The mcrypt-extension is deprecated will be removed in PHP 7.2 according to the comment posted here. So I am looking for an alternative way to encrypt passwords.
Right now I am using something like
mcrypt_encrypt(MCRYPT_RIJNDAEL_128, md5($key, true), $string, MCRYPT_MODE_CBC, $iv)
I need your opinion for the best/strongest way to encrypt passwords, the encrypted password should of course supported by PHP 7.xx and should also be decryptable because my customers do want to have an option to ‘recover’ their passwords without generating a new one.
Advertisement
Answer
It’s best practice to hash passwords so they are not decryptable. This makes things slightly more difficult for attackers that may have gained access to your database or files.
If you must encrypt your data and have it decryptable, a guide to secure encryption/decryption is available at https://paragonie.com/white-paper/2015-secure-php-data-encryption. To summarize that link:
- Use Libsodium – A PHP extension
- If you can’t use Libsodium, use defuse/php-encryption – Straight PHP code
- If you can’t use Libsodium or defuse/php-encryption, use OpenSSL – A lot of servers will already have this installed. If not, it can be compiled with –with-openssl[=DIR]