Reversable Encryption OR Storing Passwords online

[PoorDoggie]

I need to store people's passwords online in a mysql database. The point is that they need to be able to be "got back".

ie: user x logs in and then it gets another of his passwords that he gave us, from a mysql database.

obviouslly to bring up the the second password it means that I can't store it in md5 format because that is irreversible (i think).

Is there any way of making those passwords secure with the option of getting them back?

Thanks
Tom

 

[abdulmueid]

From what i've read, mcrypt and base64 use a fixed algorithm for encrypting data so they know that by reversing that algo, it is decrypted.

Now a hash like MD5 generates a random algorithm at the time of encryption, encrypts the string and now the algorithm doesn't exist anymore.. therefore irreversible. Correct me if I am wrong.. someone.

 

[PoorDoggie]

wow, that is absolutely ingenious! I would never have thought of that.

Theoretically, that algorithm is reversible if found out though right?

I am thinking if there is anyway of doing something like that, but then with a reversible function. Maybe storing an encryption key in the string or something? I suppose it will still be reversible, but then again the more ambiguous, the more secure right?

 

[abdulmueid]

A hash is definately more secure than anything else... but I would still prefer to have my own algorithm.

And yes, the more ambiguous, the more secure..

 

[nasaboy007]

Now a hash like MD5 generates a random algorithm at the time of encryption, encrypts the string and now the algorithm doesn't exist anymore.. therefore irreversible. Correct me if I am wrong.. someone.

how could that be? if it made a new algorithm each time, it would not get the same result from the same input text each time.

I am thinking if there is anyway of doing something like that, but then with a reversible function. Maybe storing an encryption key in the string or something? I suppose it will still be reversible, but then again the more ambiguous, the more secure right?

as for that, how about u just pick like the 2nd letter (or better yet, make it like the second to last letter so that it changes depending on the length of the actual password) and convert that into binary. then once thats binary i guess u cud convert that back into its numerical value rather than text and use that as ur key value. of course, this number will most likely be INSANELY GINORMOUSLY LARGE for the purpose of base64 multiple times. so i suggest then taking that base 10 (decimal) value and subjecting it to various mathematical functions that will bring it down to a smaller value if it is over a certain value. of course, if the number comes down to something less than 10 (or w/e) it sumwhat defeats the purpose of doing all this since u wanted to generate a key that would be hard to brute force...

well if there was a better way to encode (much much faster) than base64, that method above (minus the whole make the humongous number smaller thing) would probably be the best bet.


as for decrypting it... ehhhhhhhhh


damn it i did all that work and realized that it would be impossible (or next to impossible) to decode that sort of encryption without the original password...

well unless sum1 can think of one, cuz my brain is fried X_X


but hey thats a good idea :P

 

[PoorDoggie]

lol - I think I will just take a key and do hurrendous mathematical stuff to it, and then base64 it a few times depending on the size of the resulting number! lol - a long string is a little bit OTT maybe.

 

[Shorty]

I was thinking yesterday, that if you did a few random string manipulation things and character replacements before you md5() the string, it would be a million times more secure...because, when the hacker brute forces the hash, instead of getting the password he'll get the manipulated version, and they'd still have to know what replaces what before they get the original...

And now that I think about that...imagine having a set of string replacements, then md5()'ing it, THEN manipulating the hash AGAIN and then md5()'ing it again...

 

[PoorDoggie]

kinda like my base64 method, but with md5? Thats a good idea, just to make it that little bit more secure. What I have done in the past is taken the first 16 letters of an md5 string and put them at the end. This way the string is different, but it also means more php code, and less efficient code.

 

[nasaboy007]

but i thot the whole point of this was to make it decryptable... whats the point of using md5 if u cant decrypt that?

