Secure Password Retrieval: Beyond Encryption and Hashing
Storing sensitive information such as passwords poses a particular challenge when the original value must be retrieved later. Encrypting data for later retrieval can seem counterintuitive, since the essence of encryption lies in making data inaccessible. However, a well-defined encryption and decryption strategy can overcome this hurdle.
In PHP, a hash function such as bcrypt cannot be used for passwords that must be retrieved, because hashing is a one-way conversion and the original cannot be recovered. To address this, use reversible encryption that lets you retrieve the original password while preserving its security.
A Comprehensive Encryption Solution
To securely encrypt and decrypt passwords, consider the following PHP code:
$key = 'password to (en/de)crypt';
$string = ' string to be encrypted ';

// Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2.

// Encryption: generate a random IV and prepend it to the ciphertext
$iv = mcrypt_create_iv(
    mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
    MCRYPT_DEV_URANDOM
);
$encrypted = base64_encode(
    $iv .
    mcrypt_encrypt(
        MCRYPT_RIJNDAEL_128,
        hash('sha256', $key, true), // 32-byte key derived from $key
        $string,
        MCRYPT_MODE_CBC,
        $iv
    )
);

// Decryption: split off the IV, decrypt the rest, strip mcrypt's zero-byte padding
$data = base64_decode($encrypted);
$iv = substr($data, 0, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC));
$decrypted = rtrim(
    mcrypt_decrypt(
        MCRYPT_RIJNDAEL_128,
        hash('sha256', $key, true),
        substr($data, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)),
        MCRYPT_MODE_CBC,
        $iv
    ),
    "\0"
);
Essential Considerations
It's important to note that the provided code encrypts information but does not authenticate the ciphertext to prevent tampering. For enhanced security, it's recommended not to rely solely on unauthenticated encryption.
Caution: Encryption Key Security
Never use a "password" as an encryption key; encryption keys should be random strings.