how to use mcrypt decryption

Question

i have made a login and register page. but my passwords aren't encrypted yet. people told me that's a bad idea and that i should encrypt them. so i have been searching around on how to encrypt and decrypt my passwords. i have found an example on how to encrypt my passwords but i do not know how to decrypt it again for my login page. here is my encrypt code:

$key = "some random security key";
$input = $password;

$td = mcrypt_module_open('tripledes', '', 'ecb', '');
$iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);
$password = mcrypt_generic($td, $input);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);

so my question is: can someone tell me what codes i need to decrypt the strings i get from the code above.

Answer 1

You can encrypt and decrypt stuff like this:

//this is some config for a good security level of mcrypt
define('SAFETY_CIPHER', MCRYPT_RIJNDAEL_256);
define('SAFETY_MODE', MCRYPT_MODE_CFB);

//this has to be defined somewhere in the application.
define('APPLICATION_WIDE_PASSPHRASE', 'put-something-secure-here');
define('ENCRYPTION_DIVIDER_TOKEN', '$$');

//some "example" data as if provided by the user
$password = 'this-is-your-data-you-need-to-encrypt';

//this key is then cut to the maximum key length
$key = substr(md5(APPLICATION_WIDE_PASSPHRASE), 0, mcrypt_get_key_size(SAFETY_CIPHER, SAFETY_MODE));

//this is needed to initialize the mcrypt algorythm
$initVector = mcrypt_create_iv(mcrypt_get_iv_size(SAFETY_CIPHER, SAFETY_MODE), MCRYPT_RAND);

//encrypt the password
$encrypted = mcrypt_encrypt(SAFETY_CIPHER, $key, $password, SAFETY_MODE, $initVector);

//show it (store it in db in this form
echo base64_encode($initVector) . ENCRYPTION_DIVIDER_TOKEN . base64_encode($encrypted) . '<br/>';

//decrypt an show it again
echo mcrypt_decrypt(SAFETY_CIPHER, $key, $encrypted, SAFETY_MODE, $initVector) . '<br/>';

But as stated before, passwords should not be recoverable from their hashed representation, so don't do this for passwords!

Answer 2

You should not try to decrypt passwords just compair the hashed passwords.

By the way if you do that in the right way it is impossible to restore the original password. You should also add a so called salt to make the password more complex.

Answer 3

I see you're a bit confused with how this works. Read this article and you'll come to know all about encryption, decryption, hashing and their use in a login system. http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

So basically, you hash a password into a hexadecimal string on registration and store it in the database. Each time the user wants to login you take his current i/p password, hash that and store it in a variable like $temp.

Now, you retrieve the original password's hash from the server and simple compare the two hashes.

...if they're same then access granted!

The many reasons you don't want to keep encrypting and decrypting a password are as follows:

• When being passed to the server the user entered password is in plain text or can be easily stolen/sniffed.
• The server has to compute the process of decrypting the password stored in the database each time it is required, as opposed to hashing where we just do a logical compare.
• If the file containing the encyption algorithm is compromised w/ the database, all passwords are lost in plain text. As users may use same passwords on multiple sites, the threat is extended.