Best way to use PHP to encrypt and decrypt passwords? [duplicate]

by

You should not encrypt passwords, instead you should hash them using an algorithm like bcrypt. This answer explains how to properly implement password hashing in PHP. Still, here is how you would encrypt/decrypt:

$key = 'password to (en/de)crypt';
$string = ' string to be encrypted '; // note the spaces

To Encrypt:

$iv = mcrypt_create_iv(
    mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
    MCRYPT_DEV_URANDOM
);

$encrypted = base64_encode(
    $iv .
    mcrypt_encrypt(
        MCRYPT_RIJNDAEL_128,
        hash('sha256', $key, true),
        $string,
        MCRYPT_MODE_CBC,
        $iv
    )
);

To Decrypt:

$data = base64_decode($encrypted);
$iv = substr($data, 0, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC));

$decrypted = rtrim(
    mcrypt_decrypt(
        MCRYPT_RIJNDAEL_128,
        hash('sha256', $key, true),
        substr($data, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)),
        MCRYPT_MODE_CBC,
        $iv
    ),
    "\0"
);

Warning: The above example encrypts information, but it does not authenticate the ciphertext to prevent tampering. You should not rely on unauthenticated encryption for security, especially since the code as provided is vulnerable to padding oracle attacks.

See also:

Also, don’t just use a “password” for an encryption key. Encryption keys are random strings.

Demo at 3v4l.org:

echo 'Encrypted:' . "\n";
var_dump($encrypted); // "m1DSXVlAKJnLm7k3WrVd51omGL/05JJrPluBonO9W+9ohkNuw8rWdJW6NeLNc688="

echo "\n";

echo 'Decrypted:' . "\n";
var_dump($decrypted); // " string to be encrypted "

More Related Contents:

  1. mcrypt is deprecated, what is the alternative?
  2. How to add/remove PKCS7 padding from an AES encrypted string?
  3. Upgrading my encryption library from Mcrypt to OpenSSL
  4. MCrypt rijndael-128 to OpenSSL aes-128-ecb conversion
  5. Decrypting strings in Python that were encrypted with MCRYPT_RIJNDAEL_256 in PHP
  6. Mcrypt js encryption value is different than that produced by PHP mcrypt / Mcrypt JS decrypt doesn’t work for UTF-8 chars
  7. How do you Encrypt and Decrypt a PHP String?
  8. How to encrypt/decrypt data in php?
  9. Two-way encryption: I need to store passwords that can be retrieved
  10. Preparing for removal of Mcrypt in PHP 7.2
  11. PHP AES encrypt / decrypt
  12. Best solution to protect PHP code without encryption
  13. Encrypting / Decrypting file with Mcrypt
  14. Replace Mcrypt with OpenSSL
  15. Encryption in JavaScript and decryption with PHP
  16. Is it possible to hide/encode/encrypt php source code and let others have the system?
  17. mcrypt_encrypt to openssl_encrypt, and OPENSSL_ZERO_PADDING problems
  18. PHP7.1 mcrypt alternative
  19. Cross platform (php to C# .NET) encryption/decryption with Rijndael
  20. How can I decrypt a password hash in PHP?
  21. Issue in installing php7.2-mcrypt
  22. How to do AES256 decryption in PHP?
  23. Rijndael 256 Encrypt/decrypt between c# and php?
  24. Is it secure to store a password in a session? [duplicate]
  25. Switching between HTTP and HTTPS pages with secure session-cookie
  26. Use openssl_encrypt to replace Mcrypt for 3DES-ECB encryption
  27. How can I install mcrypt under PHP7? Laravel needs it
  28. Installing mcrypt extension for PHP on OSX Mountain Lion
  29. AESCrypt decryption between iOS and PHP
  30. What encryption algorithm is best for encrypting cookies?

Leave a Comment