The following PHP function allows you to securely encrypt passwords, thus preventing them from being read or decrypted by anyone who pulls them from the database or from the application itself.
I recommend embedding this function in a PHP utility class so you can reuse it across your projects. I usually group utilities of this kind by purpose: since this function concerns site security, for example, it would go in a SecurityHelpers or similarly named class.
/**
 * Encrypts a string using a secret key $key.
 * Requires the mcrypt extension (deprecated in PHP 7.1, removed in PHP 7.2).
 * @param String $input: the password to encrypt
 * @param String $key: the secret key used to encrypt passwords
 * @return $encrypted: the encrypted password as text
 */
static function encrypt($input, $key = 'secreta'){
    // A fresh random IV for every call (16 bytes for Rijndael-128 in CBC mode)
    $iv = mcrypt_create_iv(
        mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
        MCRYPT_DEV_URANDOM
    );
    // The IV is prepended to the ciphertext so decrypt() can recover it.
    // The raw SHA-256 of $key is a 32-byte key; mcrypt pads $input with
    // NUL bytes up to a multiple of the block size.
    $encrypted = base64_encode(
        $iv . mcrypt_encrypt(
            MCRYPT_RIJNDAEL_128,
            hash('sha256', $key, true),
            $input,
            MCRYPT_MODE_CBC,
            $iv
        )
    );
    return $encrypted;
}
This function relies on three built-in PHP functions:
- mcrypt_create_iv, which generates a random initialization vector (IV) for each call
- base64_encode, so that the binary result can be stored in the database as text
- mcrypt_encrypt, which performs the encryption itself
Content
- How to use the function to encrypt passwords
- php function to decrypt generated passwords
- Video on Password Hash PHP 7
How to use the function to encrypt passwords
Keep in mind that you should protect this code as carefully as possible: if someone gains access to it, the passwords could be decrypted relatively easily.
For greater security I recommend:
- Use a secret key for each site password; the key must be something you can recover. For example, you could use the first 4 digits of a user's DNI as the secret key, so that even someone with access to the encryption function would still have to find a way to obtain the key.
- If you follow step 1, remember that if you lose the secret key you will no longer be able to decrypt the password, so a new one will have to be generated. Be especially careful if the data you use to compose the secret key is subject to change (for example, the user's first name and surname).
- Make sure the password passed as $input has a minimum length, since encrypting it does not prevent it from being guessed by brute-force attacks.
php function to decrypt generated passwords
Now that you have the code to encrypt passwords, here is the inverse function: given the secret key that was used to encrypt a password, it restores the encrypted value to its original content.
/**
 * Decrypts a string produced by encrypt() using the same secret key $key.
 * @param String $input: the base64 text returned by encrypt()
 * @param String $key: the secret key that was used to encrypt
 * @return $decrypted: the original password
 */
static function decrypt($input, $key = 'secreta'){ // same default key as encrypt()
    $data = base64_decode($input);
    // The first IV-size bytes are the IV that encrypt() prepended
    $iv = substr($data, 0, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC));
    // The rest is the ciphertext; rtrim removes the NUL padding mcrypt added
    $decrypted = rtrim(
        mcrypt_decrypt(
            MCRYPT_RIJNDAEL_128,
            hash('sha256', $key, true),
            substr($data, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)),
            MCRYPT_MODE_CBC,
            $iv
        ),
        "\0"
    );
    return $decrypted;
}
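As an added example (not code from the original post), here is the same scheme implemented with openssl_encrypt/openssl_decrypt, since the mcrypt extension that encrypt() and decrypt() above rely on was deprecated in PHP 7.1 and removed in PHP 7.2; it reads and writes exactly the format those two functions produce, so records already stored with them remain decryptable. The class name LegacyCipher and the sample password and key are assumptions.

```php
<?php
// Added example (not the post's code): mcrypt-free encrypt()/decrypt() that keep
// the post's storage format: base64( IV[16] || AES-CBC(NUL-padded plaintext) ),
// key = sha256($key, raw). That key is 32 bytes, so MCRYPT_RIJNDAEL_128 actually
// ran AES with a 256-bit key; the openssl equivalent is therefore 'aes-256-cbc'.
final class LegacyCipher
{
    private const CIPHER = 'aes-256-cbc';
    private const BLOCK  = 16;

    public static function encrypt(string $input, string $key): string
    {
        $iv = random_bytes(self::BLOCK);
        // mcrypt padded with NUL bytes up to the block size. OPENSSL_ZERO_PADDING
        // only disables openssl's PKCS#7 padding, so the NUL padding is done here.
        $pad = (self::BLOCK - strlen($input) % self::BLOCK) % self::BLOCK;
        $ct  = openssl_encrypt($input . str_repeat("\0", $pad), self::CIPHER,
            hash('sha256', $key, true), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return base64_encode($iv . $ct);
    }

    public static function decrypt(string $input, string $key): ?string
    {
        $data = base64_decode($input, true);
        // Reject anything shorter than IV + one block, or not block-aligned.
        if ($data === false || strlen($data) < 2 * self::BLOCK
            || strlen($data) % self::BLOCK !== 0) {
            return null;
        }
        $pt = openssl_decrypt(substr($data, self::BLOCK), self::CIPHER,
            hash('sha256', $key, true), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING,
            substr($data, 0, self::BLOCK));
        // No MAC in this format: a wrong key or tampered data yields garbage rather
        // than an error. rtrim mirrors the post's decrypt() and, like it, also strips
        // trailing NULs that were genuinely part of the password.
        return $pt === false ? null : rtrim($pt, "\0");
    }
}

// Round-trip self-check with constructed sample values.
$token = LegacyCipher::encrypt('hunter2', 'secreta');
assert(LegacyCipher::decrypt($token, 'secreta') === 'hunter2');
assert(strlen(base64_decode($token)) === 32); // 16-byte IV + one 16-byte block
```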
Video on Password Hash PHP 7
To finish the tutorial, here is an explanatory video that is simple yet very complete at the theoretical level.
The video covers the different ways available to encrypt passwords in PHP and which ones are most suitable today, and it makes clear what to use in PHP 7.