This is a discussion on Two way encryption with PHP - some libraries for doing this? within the alt.comp.lang.php forums, part of the PHP Programming Forums category.

Hi All,

Up until now I have been storing passwords in the database as an sha1 hash. I like doing it this way, but a problem arises with people who forget their passwords - I cannot retrieve it for them.

The simplest option would be cleartext passwords. Easy enough. But what I would prefer to do is some sort of two-way encryption, so I can encrypt the passwords, store them in the database, and then get them back. Are there any PHP libraries out there that can do this? I have thought about rolling my own, but do not want to duplicate somebody else's effort.

A cursory look for this sort of thing returned only one-way (hashing) encryption techniques. This leaves me back where I was, having to reset users' passwords, rather than emailing it back to them.

I am not running a banking application here, so I am not too paranoid about security. But, it would be nice to have some reasonable level of encryption that is harder than rot13 to break.

Thoughts?

-Josh

http://us2.php.net/manual/en/ref.mcrypt.php

"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message news:<_tAic.65561$L31.5100@nwrddc01.gnilink.net>...
> Hi All,
>
> Up until now I have been storing passwords in the database as an sha1 hash.
> I like doing it this way, but a problem arises with people who forget their
> passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough. But what I
> would prefer to do is some sort of two-way encryption, so I can encrypt the
> passwords, store them in the database, and then get them back. Are there
> any PHP libraries out there that can do this? I have thought about rolling
> my own, but do not want to duplicate somebody else's effort.
>
> A cursory look for this sort of thing returned only one-way (hashing)
> encryption techniques. This leaves me back where I was, having to reset
> users' passwords, rather than emailing it back to them.
>
> I am not running a banking application here, so I am not too paranoid about
> security. But, it would be nice to have some reasonable level of encryption
> that is harder than rot13 to break.
>
> Thoughts?
>
> -Josh

Hi Joshua,

two possible solutions:

1) have people remember their passwords or they will have to live with new ones.
2) or start up a bank. :)

P.S. You may wanna store passwords in plaintext since you are not running a bank. If the database gets compromised the attacker will very likely not be interested in your passwords (since s/he already possesses system wide access)

Best Regards,
Lucas

"Joshua Beall" <jbeall@donotspam.remove.me.heraldic.us> wrote in message news:<_tAic.65561$L31.5100@nwrddc01.gnilink.net>...
> Hi All,
>
> Up until now I have been storing passwords in the database as an sha1 hash.
> I like doing it this way, but a problem arises with people who forget their
> passwords - I cannot retrieve it for them.
>
> The simplest option would be cleartext passwords. Easy enough. But what I
> would prefer to do is some sort of two-way encryption, so I can encrypt the
> passwords, store them in the database, and then get them back. Are there
> any PHP libraries out there that can do this? I have thought about rolling
> my own, but do not want to duplicate somebody else's effort.
>
> A cursory look for this sort of thing returned only one-way (hashing)
> encryption techniques. This leaves me back where I was, having to reset
> users' passwords, rather than emailing it back to them.
>
> I am not running a banking application here, so I am not too paranoid about
> security. But, it would be nice to have some reasonable level of encryption
> that is harder than rot13 to break.
>
> Thoughts?
>
> -Josh
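
The reversible ("two-way") encryption asked about in the first post, as an added example that is not code from any poster in this thread. It assumes PHP 7.2+ with the bundled sodium extension, used here in place of the mcrypt extension linked above (mcrypt was deprecated in PHP 7.1 and removed from core in 7.2). The function names `encrypt_field` and `decrypt_field` are hypothetical, and the key is assumed to be stored outside the database, since anyone holding both the key and the rows can decrypt every value.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.2+ with ext/sodium.

/** Encrypt $plaintext for a text column; returns base64(nonce || ciphertext). */
function encrypt_field(string $plaintext, string $key): string
{
    // Fresh random nonce per value; it is not secret and travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Reverse encrypt_field(); throws if the value is malformed, altered, or from another key. */
function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce      = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // The authentication tag did not verify: never hand back unauthenticated bytes.
        throw new RuntimeException('authentication failed');
    }
    return $plaintext;
}

// Constructed demo values. A real key is generated once and loaded from a location
// outside the database (assumption: a config file readable only by the application).
$key    = sodium_crypto_secretbox_keygen();
$stored = encrypt_field('correct horse battery staple', $key);

// Round trip recovers the original string.
var_dump(decrypt_field($stored, $key) === 'correct horse battery staple');

// The same input encrypts to a different value each time because of the random nonce.
var_dump(encrypt_field('x', $key) !== encrypt_field('x', $key));

// Flip one bit of the stored value: decryption fails instead of returning garbage.
$raw     = base64_decode($stored, true);
$raw[30] = chr(ord($raw[30]) ^ 1);
try {
    decrypt_field(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'tamper detected: ', $e->getMessage(), "\n";
}
```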