PHP How to encrypt AND decrypt passwords?

JosiahMaybe

Gold Coder
Okay so I use openssl_encrypt and openssl_decrypt but that just sounds like it depends on SSL certificates and since they only last a year, how am I supposed to encrypt and decrypt passwords? I know password_hash won't work because I need to get origin again. Also, unsure what happens if I use 256 bit based things on a 256+ size password, do I need to limit origin size? Obviously yes to an extent but what would be possible? X E.
 
Solution
These are just SSL utility functions that require no certificates.
Not sure why you think the encryption bit size is related to the byte size of the data encrypted ? It isn't. And anyway, are you honestly thinking of using passwords of that size ?
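As an added example (not code from the thread), here is the round trip the accepted answer describes: openssl_encrypt/openssl_decrypt with AES-256-CBC need only a 32-byte key and a fresh IV, no certificate, and the key size has nothing to do with the plaintext length. The HMAC tag, the HKDF key split and the helper names are assumptions added here, not part of the original answer.

```php
<?php
// Added example, not from the thread: AES-256-CBC round trip with
// openssl_encrypt/openssl_decrypt. No certificate is involved; the only
// inputs are a 32-byte key, a fresh 16-byte IV and the plaintext. The HMAC
// and the HKDF key split are additions: CBC alone does not detect tampering.
declare(strict_types=1);
const CIPHER = 'aes-256-cbc';

// Derive separate encryption and MAC keys from one 32-byte master key.
function derive_keys(string $master): array {
    if (strlen($master) !== 32) { throw new InvalidArgumentException('AES-256 needs a 32-byte key'); }
    return [hash_hkdf('sha256', $master, 32, 'enc'), hash_hkdf('sha256', $master, 32, 'mac')];
}

// Returns base64(iv || ciphertext || hmac-sha256(iv || ciphertext)).
function encrypt_secret(string $plaintext, string $master): string {
    [$encKey, $macKey] = derive_keys($master);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // never reuse an IV under the same key
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string()); }
    return base64_encode($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}

function decrypt_secret(string $blob, string $master): string {
    [$encKey, $macKey] = derive_keys($master);
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 32) { throw new RuntimeException('blob too short or not base64'); }
    $iv  = substr($raw, 0, $ivLen);
    $ct  = substr($raw, $ivLen, -32);
    $tag = substr($raw, -32);
    // Check the tag before decrypting; hash_equals is constant-time.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        throw new RuntimeException('integrity check failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) { throw new RuntimeException('openssl_decrypt failed'); }
    return $pt;
}

// Demo with constructed input: the 256-bit key size has nothing to do with
// plaintext length, so a 300-byte secret round-trips exactly like a short one.
$master = random_bytes(32); // in practice loaded from a secrets store, not hard-coded
foreach (['short-pw', str_repeat('x', 300)] as $secret) {
    $blob = encrypt_secret($secret, $master);
    assert(decrypt_secret($blob, $master) === $secret);
    printf("%3d-byte secret -> %d-byte blob, round trip ok\n", strlen($secret), strlen($blob));
}
```

Whoever holds the master key can recover every stored secret, so the key must live outside the database and the blobs; that is the trade-off a reversible scheme makes compared with password_hash.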
Okay so I use openssl_encrypt and openssl_decrypt but that just sounds like it depends on SSL certificates and since they only last a year, how am I supposed to encrypt and decrypt passwords? I know password_hash won't work because I need to get origin again. Also, unsure what happens if I use 256 bit based things on a 256+ size password, do I need to limit origin size? Obviously yes to an extent but what would be possible? X E.
Love the idea, however, that may not be feasible if you're gonna store those credentials.
 
Yes, I have to store these passwords. It would be for user-defined passwords, and AES-256-CBC I think is what I would be using. Just to be sure, encryption and decryption work the same regardless of which certificate I have, right? Also, for that encryption I would like to know what a sane upper bound for a password is. It would be stored as a hash in paddle.com's API stuff, custom_data. I legitimately can set almost any size other than infinity, and obviously I should not have excessive storage for that. X E.
 
Because I need to get those passwords back unencrypted eventually, and password_hash seems not to support that. I would be doing something like, on a recovery attempt, emailing out the unencrypted password. Seems like a bad idea, but it reduces the space needed. X E.
 
Sorry for the delay. This seems like a horrible idea to me. The entire point of the password hashing is that it's a one way street.

Also in my opinion, you should never email passwords in plain text. You are opening up a big security hole.
 
Sorry for the delay. This seems like a horrible idea to me. The entire point of the password hashing is that it's a one way street.

Also in my opinion, you should never email passwords in plain text. You are opening up a big security hole.
I agree. Implementing "password recovery" by mailing back the original unencrypted password is a Seriously Bad Idea. Which is why nobody ever does that. Send back a link that the user can use to set a new password.
 