Why not use AES for password encryption in PHP?

Question

Everywhere I have seen people talking about storing passwords in a database, they have almost always used MD5.

What is wrong with AES, or SHA1?

Answer 1

Because AES encryption is symmetric. Given a password encrypted with AES and the key, you can decrypt the password. This is undesirable, because you almost always want only the owner of the password to know it and don't want to have an easy way to derive the password. The SHA and MD5 algorithms, on the other hand, perform a (mostly) one-way transformation of the password. There is no piece of information (key) that allows you to return the transformed password back to its plaintext form.

Answer 2

The main reason why using symmetric (or asymmetric) encryption is not advisable for protecting passwords is: key management. When using encryption, you must protect the encryption key (or the entropies from which the key is derived). And protecting the key is a very difficult task to solve. Hashing (with SHA, MD5, or any other algorithm) solves the problem of key protection, because you don't need to keep any secret value (other than salt, but salt is significantly less sensitive than encryption key; you can store salt in plain text). So if you only keep passwords for authentication purposes (performed by your app), there is absolutely no reason to use encryption; hashing would do just fine. However, there may be cases when you need to be able to decrypt passwords (e.g. you may need to pass users credentials to third party apps). This is the only case, in which the use of encryption would be justified for password storage.

Answer 3

MD5 (Message-Digest algorithm 5) is a cryptographic hash function, while Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm, so they are used for different purposes. A hash, like MD5 or SHA is used to verify passwords because it's hard to invert, that is, to obtain the password from the hash-string. An AES encryption, on the other hand, is invertible, the original message can be obtained if you know the key. So, if multiple messages are encrypted with the same key, knowing it exposes all of them, whereas if you manage to find a hash's original string(rainbow tables, etc), you've only discovered the plain text for that particular instance, and you'll have to redo the work to find a sollution for another hash-string.

Answer 4

If you store a password encrypted, it can be decrypted. Since many people reuse passwords across many different systems, this is a bad thing. So you use a one-way function, a cryptographic hash function - this way a password can be verified without actually being revealed.

As Greg commented, AES is an encryption/decryption algorithm. MD5 and the SHA family are hash functions, which are the more appropriate ones to use. But steer clear of MD5 nowadays - it's not really seen as secure enough any more. Xiaoyun Wang published an effective collision attack against it in 2005, and its strength is now seen as considerably below its design strength - thus in cryptographic terms it is "broken".

For best results, the standard is to salt and hash a password to store it - google these terms in tandem and you'll find numerous references.

Answer 5

In short: AES is reversable. A hash function is not.

In response to the accepted answer... (sorry, I'm a new user, can't post comments yet...) Salting only prevents Rainbow Table based attacks. It does not protect "weak passwords". To protect the weaker passwords, you will need to use a hash function that has been proven to be slow. A properly configured bcrypt is the easiest way to do this. MD5 and SHA1 are too fast to be secure. (The collisions found with MD5 are unrelated to this problem I'm describing)

All 8-character passwords encrypted with MD5 or SHA1 (even when properly salted) can be cracked by this dude in a single day. Salting does NOT prevent this kind of attack. "Optimizing" the attack to consist of only the ~500k words in the english language... and the 10,000 most common variations of them will crack a huge number of passwords.

BCrypt is stronger against this kind of attack because it (can be configured to be) millions of times slower than MD5. Iteratively using MD5 a million times will theoretically achieve the same thing, but I suggest you stick with well tested libraries instead of rolling your own implementation. BCrypt uses Salting as well of course, and is available in most programming languages. So no reason to NOT use it.

In theory, SCrypt is better, but its too new (and therefore, implementations are probably still a little buggy)

Long story short: SHA512 vs. Blowfish and Bcrypt

Answer 6

The use of AES as a symmetric cipher for passwords would be a volation of CWE-257 and there for a vulnerability. It is possible to use a symmetric cipher as a hash function. Old unix passwords use DES as a hash function and newer unix systems use blowfish as a hash function. But even though its a block cipher, its being used as a one-way function, which is a requirement for any password storage system.

For php you should use sha256.