0

I'm building the login part of a CodeIgniter app using the simple login class as the starting point. It's all working fine, but I'm unsure of the differences between the encryption types, and which to use.

I've gone for using the crypt() function with the user's password as the salt (via md5), like so:

$pass == crypt($_POST['login_password'], md5($_POST['login_password']))

Is this method ok, or is there a glaring error in that approach? This seems secure as neither password nor salt is stored in the database. Or is it a bit obvious?

Thanks in advance.

1
  • Might want to fix your link ;) Commented Nov 16, 2010 at 20:26

4 Answers

3

http://php.net/manual/en/faq.passwords.php

This is the correct way to implement passwords.

Everything below is irrelevant.


With what you have right there, a simple

$pass = md5($_POST['login_password'] . "somerandomchars"); 

will suffice in most cases unless a high degree of security is required.

If you're using CodeIgniter I highly suggest looking into the TankAuth authentication plugin.


3 Comments

Hi @castis! Thanks for your answer. I started off with just using an md5 hash, but was under the impression a salt should be used to prevent the use of rainbow tables? Thanks for the link, looks good, I'll check that out.
Yeah, you should definitely use a salt for securing passwords. Take a look at this other SO entry. stackoverflow.com/questions/401656/…
Ah yeah that looks like a pretty thorough thread. Thanks, green tick on the way...
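The php.net FAQ linked in this answer recommends password_hash()/password_verify(). The following is an added example, not code from the question or any answer, contrasting that API with the question's crypt(md5($password)) approach; it also goes one step beyond the thread by showing that a hex md5 string matches no "$id$" salt format, so crypt() falls back to traditional DES (two salt characters, first eight password characters). It assumes PHP 5.5 or later; the sample passwords and record layout are constructed for the demo.

```php
<?php
// Added example, not code from the question or any answer. It contrasts the
// question's crypt(md5($password)) scheme with the password_hash() /
// password_verify() API the linked php.net FAQ recommends. Sample passwords
// and the record layout are constructed for this demo.

/** The question's scheme: the "salt" is derived from the password itself. */
function question_scheme(string $password): string
{
    return crypt($password, md5($password));
}

/** FAQ scheme: random per-user salt, slow algorithm, self-describing output. */
function make_record(string $password): array
{
    return ['pw_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function check_login(array $record, string $attempt): bool
{
    return password_verify($attempt, $record['pw_hash']);
}

$pw = 'correct horse battery staple';

// 1. Deterministic: every user with this password stores the same value, and
//    crypt(md5($guess)) can be precomputed for any guess without seeing the
//    database, so the scheme behaves like an unsalted hash.
printf("same password gives same stored value: %s\n",
    question_scheme($pw) === question_scheme($pw) ? 'yes' : 'no');

// 2. A 32-char hex salt matches no "$id$" scheme, so crypt() falls back to
//    traditional DES: two salt characters, and only the first 8 password
//    characters count. Shown with a fixed salt so that only the password varies.
printf("DES crypt ignores characters past the 8th: %s\n",
    crypt('correct horse battery staple', 'ab') === crypt('correct h', 'ab') ? 'yes' : 'no');

// 3. FAQ scheme: a fresh random salt per call, so equal passwords store
//    different strings, yet each verifies; a near-miss attempt does not.
$r1 = make_record($pw);
$r2 = make_record($pw);
printf("distinct stored values for equal passwords: %s\n",
    $r1['pw_hash'] !== $r2['pw_hash'] ? 'yes' : 'no');
printf("correct password accepted: %s\n", check_login($r1, $pw) ? 'yes' : 'no');
printf("wrong-case attempt rejected: %s\n", !check_login($r1, ucfirst($pw)) ? 'yes' : 'no');
```

Because password_hash() embeds the algorithm, cost and salt in its output, the stored string is all a login check needs, and the cost can be raised later with password_needs_rehash().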
3

There's also the built-in encryption library provided by CodeIgniter. You provide the "salt" in your config (application/config/config.php): $config['encryption_key']

Even though it can be "decrypted", it is quite secure:

$this->load->library('encrypt'); // encryption
$pass = $this->encrypt->encode($this->input->post('login_password'));

3 Comments

The only issue here is that if you're worried about security, and someone gets far enough into your system to get ahold of database records, chances are they can find an encryption key as well, at which point all those passwords are easily reversible through CI's encryption library. Always hash passwords, never encrypt them.
Encrypt is pointless as it can be decrypted. md5 hashes at least have to be cracked, but using a salt and maybe even sha1 instead makes things much safer.
I agree that hashing a password is considered the more secure method. What I like about the CI encryption library is that the word "password", when encrypted, produces a different string every time, making it much more difficult to crack if you only have the database files.
1

In modern applications, website passwords aren't stored using crypt. Using the hash value with a salt is much safer (if someone breaks into your db, no password is there, only the hash of the password, which they can't use to log in) and crypt really isn't very secure. Unfortunately MD5 has issues too, so I would suggest using SHA512 as a hash.

Comments

1

use $pass = do_hash($this->input->post('password')); and include security_helper into your autoload.php

Comments
