sarciszewski

If it helps to shed some light on the different terms and concepts involved in cryptography, we did publish a blog post explaining this in detail.

https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

Lol, i use Crypt() on my websites? However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password. Also known to be "Encrypted" .... still working on it tho, but working at the moment perfectly fine

Using cypt() is at best suboptimal. You're better off using password_hash() and password_verify().

"However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password"

Have you never heard the words "don't roll your own crypto" before? This is a bad idea!

Fair enough, so either they will or they won't at this point I suppose. You're post is very educational, so hopefully at least some of the forum members here will be able to make use of it.

I'm not sure that's much comfort. Most people link to the w3schools website and not the forum, so I'd wager (heuristically) that more people read the misinformative PHP documentation than the forums where people point out inaccuracies that Refsnes Data ignores.

To be fair, your post is 4 days old and in the PHP forum.

 

I think the point Ingolme was trying to make is that for those posts made in the Suggestions forum (which is specially for making suggestions for the W3Schools.com site) the site maintainers tend to implement them, albeit while not actually making a post or comment to that affect.

I've also emailed them and used the form at the bottom of the page. There's no way they haven't been informed by now.

First, you need to call session_start() before any HTML tags (or even whitespace) is printed out.

<!DOCTYPE html><?php    session_start();

...needs to look like...

<?php    session_start();// ... other code here ...?><!DOCTYPE html>

Very important: You're storing your password in plaintext. Don't do that. See password_hash() and password_verify().

I see that you're using mysqli_real_escape_string(). This is a mistake. The proper way to prevent SQL injection is to use prepared statements, not to escape input.

Reference: https://secure.php.net/manual/en/mysqli.prepare.php

I notice them updating their website frequently, so while they're not very communicative they do seem to listen to suggestions.

Interesting. On one hand, you say they seem to listen to suggestions.

But on balance, they generally ignore the community and so far have not addressed the inaccuracies I brought to their attention.

At this point I'm not sure if I would be wasting my time trying to improve their documentation.

This is true. Encryption implies decryption, if you can't decrypt then it's not encryption.If they do, they don't post or anything. Kaijim has an account here though, I suppose you could send him a private message. For what it's worth, I was once contacted by the team lead for IE about changing some information prior to the release of a new version of IE (so that the information on the site would be accurate at the time of launch), and I sent private messages, emails, and even found the people on Facebook and sent messages through that. I didn't get a response, but hopefully they got the site updated. The people who run the site aren't very active with the community here.

This is disheartening. I wonder if the folks at w3fools would enjoy this infromation more (assuming they haven't already listed it as a grievance)?

At the very least, they'd probably act on it if I informed them of it.

I'm not part of the W3Schools staff, I just manage the forums, I have no responsibility or control over the website.

Understood. I've reported an error on the page and referenced this topic. I originally did not see this link (thank you for informing me about it), I will be sure to make use of it.

Do any of the W3Schools staff frequent the forums? Would posting here be a good way to engage both the community as well as the administration, or is there a better strategy I should pursue?

Maybe these aren't easy questions to answer, but any insight you have to offer as a moderator would be invaluable for plotting the course ahead.

You're right, I don't think anybody would refer to the algorithms used by crypt() as encryption algorithms. I'm quite sure nobody is using crypt() for encryption either, because if they did they'd find out pretty fast that they are not able to retrieve the information they just "encrypted".

 

I see you edited your post, at first I was quite confused as to why you signed up to the W3Schools forum just to tell the world that PHP's crypt() function is not for encryption, you would have access to a lot more people by writing a note on the PHP manual's crypt() page

 

On the W3Schools website, you can scroll to the bottom of the page and click on the "REPORT ERROR" link if you think the content of the page is incorrect.

My edit pertained to the origins of crypt(3), my computer history isn't great

From the PHP manual page:

crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system.

Their terminology is correct, actually. It's just w3schools that muddies the water between new developers and understanding this particular nuance of cryptography. Don't feel bad, though, I just spent the past few months cleaning up a lot of the PHP questions and answers on Stack Overflow.

My employer offers B2B technology consulting, but we also care very much about moving the needle towards other developers being secure by default, both in terms of their tools and frameworks but also in terms of the habits they adopt. Even if teaching other developers to write better and more secure code doesn't have a positive ROI for us.

A lot of programmers seem to learn from w3schools when they're first starting out. That's why I'm even bringing this up at all rather than letting sleeping dogs lie.

I hope these corrections are not taken as a sign of disrespect; few people have the knowledge or years of experience to understand the nuance of cryptology and, while I don't hold not understanding these details against anyone, I'm trying to make better knowledge more common.

Nope. It's a one-way cryptography function, not a one-way encryption function.

Encryption is the art of rendering a message unreadable to everyone who does not possess a secret key. Encryption is, by definition, reversible. Hashing is, by definition, one-way.

Cryptography doesn't imply encryption, it can mean any of the following:

• Encryption
  • Block Ciphers
  • Stream Ciphers
  • Elementary ciphers (substitution, transposition, etc.)

  [*]Authentication

  • Hash functions, HMAC, etc.
  • Password hashing functions
  • CMAC, Poly1305, GCM, etc.

  [*]Key Exchange

  • Diffie Hellman, Elliptic Curve Diffie Hellman

  [*]Digital Signatures

  • RSA, DSA, ECDSA, EdDSA

  [*]Public Key Infrastructure[*]Cryptographic Side Channels

  • Padding oracle attacks (RSA-PKCS1, etc.)
  • String comparison timing attacks
  • Cache-timing attacks
  • Fault-based side-channels

...and so much more.

There isn't a reputable cryptography engineer alive who would say that EdDSA is an encryption algorithm with a straight face. It's just as incorrect to say that a hash function is a form of encryption too.

I've been fighting an uphill battle with new developers who don't understand the difference between hashing and encryption, and I believe correcting this w3schools article will help dramatically.

http://www.w3schools.com/php/func_string_crypt.asp

If we want this article to be accurate, every instance where this article refers to crypt() as an encryption feature needs to be rewritten to say "password hashing" (or simply hashing).

Despite its name, crypt() is ported from AT&T Unix v6's crypt(3) function, which was meant for one-way password hashing. See: https://www.freebsd.org/cgi/man.cgi?query=crypt%283%29