HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH
You never want to encrypt passwords. The problem with encryption is that it’s a two (or more) way street, in other words, you can both encrypt a password AND decrypt it. Even the best encryption algorithms are feasibly subject to brute forcing.
Hashing on the other hand is a one way street. Once a password is hashed, it can never be recovered.
Think of the password as a piece of paper, encryption as a paper shredder and paper as my hungry stomach. If you pass the paper through the shredder, you can piece it back together through trial and error - or if you left clues on the paper (an encryption key) and someone knew the clues it would be even easier.
Hashing on the other hand is like feeding me a piece of paper. I’ll gobble it up, it’ll go through my empty stomach, get churned up, broken down by my nasty stomach acids, and pooped out. It can never be recovered, ever. However, if I ate another piece of paper in the same exact way under exactly the same circumstances my poop will come out looking exactly the same. This is how hashing works.
However, if even one molecule was off or if in my furious consumption a drop of salty sweat fell on the paper the poop would come out completely different. Hashing works in this way too. Hashing makes use of something called SALT, which is a random string of characters that get sent into the algorithm with the password, to make it even more random.
The problem with Hashes is that they are fixed length. And although the length can be of any size, the length is still fixed. This means that a table of all possible outcomes could be created for any given algorithm and a hashed password could be compared with this table. Even a SALT of one character will render a rainbow table (as they are called) completely useless.
PHP has a function called md5, and it’s really easy…you just do $hashed_password = md5($password . “R4nd0m cH4raC1er2”); and BAM! you have an impossibly irreversible password. You might be wondering…well how does a user log in!?
You store the hashed password in your now secure database. When a user logs in, you hash their password in the same way as above and compare it with the hashed password in the database. If they match then you can let them log in!
For more information, see this awesome post: http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms
HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH! HASH