Reversible Encryption OR Storing Passwords online

05-20-2006, 11:18 AM   THREAD STARTER   #1 (permalink)
PoorDoggie

I need to store people's passwords online in a mysql database. The point is that they need to be able to be "got back".

i.e. user x logs in and then it gets another of his passwords that he gave us, from a MySQL database.

Obviously, to bring up the second password it means that I can't store it in md5 format, because that is irreversible (I think).

Is there any way of making those passwords secure with the option of getting them back?

Thanks
Tom

05-20-2006, 12:53 PM   #2 (permalink)
Shorty

Simple answer: It's impossible to "securely" encrypt a password.

Your best bet is doing lots of string manipulation algorithms, and then doing the reverse when looking to get them back. Discover an efficient and reversible way to store passwords securely and they'll give you a Nobel prize.

05-20-2006, 12:58 PM   #3 (permalink)
Xonium

What are those second passwords used for?

05-21-2006, 06:43 AM   #4 (permalink)
sdsinc

Tom,

I will give you my suggestion: use a non-reversible password hash (with md5 or sha1); if users forget their password, instead of sending a reminder to their e-mail, assign a new one.
It's quite easy: you generate a random string, make a hash of it, update the record and send the random string to their e-mail as the new password. (I assume your site has a way for users to change their password to something else if they wish.)

05-21-2006, 09:25 AM   THREAD STARTER   #5 (permalink)
PoorDoggie

Originally Posted by Xonium
What are those second passwords used for?
I cannot tell you, but for instance, let's say that Ebay had an API which meant that I could get a user's information off their servers and ebid also have a site which could do that too. I would make a website that would allow users to manage their ebay and ebid accounts in one place. This would require me to store their ebay and ebid usernames and passwords.

I have spoken to my host and they assure me that their servers are highly secured, and are behind firewalls only allowing requests through from MY site, but I just wanted some added peace of mind. I am working on string manipulation techniques though.

Thanks
Tom

05-21-2006, 11:45 AM   #6 (permalink)
nasaboy007

well i did something like this recently, but its really slow and unoptimized cuz i just made it for the idea rather than for optimization.

http://www.namepros.com/programming/...ml#post1172402


also, i dont know how u wud determine the "key" string just by the password. unless u count the number of chars in the password and use that number as ur "key" value.

then to decode it, i guess u cud count the number of chars in each and have an algorithm that can determine the number of times something was base64ed (or w/e) and undo it... its a blurry idea, and i dont even know if it can be done, but its worth a try.

05-21-2006, 04:26 PM   #7 (permalink)
abdulmueid

nasaboy007: That script is quite neat indeed, but the problem is that base64 is reversible, very easily, so if someone gets access to the database with base64 encoded passwords, it will be easy to decode them.

PoorDoggie: If I were you and I wanted some serious security with the passwords, I would let the users have numerical passwords only and manipulate them using a custom algorithm. The algorithm would be made up of reversible mathematical functions i.e. sin/cos, exponential formulas, etc in an ordered sequence which only you/coder knows. The final result would then be saved in the database.

And really, If I had the time to read-up my old textbooks and do some coding, I would've followed the above method myself.

05-22-2006, 10:43 AM   THREAD STARTER   #8 (permalink)
PoorDoggie

hmm, the problem is that the passwords I am storing are for external websites, and people may not want to have a completely numerical password.

Can anyone think of a way of converting a string completely to a numerical value? You could use place in the alphabet (ie: a=1 b=2 ... z=26) but then again, there is no way to distinguish between text and real numbers and parts of text (eg: 26 could be either "z" or "bf")

hmm... any ideas?

Unless anyone comes up with anything better than this, then this will do.

I really would like to try out encrypting, and will get started on a script to try and reversibly encrypt a string.

Tom

05-22-2006, 11:19 AM   #9 (permalink)
Shorty

Code:
// Encode: each letter is replaced by its alphabet position plus a trailing dot
$replacethis[0] = '/a/i';
$withthis[0] = '1.';

$replacethis[1] = '/b/i';
$withthis[1] = '2.';

// All the way up to:
$replacethis[25] = '/z/i';
$withthis[25] = '26.';

$encryptedpass = preg_replace($replacethis, $withthis, $password);

// So if $password contains abz
// $encryptedpass is 1.2.26.
And that's that, to convert back you just do:

Code:
// Decode: "\." matches a literal dot (a bare "." matches any character), and
// (?<!\d) keeps '1.' from matching the tail of '11.' or '21.'
$replacethis[0] = '/(?<!\d)1\./i';
$withthis[0] = 'a';

$replacethis[1] = '/(?<!\d)2\./i';
$withthis[1] = 'b';

// All the way up to:

$replacethis[25] = '/(?<!\d)26\./i';
$withthis[25] = 'z';

$originalpass = preg_replace($replacethis, $withthis, $encryptedpass);
Bear in mind you will want to create replacements for non alphanumeric letters too. And the "i" tagged on the end of the $replacethis array means it will replace both a & A, non case sensitive.

Hope that helps a bit.

05-22-2006, 11:35 AM   #10 (permalink)
MrBarby

Try something like RC4... it's pretty secure:
http://www.phpclasses.org/browse/file/14074.html

Also look at the mcrypt function on PHP.net.

As long as the server is 'unhackable' then you're fairly secure, even if the SQL is flaky and has allowed someone to dump the table.

05-22-2006, 12:16 PM   THREAD STARTER   #11 (permalink)
PoorDoggie

hey, did have a go! see if anyone can crack this: http://www.6yd.net/encryption/

in fact, I am so confident that no-one can crack it, I am willing to bet ALL my NP$ that no-one can!

(now am off to revise! bye!)

05-22-2006, 03:18 PM   #12 (permalink)
abdulmueid

PoorDoggie: I am pretty sure that site is using the MCRYPT hash to encode and decode the string. I did a little reading on that, it is actually better than base64 in my opinion since you need a "key" to unlock the cipher. Pretty smart stuff.

www.php.net/mcrypt

05-22-2006, 03:41 PM   #13 (permalink)
nasaboy007

oh yeah mcrypt...

ohhh now i remember y i didnt use that. it was simply for the sake that i didnt wanna install the mcrypt stuff since it didnt come standard.


if u wanna go with the convert-to-number-and-perform-math-algorithm i suggest u convert to binary (or some other base, i just like binary hehe) and then do it. google "php text to binary converter" and the first hit should have the source of their script posted up there. use that as a guideline if u dont noe where to start.

05-22-2006, 04:20 PM   THREAD STARTER   #14 (permalink)
PoorDoggie

It's not using mcrypt - but I will look into it!

05-22-2006, 05:17 PM   #15 (permalink)
Shorty

The point is, if you use a standard cypher then anybody can use a standard decypher. There isn't much point in it; if someone wants a password that's encrypted rather than hashed, they can easily get it.

05-22-2006, 05:25 PM   #16 (permalink)
Jim_

Here's an idea: Encrypt/decrypt the passwords with blowfish using a secret key. Just make sure you encrypt the portion of php code where you declare the key using a fancy encoder.

05-23-2006, 12:28 AM   #17 (permalink)
-Nick-

Write your own function to encrypt and decrypt these passwords. Even a simple algo will be very hard to guess for a guy who knows nothing about it.

If you want some ready made algos then let me know; I have written some for my personal use on my websites.

05-23-2006, 02:26 PM   #18 (permalink)
nasaboy007

noob question: whats the difference between an encryption and a hash? why is one more secure than the other? is it in the way they are made?

05-23-2006, 02:53 PM   #19 (permalink)
abdulmueid

nasaboy007: Hash means one way encryption and encryption is, well you know, encryption.

05-24-2006, 02:57 AM   #20 (permalink)
MikeBigg

How about Alexander Pukall's PC1 algorithm?

http://membres.lycos.fr/pc1/

It is not aimed specifically at passwords, but may do the trick for you.

Sources are there, but not for PHP.

I have put a simple tester program (it is a windows app) up so you can have a play and see what you think. You can get it from:

http://www.upload2go.com/pc1/pc1_tester.zip

Mike
Last edited by MikeBigg; 05-24-2006 at 03:04 AM.

05-24-2006, 07:50 AM   #21 (permalink)
Shorty

Originally Posted by abdulmueid
nasaboy007: Hash means one way encryption and encryption is, well you know, encryption.
Haha, well put, but let me elaborate a little.

Hashing is a method of encryption where there isn't a way to decrypt. However, if you get your hands on a hash, you can always "brute force" it. This means basically putting it into a program where it checks the hashed string against a giant list. (If you hash the same thing twice it will always have the same hashed result.)

And that is why having dictionary words as a password makes it weak. The first thing a brute forcer will do is check it against a dictionary list for a match, and then move onto number combinations.

Which means if your password is a combination of upper case, numbers, lower case and irregular characters, they would have to be running your password against a list infinitely large, which your average computer would take months or even years to crack.

05-24-2006, 10:37 AM   THREAD STARTER   #22 (permalink)
PoorDoggie

Ok guys - here is the code, if you wanted to know:
PHP Code:
<?php

function encrypt($str, $key){
  for($i = 0; $i < $key; $i++){
    // we want to encrypt each letter as many times as the $key val
    $n = 0;
    $newstr = "";
    // $str[$n] replaces the original $str{$n}, which PHP 8 no longer accepts
    while(isset($str[$n])){
      $newstr .= "!".base64_encode($str[$n]);
      $n++;
    }
    $str = base64_encode($newstr);
  }
  return $str;
}

function decrypt($str, $key){
  for($i = 0; $i < $key; $i++){
    $str = base64_decode($str);
    $n = 0;
    $newstr = "";
    $bits = explode("!", $str); // we have split the string into separate letters
    $fullstr = "";
    while(isset($bits[$n])){
      // decode a letter at a time
      $letter = base64_decode($bits[$n]);
      $fullstr .= $letter;
      $n++;
    }
    $str = $fullstr;
  }
  return $str;
}

if(isset($_POST['key']) && isset($_POST['str']) && isset($_POST['mode']) && ($_POST['mode'] == "encrypt" || $_POST['mode'] == "decrypt")){
  // we have vars
  $key = (int) $_POST['key']; // the "key" is a round count, so force it to an integer
  $str = $_POST['str'];
  $str = str_replace("!", "", $str);
  $mode = $_POST['mode'];
  // the result is built from user input, so it is HTML-escaped before output
  ?>
    <table>
      <tr>
        <td><textarea style="width: 850; height: 400" onFocus="this.select()"><?php if($mode == "encrypt"){ echo htmlspecialchars(encrypt($str,$key)); } else { echo htmlspecialchars(decrypt($str,$key)); } ?></textarea></td>
      </tr>
    </table>
  <?php
}
else{
  // PHP_SELF can carry user-supplied path data, so it is escaped as well
  ?>

    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" onSubmit="if(key.value>10){alert('Sorry, please keep the value of the key below 5, thanks.');key.value='5'};">

      String: <input name="str" /><br />
      KeyVal: <input name="key" /><br />
      Mode:&nbsp;&nbsp; <select name="mode"><option value="encrypt">Encrypt</option><option value="decrypt">Decrypt</option></select><br />
      Submit: <input type="submit" value="Do it!" />

    </form>

  <?php
}

?>
Storing keys in a separate database may make it more secure, or you could write some algorithm for storing the "key". Key in this case just means how many times you want it encrypted that way.

The only point I would mention is that the longer the string and the higher the "key" the longer the resulting string and therefore will take up more space in the database.

Just a question regarding hashes... - how can they be unreversible? surely that is impossible right?

05-24-2006, 02:56 PM   #23 (permalink)
abdulmueid

PoorDoggie: Your script is basically base64 on steroids (with keys). Actually it is still possible to reverse it by trying various keys.

MD5 is an irreversible hash. There is no real way to reverse it except to use methods like brute-force or dictionary attack, which is basically guessing and encrypting different combinations of alphabets and numbers and matching it with the encrypted string until the right combination is found.
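
abdulmueid's point in #23, shown as an added example that is not code from the thread: the "key" is only a round count and every layer has a fixed, recognisable shape, so a stored value can be unwrapped by anyone who holds it, without the key. `layered_encode()` is a compact re-implementation of the `encrypt()` posted in #22, used only to build a constructed sample; the function names are hypothetical.

```php
<?php
// Added example, not from the thread.

// Compact re-implementation of the encrypt() posted in #22, used here only
// to produce a constructed sample value.
function layered_encode(string $plain, int $rounds): string
{
    $s = $plain;
    for ($i = 0; $i < $rounds; $i++) {
        $tagged = '';
        foreach (str_split($s) as $byte) {
            $tagged .= '!' . base64_encode($byte);   // one byte -> "XX=="
        }
        $s = base64_encode($tagged);
    }
    return $s;
}

// Unwraps a stored value without being told the round count. After the outer
// base64 is removed, a genuine layer is a run of "!" + 2 base64 chars + "==",
// so the loop keeps peeling while that shape holds and stops when it does not.
// Caveat: a password that happens to be the base64 of such a run would be
// peeled one round too far, so 'rounds' is an upper bound.
function peel_layers(string $stored): array
{
    $layer = '/^(?:![A-Za-z0-9+\/]{2}==)+$/D';
    $s = $stored;
    $rounds = 0;
    while (true) {
        $outer = base64_decode($s, true);
        if ($outer === false || !preg_match($layer, $outer)) {
            break;
        }
        $s = '';
        foreach (explode('!', substr($outer, 1)) as $piece) {
            $s .= base64_decode($piece, true);
        }
        $rounds++;
    }
    return ['rounds' => $rounds, 'plaintext' => $s];
}

$stored = layered_encode('s3cret-Pa55', 3);   // constructed sample, "key" = 3
$found  = peel_layers($stored);

printf("stored value: %d bytes for an 11-byte password\n", strlen($stored));
printf("rounds found: %d\n", $found['rounds']);
printf("recovered:    %s\n", $found['plaintext']);
```
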

05-24-2006, 03:15 PM   #24 (permalink)
nasaboy007

but i dont understand, if the same cleartext input will always have the same hash, there must be SOME function/algorithm that the program is performing in order to get the hash, otherwise it would always be different. therefore, y can't sum1 just figure out this algorithm (example: that md5 uses) and just reverse it?

05-24-2006, 03:16 PM   THREAD STARTER   #25 (permalink)
PoorDoggie

although potentially reversible, I am sure that that kinda encryption would be good enough for my site. I may look at mcrypt though. I thought my script was quite cool - it takes each letter of a string and base64 encodes each of them. It then keeps doing that with the latest encrypted string as many times as the "key" variable dictates. I think it would be very hard to try and decypher without the algorithm.

what is a hash exactly? and repeating my question above, how can it be irreversible? surely if it goes one way, it can come back?
Closed Thread
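
The two storage modes the thread keeps contrasting, as an added example that is not any poster's code: a keyed, authenticated cipher for third-party passwords that must be read back (the secret-key idea from #16), and a one-way salted hash for the site's own login password (the idea from #4). It swaps in PHP's sodium secretbox for blowfish/mcrypt (mcrypt was removed from PHP in 7.2) and `password_hash()` for bare md5/sha1; the `CRED_KEY_B64` environment variable and the function names are assumptions.

```php
<?php
// Added example, not from the thread. Needs the sodium extension (PHP >= 7.2).

// Assumption: a base64-encoded 32-byte key is supplied outside the database
// in the environment variable CRED_KEY_B64 (hypothetical name). If it is
// absent, a throwaway key is generated so the demo still runs.
function load_key(): string
{
    $b64 = getenv('CRED_KEY_B64');
    $key = ($b64 === false) ? sodium_crypto_secretbox_keygen()
                            : base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('encryption key missing or wrong length');
    }
    return $key;
}

// Reversible storage for credentials that must be replayed to another site.
// A fresh random nonce per record is stored in front of the ciphertext.
function seal_credential(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Returns the plaintext, or throws if the key is wrong or the row was altered.
function open_credential(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong key or modified ciphertext');
    }
    return $plain;
}

$key = load_key();
$row = seal_credential('third-party-pass!', $key);       // constructed sample
echo "DB column:   $row\n";
echo "read back:   ", open_credential($row, $key), "\n";

// Same plaintext sealed twice gives different rows (random nonce).
echo "rows equal:  ", var_export(seal_credential('x', $key) === seal_credential('x', $key), true), "\n";

// A dumped table cannot be decrypted with any other key: opening fails outright.
try {
    open_credential($row, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo "other key:   ", $e->getMessage(), "\n";
}

// One-way storage for the site's own login password: verification re-hashes
// the candidate, nothing is ever decrypted.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
echo "login ok:    ", var_export(password_verify('correct horse', $hash), true), "\n";
echo "login bad:   ", var_export(password_verify('wrong guess', $hash), true), "\n";

// Why a hash cannot "come back": inputs of any length map to a fixed-size
// digest, so most of the input is discarded.
echo strlen(hash('sha256', 'a')), ' ', strlen(hash('sha256', str_repeat('a', 100000))), "\n";
```
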

