0

Situation:

I need to create QR-Codes, that contains login, password and 2 other informations A and B.

These QR-Codes are non public checkcards used for online authentification.

My Boss dont want to leave the password. show the qr codes and you are logged in

Problem:

I dont want easy to copy and semi easy to read qr codes to contain a plain text like www.example.com/login/?name=abc&password=def&A=ghi&B=jkl

I would much more prefer a solution www.example.com/login2/?var=dsldpjfeepfjwefpejwfp

Question:

Is there a good way to compress different variables into one unreadable variable and then at serverside to decompress it? I tried some encryption, but they will produce binarydata that is not url friendly (and its really LONG in most cases).

Hint:

I dont need complete encryption and safety. I just dont want to show plain passwords. I am Using PHP and cannot install new php modules, but scripts are ok.

Improve this question

2 Answers 2

Reset to default
1

You could use md5(), and on logging in check if:

m5d($password . $salt) == $_GET['password'];
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

No, im am suggesting sending an MD5-hashed over GET. Obviously having any login-information stored in an QR-code have its security-issues, but it looks like Umingo is aware of that.
Thanks, but i need to restore the values on the serverside and sending the md5 would exploit my $salt since if hashes are public transported you could reconstruct the salt that was used.
Then you have two options (that I can think of): A) Encryption, gives indeed a long string, use php.net/base64_encode to convert binary data or; B) If you need short urls: store a key with associated data in a database and use that key in your URL, as every URL-shortener (like tinyurl.com) does
'would exploit my $salt' : if you use a per-user pepper besides your salt (as is always a good idea) you won't have this problem
0

If you don't want to encrypt it, you have two choices.

Base64 - will create something like dXNlcm5hbWV8cGFzc3dvcmR8dmFsdWV8c29tZXRoaW5n

UUencode - will create something like A=7-E<FYA;65\<&%S<W=O<F1\=F%L=65\<V]M971H:6YG

Both a trivially easy to reconstruct for the end user if she is determined.

If you want to make something like Base64 slightly more challenging to "decrypt" you could either run a basic substitution cipher on it first (a=b, b=c, etc) or apply a known shuffle to the string (swap character 1 with 2, swap 3 with 5, etc).

It's not perfect, but it will provide a small measure of defence against anyone who wants to reverse engineer what's in the code.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.