crypt password storage and retrival php

Question

I am trying to set up a secure login & register system using crypt() as I have read that that is php's stored function for bcrypt

I am registering a user but taking their password and and then crypting it.

$hashed_password = crypt($mypassword);

I then store $hashed_password in the db

then when the user logs in I am trying to match the password to whats stored.

I found this function on php.net but cant get it to work

$password is the stored crypted password and $mypassword is the users input

if ($password == crypt($mypassword, $password)) {
    echo "Success! Valid password";
}

I understand that crypt generates a unique hash each time its called so I dont understand how the function can work.

Am I completeley missing the point as I read that crypt() is a one function and decrypt does not exist?

any help greatly appreciated in not only showing the error of my ways but also in completing this secure login

Answer 1

You're using second parameter in your crypt() call, so it's treated as salt. To compare properly, you can use:

if ($password == crypt($mypassword)) 
{
    echo "Success! Valid password";
}

But PHP provides native functionality for hashing routines - it is introduced if 5.5 version and called password hashing.

For PHP versions below 5.5 down to 5.3.7, there is a backported compatibility function that does the same: https://github.com/ircmaxell/password_compat Just include it and use it.

But note that you have to read the hashed password from the database and then compare it with PHP. You cannot query the database with a newly created password hash to find the user.

Answer 2

Assuming that the encrypted password from the database is $db_pass and the entered password is $new_pass. Then here's how you test it:

if($db_pass === crypt($new_pass)){
    echo "Success!";
}

This post will help...

Answer 3

Assuming the current database is reading the password, all we have to do is:

} elseif (crypt($pass, $row['pass']) == $row['pass']) {

Answer 4

There are few steps you need here..this tutorial will help however: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Essentially you want to have the password encrypted in the database - eg. so if the password as 'mypassword' it would be stored in some random string like '3ifdgk5ty=-dlsfs'.

Read up on sha1 (md5 is no longer considered secure). Never used crypt myself however sha1() seems to do the job for me when used in conjunction with a salt (an additional text string added to the password to make it harder to break hack)

Answer 5

You can not decrypt it, because hash is one way. So you can not obtain the original input via hash. You can not reveal users passwords even if you have access to the database.

It is being used like this: user writes password into input -> submits form -> password goes into database like following:

sha1($_POST['password']);

then you store this hashed password in database.

Whenever user wants to log in, he submits form again and it does this logic ($result['password']) comes from the database query:

if(sha1($_POST['password']) == $result['password']) {
  //password match, so lets log you -> set sessions, cookies and so on
}