-1

I ran into a client that is running on PHP 5.6, and it looks like it was made back, right when encryption was starting to be a thing but supported decryption for passwords. Now, they do NOT need decrypting the password, it just has a script that decrypts the hashes in the DB using mcrypt_get_iv to verify it is correct.

They are using something similar to

mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $encryptkey, $password, MCRYPT_MODE_ECB, $iv);

to encrypt their passwords.

Any ideas how I could keep the encryption but verify passwords without decrypting? They have thousands of users over 20 years. The only option I could think of was to make a new pw_hash field and use their current decryptor and run through a new system and remove this old stuff.

I was able to upgrade their PHP to 7.1. but after that mcrypt is removed.

EDIT

I feel like I asked what I wanted, but will try to clarify. I want to use something other than mcrypt due to it being deprecated, but not lose thousands of users passwords. Currently they are stored and verified using a decrypt and encrypt function that is reliant on mcrypt/mcrypt_get_iv.

Once I upgrade to > 7.1 their login and registration process will break.

Improve this question
3
  • As mcrypt is solely the bridge to an external library, why not use another one, like phpseclib? packagist.org/packages/phpseclib/mcrypt_compat should provide a proper polyfill Commented Feb 24 at 10:16
  • 2
    What is actually the question: Are you looking for a migration strategy from encrypted passwords to hashed ones or do you want to keep the encryption (maybe because of the old data) and are looking for an alternative to the deprecated mcrypt? Commented Feb 24 at 11:34
  • "I want to use something other than mcrypt due to it being deprecated, but not lose thousands of users passwords" - why not use phpseclib that helps to use the old passwords, and rehash them on the next login? Commented Mar 4 at 10:31

1 Answer 1

Reset to default
3

Any ideas how I could keep the encryption but verify passwords without decrypting

As far as I understand your situation, this statement contradicts itself. But since the encryption key seems to be static, I would just rehash all passwords:

  • Add a new column password_argon (or think of a better name)
  • Implement a feature that any time a password is added/changed, a password_hash($password) is also persisted along the encrypted password
  • Run a batch script for each record that lacks the password_argon field to store password_hash(mcrypt_decrypt($encryptedPassword))
  • Once all fields have been populated, switch to verifying passwords using password_verify($input, $passwordArgon)
  • Drop the encrypted passwords. You’ll have no way of accessing raw passwords any more

In case I misunderstood and the key is not static, but is derrived from the password itself, you can do a similar rehash process when the user signs in, i.e. when your app handles the raw password in memory anyway. This will improve the situation for active users, but after a period of time you can make the decision to cut off the inactive ones by dropping the encrypted password field. They will have the option to reset their password using a forgot password flow.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

This is a valiant effort to answer an unclear question, but we prefer instead to have the asker first clarify their question. The good news is that 3 people have already found this answer helpful.
While I understand the frustration of regulars caused by poorly-worded questions and not well-expressed problems, I see no harm in trying to help despite that
I appreciate this response. I wasn't trying to be contradictive. I don't need to decrypt the password, currently that is what the function does, to verify it is valid. For both register and login and change password, they use mcrypt. Your solution is similar to what I figured would need to happen. Thank you very much.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.