I would like to encrypt the passwords on my site using a 2-way encryption within PHP. I have come across the mcrypt library, but it seems so cumbersome. Anyone know of any other methods that are easier, but yet secure? I do have access to the Zend Framework, so a solution using it would do as well.

I actually need the 2-way encryption because my client wants to go into the db and change the password or retrieve it.


Why does the client want to retrieve the password? This is usually a bad idea. Give the admin facilities to reset the password, and the user the ability to change the password if they know the original.

Written by Roger Lipscombe

Accepted Answer

You should store passwords hashed (and properly salted).

There is no excuse in the world that is good enough to break this rule.

Currently, using crypt, with CRYPT_BLOWFISH is the best practice.
CRYPT_BLOWFISH in PHP is an implementation of the Bcrypt hash. Bcrypt is based on the Blowfish block cipher.

  • If your client tries to login, you hash the entered password and compare it to the hash stored in the DB. if they match, access is granted.

  • If your client wants to change the password, they will need to do it trough some little script, that properly hashes the new password and stores it into the DB.

  • If your client wants to recover a password, a new random password should be generated and send to your client. The hash of the new password is stored in the DB

  • If your clients want to look up the current password, they are out of luck. And that is exactly the point of hashing password: the system does not know the password, so it can never be 'looked up'/stolen.

Jeff blogged about it: You're Probably Storing Passwords Incorrectly

If you want to use a standard library, you could take a look at: Portable PHP password hashing framework and make sure you use the CRYPT_BLOWFISH algorithm.

(Generally speaking, messing around with the records in your database directly is asking for trouble.
Many people -including very experienced DB administrators- have found that out the hard way.)

Written by Jacco
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki