How to Create Secret Keys in PHP
The MD5 Message-Digest Algorithm is a one-way encryption algorithm often used for creating secret keys, called MD5 hashes. Because the encryption runs only one way, a hash cannot be decrypted back into the text that produced it; in fact, an infinite number of different text strings produce the same MD5 hash. Hackers nevertheless have ways of discovering the strings used to create hashes, so it pays to create them with care. PHP (PHP: Hypertext Preprocessor) is a programming language that supports MD5 as well as other encryption algorithms.
Instructions

Step 1
Create a salt string: an unguessable string used for the encryption. The salt will be used both for creating hashes and for checking their validity. One way to create a good salt is to scramble a bunch of random characters with PHP's md5 function. The function's output is a 32-digit hexadecimal number, which gives you more than 3.40 x 10^38 possible values. For example, include something like the following in your PHP code:
$salt = md5("4hJUd5sPP97hT");
Step 2
Join the text and the salt with the concatenation operator (a period) and encrypt the result with the md5 function. For example, if you are encrypting passwords, type:
$password = "Us54EEh5R";
$encrypted = md5($password.$salt);
"Rainbow tables" are databases used for cracking MD5 hashes; the largest of them have between 10 and 20 billion entries. Even a database of 100 billion distinct MD5 hashes would cover less than one in 10^27 of the possible values. For comparison, if a drop of water is about 1/10 cm^3, it would take about 1.4 x 10^25 drops to fill the Earth's oceans, so rainbow tables amount to less than a drop in all the Earth's oceans. If your salt string is good, there is almost no chance that the encrypted hash is in such a database. Even if a database did contain the same hash, the string recorded as producing it would differ from yours, because the databases can't waste valuable space on the endless combinations of salted MD5 passwords; they go after much simpler targets.
Step 3
Verify a hash as needed by creating the hash exactly as before and comparing it with the original. For passwords, store the encrypted passwords in a database. When someone tries to use a password, encrypt the entered password with the salt and compare the result with the copy in the database. This way, not even the database administrator knows any of the passwords. For example, type:
$encrypted_entry = md5($entry.$salt);
// hash_equals() compares the two strings strictly and in constant time; the loose
// == operator would treat two hashes that both look like "0e..." as equal numbers
$valid = hash_equals($encrypted, $encrypted_entry);
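The three steps above as one runnable PHP script. This is an added example, not code from the original article: the function names (makeSalt, hashPassword, verifyPassword) are made up for illustration, the salt seed and passwords are constructed values, and the comparison uses PHP's built-in hash_equals() in place of the loose == operator so that the check is strict and constant-time.

```php
<?php
// Added example (not from the original article). Salt seed and passwords are
// constructed values; a real application would load the salt from configuration.

// Step 1: derive a 32-hex-digit salt from a hard-to-guess seed string.
function makeSalt(string $seed): string
{
    return md5($seed);
}

// Step 2: hash the password concatenated with the salt.
function hashPassword(string $password, string $salt): string
{
    return md5($password . $salt);
}

// Step 3: recompute the hash for the entered password and compare it with the
// stored one. hash_equals() is a strict, constant-time string comparison; the
// loose == operator would compare two digests that both start with "0e" followed
// only by digits as the number zero and report them equal.
function verifyPassword(string $entry, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, hashPassword($entry, $salt));
}

$salt   = makeSalt("4hJUd5sPP97hT");         // seed string from the article
$stored = hashPassword("Us54EEh5R", $salt);  // what would be kept in the database

var_dump(verifyPassword("Us54EEh5R", $salt, $stored));        // correct password
var_dump(verifyPassword("us54eeh5r", $salt, $stored));        // wrong case
var_dump(verifyPassword("Us54EEh5R", md5("other"), $stored)); // wrong salt

// Why strict comparison matters: both of these MD5 digests consist of "0e"
// followed only by decimal digits, so == treats them as numeric strings.
$a = md5("QNKCDZO");
$b = md5("240610708");
var_dump($a == $b);            // loose comparison
var_dump(hash_equals($a, $b)); // strict comparison
```

Run it with `php example.php`. Only the first verifyPassword() call succeeds; a changed case or a different salt produces a different digest. The last two lines show the loose == operator reporting the two "0e" digests as equal while hash_equals() does not, which is why the verification step should never use == on hash strings.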
Tips & Warnings
Do not let users see the hashes. A hacker could create a password and, with access to the resulting hash, try to work out what the salt was. If you created the salt by MD5-encrypting a dictionary word, it would not take long to figure out.