 

[Tree]

Just so you know, md5 is way more efficient than base64. Multiple instances anyways. On my server it seems to be different.

http://www.ncisolutions.com/misc/base64_md5.php

Try it out on your own server:

<?php 
function dbConnect(){
	mysql_connect("localhost","*************","******")
		or die("Couldn't connect to the database because ".mysql_error());
	mysql_select_db("*************")
		or die("Couldn't select database because ".mysql_error());
}

function randomChar($length)
{
$password = "";
$possible = "0123456789abcdefghijklmnopqrstuvwxyz";
$i = 0;
while ($i < $length) {
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
if (!strstr($password, $char)) {
$password .= $char;
$i++;
}

}
return $password;
}
$string = randomChar(rand(7,rand(8,rand(9,rand(rand(15,21),rand(22,37))))));
for ($i=0;$i<50;$i++){
$timeparts = explode(' ',microtime());
$thetime = $timeparts[1].substr($timeparts[0],1);

$md5_string = md5($string);

$timeparts = explode(' ',microtime());
$starttime = $timeparts[1].substr($timeparts[0],1);
$timeparts = explode(' ',microtime());
$endtime = $timeparts[1].substr($timeparts[0],1);
$difference[$i] = bcsub($endtime,$starttime,6);
}
$md5_endtime = (array_sum($difference))/50;

for ($i=0;$i<50;$i++){
$timeparts = explode(' ',microtime());
$thetime = $timeparts[1].substr($timeparts[0],1);

$base64_string = base64_encode($string);

$timeparts = explode(' ',microtime());
$starttime = $timeparts[1].substr($timeparts[0],1);
$timeparts = explode(' ',microtime());
$endtime = $timeparts[1].substr($timeparts[0],1);
$difference[$i] = bcsub($endtime,$starttime,6);
}
$base64_endtime = (array_sum($difference))/50;

echo "<b>Original String:</b>".$string."<br><br>";
echo "<b>Final md5 Time:</b> ";
echo number_format($md5_endtime, 70, '.', '');
echo "<br>";
echo "Final md5 String: ";
echo $md5_string;
echo "<br><br><b>Final base64 Time:</b> ";
echo number_format($base64_endtime, 70, '.', '');
echo "<br>";
echo "Final base64 String: ";
echo $base64_string;
echo "<br><br><b>Fastest:</b> ";
dbConnect();
if ($md5_endtime < $base64_endtime) 
{
	echo "MD5 <br><b>By</b> ".number_format($base64_endtime-$md5_endtime, 70, '.', '')." <b>seconds</b>.";
	$query = mysql_query("SELECT * FROM `base64_md5`");
	$row = mysql_fetch_array($query);
	$newval = $row['md5']+1;
	mysql_query("UPDATE `base64_md5` SET `md5` = '$newval' WHERE `id` =0 LIMIT 1 ;");
}
if ($md5_endtime > $base64_endtime) 
{
	echo "Base64 <br><b>By</b> ".number_format($md5_endtime-$base64_endtime, 70, '.', '')." <b>seconds</b>.";
	$query = mysql_query("SELECT * FROM `base64_md5`");
	$row = mysql_fetch_array($query);
	$newval = $row['base64']+1;
	mysql_query("UPDATE `base64_md5` SET `base64` = '$newval' WHERE `id` =0 LIMIT 1 ;");
}
echo "<center><b><br><br>Total Wins</b><hr></center><br><br>";
$query = mysql_query("SELECT * FROM `base64_md5`");
$row = mysql_fetch_array($query);
echo "<b>MD5:</b> ".$row['md5']."<br>";
echo "<b>Base64:</b> ".$row['base64'];
echo "<br><br><b>Last Calculation:</b> ".$row['date'];
mysql_query("UPDATE `base64_md5` SET `date` = '".date("Y-m-d h:i:s")."' WHERE `id` =0 LIMIT 1 ;"); 
mysql_close();

Someone else from NamePros originally gave me this script. I can't remember who it was, sorry. I did make some modifications though.

Thanks to t.m. for the random characters function.

*Added database functionality to track wins/losses

 

[PoorDoggie]

nope... base64 is more efficient, it has won way more times...

Just so you know, md5 is way more efficient than base64

nasaboy: I wan't using md5 as an encryption option, but merely explaining methods of storage I have used in the past.

Tom

 

[Tree]

Multiple instances of md5, I believe, is faster than multiple instances of base64. But it may be server-specific. I don't know. That's why I want people to try the code themselves.