php crypt md5 question

[jamesmorris86]

Hi guys, this may be a really stupid question, but im pretty stupid so please bare with me

im currently using this bit of code to encrypt and decrypt my passwords.

$cleanpw = crypt(md5($pw),md5($user));

i want to crypt my passwords without the $user variable. I tried a few different ways of changing the code with no luck

when i used:

$cleanpw = crypt(md5($pw));

it put an encrypted password into my database but when i tried to log in and decrypt it, it doesnt compare properly and just spits out the wrong password error.

 

[JimAroo]

Sorry, i may have misread your post.

But it makes no sense.

You are defeating the whole point of password hashing, why bother hashing if you want to convert back to plaintext?

it put an encrypted password into my database but when i tried to log in and decrypt it, it doesnt compare properly and just spits out the wrong password error.

You don't "decrypt" them, for example you simply:

$username = $_POST['username'];
$password = $_POST['password'];

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql = "SELECT * FROM `table` WHERE `username` = '$username' AND `password` = '$password'";

$sql_res = mysql_query($sql) or die("derp");

$count = mysql_num_rows($qry_user_res);

if ($count == 0)
{
     // Invalid Login..
}
else
{
     // Valid Login..
}

But with the way you are doing it, it's as if you are attempting to salt your passwords. I'm going by the hashing of both your user and pw.

If that's the case you store the salt in the database, along with the actual hashed password (password + salt - combined), which is inserted into the database on user registration.

That way you can query the entered username for the salt, and then just append the users entered password and the hash that was retrieved from the database, If hashed passwords match.. success.

Hashing = one way, you aren't supposed to be able to converted back. That's the whole purpose of password hashing.