There's a ton of bad programming and security advice on the Internet. Some of the advice is bad because the author is misinformed, some because it emphasizes precision over clarity and most people wind up lost in the jargon. If you feel that cryptography is a weird, complicated, and slightly intimidating subject for which your feelings might be best described as lukewarm (on a good day), we hope that by the time you finish reading this page, you will have a clear understanding of the terms and concepts people use when this topic comes up.

> Warning: The example snippets on this page are for illustrative purposes. Don't use them in your projects. If you want a real-world example to reference, check out [the snippets in our Chief Development Officer's StackOverflow answer](https://stackoverflow.com/a/30189841/2224584) instead.

# Basic Cryptography Concepts for Developers

Let's start with a basic question: **What exactly is a cryptographic feature?** In the simplest terms we can muster: `Cryptographic features use math to secure an application`.

Digging a little deeper: there are a plethora of cryptography algorithms and they can generally be grouped together based on two criteria:

1. How much information must be supplied by the developer?
2. What is the intended goal?
    * Confidentiality?
    * Integrity?
    * Authenticity?
    * Non-repudiation? Deniability? (These two are opposites.)

* Keyless Cryptography (0 keys)
    * [Hash Functions](#hash-functions)
* [Secret-Key Cryptography](#secret-key) (1 key)
    * [Secret-Key Message Authentication](#mac)
    * [Secret-Key Encryption](#secret-key-encryption)
    * [Authenticated Secret-Key Encryption](#authenticated-encryption)
* Public-Key Cryptography (2 keys)
    * [Shared Secret Key Agreement](#diffie-hellman)
    * [Digital Signatures](#digital-signatures)

## The First Rule of Cryptography: Don't Implement it Yourself

Developing cryptography features is best left to the experts. By all means, [do feel free to tinker](http://www.cryptofails.com/post/75204435608/write-crypto-code-dont-publish-it), but don't deploy your experiments in production or share them with other developers who might deploy them in production. Instead, use a high-level cryptography library that experts have already vetted. Follow the link to read our [PHP cryptography library recommendations](https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide).
| Cryptographic Hashes | Password Hashes |
|----------------------|-----------------|
A lot of developers will either encode or compress information and assume their solution provides the same level of security as actual cryptographic features simply because the output is not human readable. It doesn't. Encoding and compression algorithms are both **reversible, keyless transformations of information**. Encoding specifies how information should be represented in human-readable text. Compression attempts to reduce an input to as little space as possible. Both are useful, but they are not cryptographic features.
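As an added illustration (not one of this page's own snippets, and not the StackOverflow code it points to), the Python below shows why a compressed-and-encoded blob offers no protection: anyone holding it can reverse it and edit it with no key at all, whereas a secret-key MAC (HMAC-SHA256, from the "1 key" group above) rejects the edited record. The key and the record are constructed demo values.

```python
import base64
import hashlib
import hmac
import zlib

# Constructed demo values; a real key comes from a CSPRNG and a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_RECORD = b'{"user":"alice","balance":100}'


def obscure(data: bytes) -> bytes:
    """The anti-pattern: compress, then base64-encode. No key is involved."""
    return base64.b64encode(zlib.compress(data))


def recover(blob: bytes) -> bytes:
    """Reverses obscure(). Anyone holding the blob can do this; nothing secret is needed."""
    return zlib.decompress(base64.b64decode(blob))


def forge(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Edits the 'protected' blob: decode, substitute, re-encode. Still keyless."""
    return obscure(recover(blob).replace(old, new))


def mac_tag(key: bytes, data: bytes) -> str:
    """Secret-key message authentication (HMAC-SHA256): a keyed, one-way tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time check; without the key nobody can produce a valid tag for new data."""
    return hmac.compare_digest(mac_tag(key, data), tag)


def demo() -> dict:
    blob = obscure(DEMO_RECORD)
    tampered = forge(blob, b"100", b"999")
    tag = mac_tag(DEMO_KEY, DEMO_RECORD)
    return {
        "recovered_without_key": recover(blob) == DEMO_RECORD,
        "tamper_unnoticed": recover(tampered) == b'{"user":"alice","balance":999}',
        "mac_accepts_original": mac_verify(DEMO_KEY, DEMO_RECORD, tag),
        "mac_rejects_tampered": not mac_verify(DEMO_KEY, recover(tampered), tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```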
This may very well be the worst password storage function ever written.