> This is not what I need.
> I'm not building a userbase to authenticate with.
>
> I'm holding a database of users and passwords that I need to keep.
> There is no authentication done against these user/password pairs.
>
> I don't want to keep the passwords in free text since if someone
> breaks in, he can steal many users and passwords.
>
> What I want to do is encrypt each password with another password,
> and be able to decrypt the string with the same pass that was used
> to encrypt to show the original plain text pass to whoever needs
> to see it.

The problem here is that to be able to decrypt a password you will have to store the key somewhere. This key will then be vulnerable if someone breaks into your machine. In other words, the crack becomes a bit more difficult but will have the same catastrophic effects.

What you should do is encrypt the password in the database using a one way function, such as crypt(), http://www.php.net/manual/en/function.crypt.php. When the user enters their password, encrypt that and then compare the encrypted passwords.

The only problem with this is that there is no easy way to recover the password if the customer loses it. In this scenario, you will have to have an alternative way to reset the customer's password.

Regards

Dave

--
Chief Technical Consultant
Auxinet Payment Services
http://www.auxinet.com
Phone: +44 870 72 74 76 2
Sales Office: +44 870 72 74 76 3
Fax: +44 870 72 74 78 2
     +44 870 72 74 78 3

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
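
The one-way approach described in the reply above, as an added PHP example that is not part of the original message: store a crypt() hash, verify by re-hashing and comparing, and handle a lost password by reset instead of recovery. The bcrypt prefix `$2y$10$`, the function names and the `$users` array (standing in for the database) are assumptions made for the example.

```php
<?php
// Added example, not from the original message. $users stands in for the
// database table; the account name and passwords are constructed samples.

// Hash a password with crypt() using bcrypt ("$2y$") and a fresh random salt.
function hash_password(string $plain): string
{
    // A bcrypt salt is 22 characters from the alphabet ./0-9A-Za-z.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($plain, '$2y$10$' . $salt);
    if (strlen($hash) < 60) {          // crypt() returns "*0" or "*1" on failure
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// "Encrypt that and then compare": the stored string carries the algorithm,
// cost and salt, so it is passed back to crypt() as the salt argument.
// hash_equals() compares the two hashes in constant time.
function verify_password(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

// Lost password: nothing can be decrypted, so issue a new password and
// overwrite the stored hash. The plain text exists only in the return value.
function reset_password(array &$users, string $name): string
{
    $temporary = bin2hex(random_bytes(8));
    $users[$name] = hash_password($temporary);
    return $temporary;
}

$users = ['alice' => hash_password('correct horse')];

// Correct password, then a wrong guess, against the stored hash.
var_dump(verify_password('correct horse', $users['alice']));
var_dump(verify_password('wrong guess', $users['alice']));

// After a reset, the new password verifies and the old one no longer does.
$new = reset_password($users, 'alice');
var_dump(verify_password($new, $users['alice']));
var_dump(verify_password('correct horse', $users['alice']));
```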