
encryption is this a good way to do it (PHP)

Jonny
Solved by CharlieH

Was looking into encryption and thinking of making a new one for my site, which uses sha512 and a salt

function TalkPHP_Encrypt($szString)
{
    $szString = str_rot13($szString);
    $szString = md5($szString);
    $szString = substr($szString, 5, 15);
    return $szString;
}

Is that a good way to encrypt passwords, as I don't want to be able to decrypt it?

Guess it is, but I heard that I'm better off with something like bcrypt

Our Lord and Saviour Chunt!!!

I own a VPS so I'll be fine :)

Our Lord and Saviour Chunt!!!

I own a VPS so I'll be fine :)

In that case, I'd definitely go with the 5.5 functions. They make it a lot easier, and also use secure algorithms.

 

Unless you have a very firm understanding of cryptography, you're always best using an existing method rather than coming up with your own solution.

I upgraded but my Ubuntu 12.04 didn't like it so I'll have to think of another way.

(zpanel does not work too well on 5.5 at the moment :S)

Do you understand it? I don't get the cost part and the salt, as the salt just goes in the middle lol, and from what I learnt about a salt it's not meant to be shown in the finished product :S

var_dump(password_hash("rasmuslerdorf", PASSWORD_BCRYPT, array("cost" => 7, "salt" => "useso2mesillystringfor")));

Our Lord and Saviour Chunt!!!

I upgraded but my Ubuntu 12.04 didn't like it so I'll have to think of another way. Do you know how to install on non 5.5?

(zpanel does not work too well on 5.5 at the moment :S)

If you let me know exactly what the problem with 5.5 was then I may be able to help you with getting that working properly. Failing that, the compat library that I linked to in my previous post has pretty good documentation, and the installation is explained right here. Personally I haven't used that library, but it seems fairly straightforward, so I could probably give you a hand if you get stuck on it.

I edited my post above :S

The info on it is a bit crap but I'm sure we can work it out :)

Using it in my CMS as Sha512 is not good enough :S as it will sort my company's details etc, don't want people

Our Lord and Saviour Chunt!!!

I edited my post above :S

The info on it is a bit crap but I'm sure we can work it out :)

Using it in my CMS as Sha512 is not good enough :S as it will sort my company's details etc, don't want people

Ah, my apologies, I replied before seeing the edit. Storing the salt along with the hash isn't a problem since you would need it to be able to reproduce the hash regardless of implementation. The cost is an option to basically change the effort needed to hash the string. However, the library (and the 5.5 spec) provide reasonable defaults for this, meaning that all you need to do to hash a password is something like:

$hash = password_hash($password, PASSWORD_BCRYPT);

 

Then to check the password, use the password_verify() function, as shown under the 'verifying passwords' section on the gist I linked to a few posts ago.

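The salt and cost questions above, as an added example that is not part of the original thread: it splits a bcrypt hash into its cost, salt and digest fields, verifies a password against it, and re-hashes at a new cost after a successful login. The sample password and the helpers `describe_bcrypt()` and `check_login()` are constructed for illustration; `password_hash()`, `password_verify()` and `password_needs_rehash()` are the PHP 5.5 functions discussed in the thread.

```php
<?php
// Added example (not from the thread). Needs PHP 5.5+ or the compat library.

// Split a bcrypt hash into its fields: "$2y$" . cost . "$" . salt(22) . digest(31).
function describe_bcrypt($hash)
{
    $re = '/^\$(2[axy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt hash
    }
    return array('version' => $m[1], 'cost' => (int) $m[2],
                 'salt' => $m[3], 'digest' => $m[4]);
}

// Verify a login attempt; on success, re-hash if the stored hash was not
// made with $targetCost. Returns array(bool $ok, string $hashToStore).
function check_login($password, $storedHash, $targetCost)
{
    if (!password_verify($password, $storedHash)) {
        return array(false, $storedHash);
    }
    $options = array('cost' => $targetCost);
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        $storedHash = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return array(true, $storedHash);
}

$password = 'correct horse battery staple'; // constructed sample value

// No salt option: password_hash() generates a fresh random salt per call,
// so hashing the same password twice gives two different strings.
$first  = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
$second = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
var_dump($first === $second);

// The cost and salt are readable in the stored string; password_verify()
// reads them from there to recompute and compare the digest.
print_r(describe_bcrypt($first));

var_dump(check_login('wrong guess', $first, 10));

// Raising the target cost later re-hashes on the next successful login.
list($ok, $upgraded) = check_login($password, $first, 12);
$info = describe_bcrypt($upgraded);
var_dump($ok, $info['cost']);
```

The `salt` option shown earlier in the thread was deprecated in PHP 7.0 and is ignored from PHP 8.0, so letting `password_hash()` generate the salt is the supported path.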

Topic carried on via email

Our Lord and Saviour Chunt!!!
