I have recently been making a user admin site with a single login to edit/change aspects of the site. I tried to make a change-password page so the user is able to change their password if desired. I was messing around with this and have completely messed up my MD5 and salt encryption, to the point that I wasn't able to log in anymore.
In my database, in the password row, I had the long hex string displayed (which corresponded to the password I was putting into the site to log in; the md5 function changed this). I deleted the longer password from the database (as it was no longer working) and put back in my actual password... thus I was able to log in again, but have no security on my password... I have no idea how to get the security back?
My encrypt page still stands but is now useless...
<?php
// Hashes a password with two fixed strings concatenated around it.
// The same "salts" are used for every user, and MD5 is the digest.
function encrypt($password){
    $salt1 = "egf";
    $salt2 = "7yh";
    $password = md5($salt1 . $password . $salt2);
    return $password;
}
?>
Please help, any advice would be appreciated! Thank you
Let's look at your code piecewise:
function encrypt($password){                            // You're not encrypting here at all!
    $salt1 = "egf";                                     // Not a salt
    $salt2 = "7yh";                                     // Not a salt
    $password = md5($salt1 . $password . $salt2);       // MD5 is insecure
    return $password;                                   // Why set to variable then return?
}
It seems like you're failing to understand some fundamental cryptography concepts.
Solution: Use password_hash() and password_verify(). They were designed by experts for this exact use case.
If you're on an older version of PHP than 5.5.0, please upgrade. If that's out of your hands, complain to your hosting provider and then use password_compat.
Don't roll your own password storage scheme.
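As an added illustration (not code from the question or the answer above), here is how the change-password and login pages can be built on password_hash() and password_verify(). The users table, its column names, the helper function names and the in-memory SQLite connection used for the demo are all assumptions; swap in your own PDO connection and schema.

```php
<?php
declare(strict_types=1);

// Added example, not from the original question or answer.
// Assumed schema: users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT).
// password_hash() output is 60 chars for bcrypt today, but PASSWORD_DEFAULT may change,
// so a real column should be VARCHAR(255).

/** Store a freshly hashed password. password_hash() generates a random per-user salt itself. */
function storeNewPassword(PDO $pdo, int $userId, string $newPassword): void
{
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => $hash, ':id' => $userId]);
}

/** Return the user's id on a correct password, or null on an unknown user or wrong password. */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // If PHP's default algorithm or cost has moved on since this hash was made,
    // rehash now while we still hold the plaintext. Nothing else ever needs it.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        storeNewPassword($pdo, (int) $row['id'], $password);
    }
    return (int) $row['id'];
}

/** Change-password handler: the current password must verify before the new one is accepted. */
function changePassword(PDO $pdo, string $username, string $current, string $new): bool
{
    $userId = authenticate($pdo, $username, $current);
    if ($userId === null) {
        return false;
    }
    storeNewPassword($pdo, $userId, $new);
    return true;
}

// Offline demo against an in-memory SQLite database (constructed data, not a real account).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
    ->execute([':u' => 'admin', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, 'admin', 'correct horse') !== null);   // bool(true)
var_dump(authenticate($pdo, 'admin', 'wrong guess') === null);      // bool(true)
var_dump(changePassword($pdo, 'admin', 'wrong guess', 'new one'));  // bool(false): current pw required
var_dump(changePassword($pdo, 'admin', 'correct horse', 'new one')); // bool(true)
var_dump(authenticate($pdo, 'admin', 'correct horse') === null);    // bool(true): old pw no longer works
var_dump(authenticate($pdo, 'admin', 'new one') !== null);          // bool(true)
```

Two points the demo makes that the answer only states: the stored value is never the password itself, so the "put my real password back in the database" workaround from the question has no equivalent here (you reset by calling storeNewPassword(), not by editing the row), and password_verify() reads the salt and algorithm out of the stored hash, so there is no $salt1/$salt2 to keep in sync with the database.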