypted passwords into a database (MySQL) that I can decrypt later. I've done research and I've come to the conclusion that bcrypt would be the more secure way to store passwords, but then I can't get them back, and it's important that I know their passwords in case I need to log in to their system (I don't want to rely on IP authentication).

http://php.net/manual/es/function.mcrypt-cbc.php has some good examples of using a library for encryption on both PHP and PERL, but PERL requires an additional library and PHP needs to be a certain version.

I am looking for a solution that has the ability to run on PERL and PHP natively (no additional libraries) with versions that are at least a year old. No PHP 5.3 functions or anything of the like.

The system only has 100 or so users, so there isn't a huge risk of someone even getting access to the database, but just in case I want some kind of protection. If need be, I would be OK with having to add a library to PERL, but I can't really be picky with a PHP library or require a PHP version higher than 5.0.


If you're using MySQL you may want to look into using MySQL functions such as AES_ENCRYPT/AES_DECRYPT:

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html
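What the AES_ENCRYPT/AES_DECRYPT approach looks like end to end, as an added example that is not part of the answer above. The table name, column names and the key value are assumptions for illustration; nothing in the thread specifies a schema.

```sql
-- Added example (not from the thread): reversible credential storage with
-- MySQL's built-in AES_ENCRYPT/AES_DECRYPT. Table, columns and key are assumed.
CREATE TABLE user_credentials (
    id        INT AUTO_INCREMENT PRIMARY KEY,
    username  VARCHAR(64) NOT NULL UNIQUE,
    password  VARBINARY(255) NOT NULL   -- ciphertext is binary; a VARCHAR column would mangle it
);

-- The key is supplied by the application with each statement; it is never stored in the table.
SET @k = 'replace-with-a-real-secret-key';

INSERT INTO user_credentials (username, password)
VALUES ('alice', AES_ENCRYPT('correct horse battery staple', @k));

-- Decrypt later with the same key; CAST turns the binary result back into text.
SELECT username,
       CAST(AES_DECRYPT(password, @k) AS CHAR) AS plaintext
FROM user_credentials
WHERE username = 'alice';

-- A wrong key does not raise an error. AES_DECRYPT returns NULL when the padding
-- check fails (the usual outcome with a wrong key) and occasionally garbage, so
-- check for NULL rather than assuming decryption succeeded.
SELECT AES_DECRYPT(password, 'wrong-key') IS NULL AS key_rejected
FROM user_credentials
WHERE username = 'alice';
```

Two caveats a practitioner would want before choosing this: in the MySQL 5.1 release the linked manual documents, AES_ENCRYPT uses AES-128 in ECB mode, so identical passwords produce identical ciphertext; and the key travels in plaintext inside every statement, so it can appear in the general query log, the slow query log and SHOW PROCESSLIST. The key also has to live on the application server, which is the point the hashing answers below make.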


Using a standard hashing function (e.g. one of the SHA versions) does mean that you can't get the password back, but it doesn't mean you can't log in to their system.

Just update the password hash in the database with a known one (e.g. update user set password = sha1('password') etc), log in, then update the password back to the old hash. You're in, and their password is back to how it was.

If you're encrypting and decrypting, then the keys will need to be on the server; if you're compromised, the attacker will have access to the keys as well, so you might as well leave the passwords unencrypted if you're not going to hash them.
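The temporary hash swap described above, written out as an added example that is not part of the answer. The `user` table with `id` and `password` columns, the user id 42 and the temporary password are assumptions; the one thing worth stressing is the WHERE clause, since an UPDATE without it rewrites every row.

```sql
-- Added example (not from the thread): log in as a user whose password is stored
-- only as a hash by temporarily replacing the hash, then restoring it.
-- Table, columns, the user id and the temporary password are assumed.
SET @uid = 42;                                   -- the account you need to enter

-- Keep the real hash so it can be put back. @old_hash is a session variable,
-- so stay in this client session (or copy the value out) until the restore is done.
SET @old_hash = (SELECT password FROM user WHERE id = @uid);

-- Install a hash whose plaintext you know. WHERE is essential: without it every
-- row in the table gets the same password.
UPDATE user SET password = SHA1('temporary-login') WHERE id = @uid;

-- ... log in to the application as user 42 with the password 'temporary-login' ...

-- Put the original hash back so the user's real password works again.
UPDATE user SET password = @old_hash WHERE id = @uid;

-- Verify the restore before leaving; expect restored = 1.
SELECT password = @old_hash AS restored FROM user WHERE id = @uid;
```

The hash function and any salting must match whatever the application uses to verify logins (SHA1 here follows the answer's example); if the application salts per user, the temporary value has to be computed the same way or the login will fail even though the row changed.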


Just hash the passwords using SHA256 or SHA512. It should be enough. Now, you said you want to know their passwords so you can log in to their account. You, as the administrator, should have the ability to log in as the user without knowing their passwords.

If you need to log in as the user then I am guessing you need to change something? Well, an administrator should be able to change users' data without having to be logged in as them...

So I can only say fix your system.
