Asked  7 Months ago    Answers:  5   Viewed   90 times

The mcrypt extension is deprecated and will be removed in PHP 7.2, according to the comment posted here. So I am looking for an alternative way to encrypt passwords.

Right now I am using something like

mcrypt_encrypt(MCRYPT_RIJNDAEL_128, md5($key, true), $string, MCRYPT_MODE_CBC, $iv)

I need your opinion on the best/strongest way to encrypt passwords. The encrypted password should of course be supported by PHP 7.xx and should also be decryptable, because my customers want to have an option to 'recover' their passwords without generating a new one.

 Answers

60

It's best practice to hash passwords so they are not decryptable. This makes things slightly more difficult for attackers that may have gained access to your database or files.

If you must encrypt your data and have it decryptable, a guide to secure encryption/decryption is available at https://paragonie.com/white-paper/2015-secure-php-data-encryption. To summarize that link:

  • Use Libsodium - A PHP extension
  • If you can't use Libsodium, use defuse/php-encryption - Straight PHP code
  • If you can't use Libsodium or defuse/php-encryption, use OpenSSL - A lot of servers will already have this installed. If not, it can be compiled with --with-openssl[=DIR]
Tuesday, June 1, 2021
 
Whakkee
answered 7 Months ago
93

You should use openssl_encrypt instead.

Wednesday, March 31, 2021
 
tpow
answered 9 Months ago
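
As an added example (not part of either answer above, and not code from the linked guide): one way to replace the question's mcrypt call with openssl_encrypt, using authenticated AES-256-GCM on PHP 7.1+. The function names, the nonce|tag|ciphertext storage layout and the 32-byte random key kept outside the database are assumptions made for illustration.

```php
<?php
// Added example; names and storage layout are assumptions, not the answers' code.
const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16; // openssl_encrypt's default GCM tag length

function encrypt_secret(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('Key must be 32 random bytes.');
    }
    // Fresh random nonce per message (12 bytes for GCM); never reuse with the same key.
    $nonce = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed.');
    }
    return base64_encode($nonce . $tag . $ct);
}

function decrypt_secret(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $nonceLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $nonceLen + TAG_LEN) {
        throw new RuntimeException('Malformed ciphertext.');
    }
    $nonce = substr($raw, 0, $nonceLen);
    $tag = substr($raw, $nonceLen, TAG_LEN);
    $ct = (string) substr($raw, $nonceLen + TAG_LEN);
    // Returns false when the tag does not verify (wrong key or modified data).
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('Authentication failed: wrong key or modified data.');
    }
    return $pt;
}

// Constructed sample run.
$key = random_bytes(32); // in practice loaded from a secret store, not md5() of a passphrase
$stored = encrypt_secret('example-value', $key);
var_dump(decrypt_secret($stored, $key) === 'example-value'); // round trip

// Flip one bit of the stored value: decryption must refuse it.
$tampered = base64_decode($stored);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
try {
    decrypt_secret(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Unlike the CBC call in the question, GCM rejects any stored value that was modified, so a changed ciphertext fails loudly instead of decrypting to garbage.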
20

From their blog:

"we cannot digest the authentication token provided by TokenAuthenticatable, as they are often part of APIs where the token is used many times. Since the usage of the authenticatable token can vary considerably in between applications, each requiring different safety guarantees, we have decided to remove TokenAuthenticatable from Devise, allowing users to pick the best option."

It's now up to the developers to choose the best fit depending on their usage of the authentication token.

Check out this gist.

Saturday, July 31, 2021
 
Smandoli
answered 5 Months ago
80

Had the same issue - PHP7 missing mcrypt.

This worked for me in Ubuntu. Please try the commands below.

sudo apt-get update
sudo apt-get install mcrypt php7.0-mcrypt
sudo apt-get upgrade

Then restart Apache

sudo service apache2 restart

Hope these commands help!

Monday, August 2, 2021
 
mounaim
answered 5 Months ago
92

Note: this answer was written in 2009. Since then, java.time has become the preferred date/time API in Java.


Ideally, use Joda Time instead. It's an infinitely superior API to the built-in one. You'd then want to choose between LocalDateTime and DateTime depending on your exact requirements (it's a complicated area - I'm not going to try to summarise in a sentence or two, but the docs do a good job).

If absolutely necessary, use a java.util.Calendar and convert that to a Date when you need to.

Wednesday, October 6, 2021
 
Assassin
answered 2 Months ago