0

Hi. There is an XML file in which I am assigning the value of a password that I get from a third party. I want to mask it. I want to hide that password. The code is in PHP. Is it possible to mask a password in PHP?

Pranav

5 Answers

2

You can encrypt the password using the following:

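```php
// Requires the mcrypt extension (deprecated in PHP 7.1, removed from core in PHP 7.2).
// SALT is used here as the encryption key.
define('SALT', 'atopsecretphrase');

// Encrypts $text with Rijndael-256 in ECB mode and returns the result base64-encoded.
// ECB mode does not use the IV, so the random IV passed in has no effect.
function encrypt($text)
{
    return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SALT, $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
}

// Reverses encrypt(); trim() strips the zero-byte padding mcrypt adds to the last block.
function decrypt($text)
{
    return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, SALT, base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
}

$encryptedmessage = encrypt("mypassword");
echo decrypt($encryptedmessage);
```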
ajtrichards
1

You can hash your password with md5() or sha1()

Jeanbon
    Neither md5 nor sha1 should be used to hash passwords. The best option I've seen is the phpass framework http://www.openwall.com/phpass/ – hellsgate Jul 26 '12 at 13:47
0

If you need to pass the password on, the best you can do is encrypt the password.

If you only need to check the password you should look at hashing. See: http://phpsec.org/articles/2005/password-hashing.html

Mex
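The two cases separated in the answer above (a password that must be passed on versus one that only needs to be checked), shown side by side as an added example that is not part of the original thread. It assumes PHP 7.2 or later with the bundled sodium extension; the XML element names and the inline key are constructed for the demo.

```php
<?php
// Added example. Assumes PHP 7.2+ (bundled sodium extension); the XML element
// names and the inline key are constructed for this demo.

// Password must be passed on later: authenticated encryption, fresh nonce each time.
function seal_password(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The nonce is not secret, so it is stored in front of the ciphertext.
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function open_password(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Ciphertext was modified or the key is wrong');
    }
    return $plain;
}

// Constructed sample values. In real use the key is loaded from outside the
// code base and the XML file, never stored next to the data it protects.
$key      = sodium_crypto_secretbox_keygen();
$password = 'mypassword';

$xml = new SimpleXMLElement('<credentials/>');
$xml->addChild('password', seal_password($password, $key));
// Password only needs to be checked: store a salted, slow hash instead.
$xml->addChild('password_hash', password_hash($password, PASSWORD_DEFAULT));
echo $xml->asXML(), PHP_EOL;

// Round trip: decrypt for forwarding, verify for login-style checks.
var_dump(open_password((string) $xml->password, $key) === $password);
var_dump(password_verify($password, (string) $xml->password_hash));

// A stored value that was altered is rejected instead of decrypting to garbage.
$tampered = base64_encode(strrev(base64_decode((string) $xml->password)));
try {
    open_password($tampered, $key);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```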
0

You could save it hashed. For example, sha1($password) will already return the same hash for the same password, but it cannot be decrypted.

That way the password is safe, and you could always take the input of the user, hash it the same way and compare his password entered with the one in the XML file.

Otherwise, another solution is to write your own encryption/decryption algorithm instead of hashing.

  • If you're hashing passwords, always remember to salt them. http://crackstation.net/hashing-security.htm – Mex Jul 26 '12 at 13:46
  • I'm simply explaining the theory and the difference between encryption and hashing. Then if you want to get technical, both need a salt, rounds of encoding and other concerns that could make the algo weaker. For example, some encryption doesn't stack up but instead weakens the secret. But anyway... thanks for your *very* pertinent answer, you should focus on OP's problem and not my (actually decent) knowledge on obfuscation. –  Jul 26 '12 at 13:51
  • Also sha1 is no longer considered safe for password hashing. – Mex Jul 26 '12 at 13:51
  • @Mex: It's an EXAMPLE. I wrote "FOR EXAMPLE" in my comment. –  Jul 26 '12 at 13:52
  • It might only be an example, but you probably shouldn't get people into bad habits through an example. – Mex Jul 26 '12 at 14:00
  • @Mex: I said he could save it hashed or create his own encryption/decryption algorithm. The choice of the method, the library, the actual implementation is up to him. I quoted `sha1()` because even if it's old, it's easy to find information on the internet on what it is, and how it does it - as an example. In my opinion, that's far better than an explanation on SO, BUT, I even went further than that and _explained_ the goal is something that will `always return the same hash for the same password, but cant be decrypted`. Tell me I'm wrong and Google can find you millions of links. –  Jul 26 '12 at 14:14
  • `sha1()` is maybe obsolete, but it used to be -the- way so also a good starting point to start learning that stuff. I wouldn't recommend it tho, hence my post, hence my comments, hence the time wasted replying to your posts. I'm here to guide people on the good track, to understand what they are doing by themselves. An easy answer doesn't make you a better programmer, it's someone else's knowledge instead of yours. –  Jul 26 '12 at 14:20
-2

Try the following:

```php
echo md5("password");
```

Will return:

```
5f4dcc3b5aa765d61d8327deb882cf99
```
Bram Verstraten
  • md5 is no longer considered a safe hashing function. See for example http://www.net-security.org/secworld.php?id=5648 – Mex Jul 26 '12 at 13:50
  • Thanks for the feedback. I'm still using it because the chance of getting 2 identical hashes is extremely small. – Bram Verstraten Jul 26 '12 at 13:55
  • I think Mex refers to the fact the algo has been broken before by MIT students. Actually the fact that it's an old hashing algorithm also makes it weaker, because the longer you expose a hashing algo to the real world, the more time you give to super-computers to hash its entire combinations namespace and build associative key=values databases. Once you have all the possibilities, you can exploit collisions... and your day is ruined. –  Jul 26 '12 at 14:26