
Possible Duplicate:
md5 decoding. How they do it?

There are basic encoders like sha1, md5, etc. Even though they are said to be "one-way" encoders, I found a couple of online tools which can decode the encryption. I'm not an expert in security, so I need your help.

Are there any one-way encoding solutions in PHP?

Thanks

Sherzod
  • 1
    `I found couple online tools, which can decode the encryption`. You found an online tool that reverses a SHA1 hash? I would be interested in seeing it. – Darin Dimitrov Dec 29 '11 at 08:40
  • Let me know if I'm wrong: http://www.stringfunction.com/sha1-decrypter.html – Sherzod Dec 29 '11 at 08:44
  • @Gumbo I'm not asking how they decode sha1, md5, etc. But rather, are there any real one-way encoders, or what's the best way to go? – Sherzod Dec 29 '11 at 08:55
  • See [here](http://stackoverflow.com/questions/2235158/php-sha1-vs-md5-vs-sha256-which-to-use-for-a-php-login) for details and options – PurplePilot Dec 29 '11 at 08:55
  • From the page you link to _"This sha1 decrypter simply uses a database to match a message and his sha1 encrypted value. This method needs a lot of records in order to be efficient. We don't use any brut force method"_. In plain English: SHA1 is not reversible, but you can pre-calculate hashes and look them up, just as you can for any other one-way hash algorithm. – nikc.org Dec 29 '11 at 09:03
  • @shershams They *are* real one-way functions. But they might not be the best choice depending on what you want to use them for. – Gumbo Dec 29 '11 at 09:05
  • @nikc I think I got it now. Any suggestions on what's the best way to go when storing users' passwords and other sensitive data? Links to useful articles? – Sherzod Dec 29 '11 at 09:09
  • @shershams [Try This](http://stackoverflow.com/questions/8619848/how-to-go-about-encrypting-user-login-passwords-for-a-website) – Grexis Dec 29 '11 at 09:13
  • 2
    @shershams For a straight-to-the-point article on how to store a password, see http://codahale.com/how-to-safely-store-a-password/ (Then get a bcrypt implementation for PHP here: http://www.openwall.com/phpass/) When you need to help your users create strong passwords, see XKCD http://xkcd.com/936/ – nikc.org Dec 29 '11 at 09:17
  • @nikc thanks for the resource. I will go through them first thing in the morning. Thanks! – Sherzod Dec 29 '11 at 09:22
  • @shershams So this question is no longer relevant, right? – Gumbo Dec 29 '11 at 11:21
  • "This sha1 decrypter simply uses a database to match a message and his sha1 encrypted value. This method needs a lot of records in order to be efficient. We don't use any brut force method" - that, to me, sounds like a dictionary definition of brute force reversal (and it doesn't decrypt it just looks for a known collision) – symcbean Dec 29 '11 at 13:13

1 Answer

1

There are many options available in PHP. Is Blowfish safe enough for you? Then take a look at crypt(): http://www.php.net/manual/en/function.crypt.php It also supports SHA 256 and 512.

If that is not enough for you, then you can try the Cryptography extensions available in PHP: http://www.php.net/manual/en/refs.crypto.php It offers so many options, although the HASH extension is the only one that is part of PHP core (so you don't have to compile PHP again to enable it, as you would have to do with the others).
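
The lookup-table point from the comments and the crypt() suggestion in this answer, side by side, as an added example (not code from the original answer or its author). It assumes PHP 7 or later; the helper names `bcrypt_hash` and `bcrypt_verify` and the sample passwords are made up for illustration.

```php
<?php
// Added example, not from the original answer. Sample passwords are constructed.

// 1. Unsalted SHA-1: the same input always yields the same digest, so a
//    table computed once in advance matches every user with that password.
$precomputed = [];
foreach (['123456', 'password', 'letmein'] as $candidate) {
    $precomputed[sha1($candidate)] = $candidate;
}

$storedSha1 = sha1('letmein');   // what a site storing plain sha1() would hold
$found = $precomputed[$storedSha1] ?? null;
echo "sha1 table lookup: ", var_export($found, true), "\n";

// 2. crypt() with Blowfish (bcrypt): random per-user salt plus a cost factor.
function bcrypt_hash(string $password, int $cost = 10): string
{
    // 16 random bytes -> 22 characters from bcrypt's ./A-Za-z0-9 alphabet
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        // crypt() signals failure with a short "*0"/"*1" string
        throw new RuntimeException('bcrypt unavailable or salt rejected');
    }
    return $hash;
}

function bcrypt_verify(string $password, string $stored): bool
{
    // Passing the stored hash as the salt makes crypt() reuse its salt and
    // cost; hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// Same password hashed twice: the random salts make the stored values differ,
// so a table keyed on the hash value alone cannot cover both.
$a = bcrypt_hash('letmein');
$b = bcrypt_hash('letmein');
echo "bcrypt hashes identical: ", var_export($a === $b, true), "\n";
echo "correct password verifies: ", var_export(bcrypt_verify('letmein', $a), true), "\n";
echo "wrong password verifies: ", var_export(bcrypt_verify('wrong', $a), true), "\n";
```

Since PHP 5.5, `password_hash()` and `password_verify()` wrap the same bcrypt scheme and generate the salt for you.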