How to Authenticate to LDAP server when the available managerPassword is not in cleartext but hashed using a secure salt? - spring

EDIT: The server currently hashes the incoming cleartext user password and compares that with the hash that is stored in the server. My problem is that my application is sending the password already hashed, so when the server tries to hash it again, it obviously doesn't match the cleartext password's hash stored with the server.
An example:
Let's assume the password to be abc and the hash to be ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad.
Normally the LDAP server receives abc as the password, computes the hash and compares it with what it has stored, and it is matched.
My case: Instead of sending abc, I'm now sending its hashed form ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad. Now the server hashes this, which results in b6291ce396cb2fd46f4a5410b4f9a739ae89e182fc0bd0fc7f8d064e5bfe35e9, obviously different from the actual hash of abc and the source of my problem.

Related

Laravel: calculated field used in a query

I am working on a function that allows a user to check if their existing device contacts are using our platform, based on phone numbers.
For privacy and security, we are hashing the user's contacts' phone numbers on device (salted with the user's id) before sending them to our server.
Server side, we then need to hash our entire contacts table (using the user's id as a salt), which is currently being done in a for loop.
We then check this list against the request list, and return the details for any matches.
However, I'm sure there is a more efficient way of doing this, something like computing the hash in a calculated field then including the $request->hashes in a "whereIn" clause.
Could someone give me a pointer on the best approach to be taking here?
The question is, what privacy and security are you achieving by sending a hashed value of the contact number?
You are hashing the contact on the client side (device), which means you are using a key and salt that is already available on the client side. How can that be a security feature?
If you want to search for a hashed value in the database, then it's better to save the hashed contact number in a column in the first place, so you can directly run a where query on the database table.
Ideally, if you are really concerned about the user's contact numbers, you should:
Encrypt the user's contacts in the backend/database, not in the frontend.
If you need to query for a field in the database, then you should make a hashed-value column that can be matched easily. I mean searchable fields should be hashed so you can run a direct query.
Nothing to worry about regarding the user's contact security in the frontend if you are already passing it through Secure HTTP (HTTPS).
It is even a common practice in the industry to pass a submitted plain password via HTTPS when a user submits it in the frontend. It shouldn't be a concern of privacy or security.

Storing and Validating Hashed & Salted password with ColdFusion 2021

I need to hash and salt user-entered passwords and store them in the database. I also need to validate the hashed and salted password when a user logs in to the site.
I read the following Adobe blog by David Byers:
https://coldfusion.adobe.com/2020/04/best-practices-secure-password-storage-coldfusion/
This blog explains and gives sample code on how to hash and add salt to a user password, with screenshots.
My first question is:
Do I need to create two columns in my database table to store the hashed password and the salt, just like he explained in this blog?
If yes, then my second question is:
How do I validate a user password that's been hashed and salted? If the values of the hashed password and the salt are separated into two columns like that, do I have to concatenate the two strings when validating?
My last question is:
How do I authenticate/validate the user password when the password is hashed and salted? Is there any code example I can see? Thank you

What returns new BCryptPasswordEncoder

I have Spring Boot Security app with login form which works with BCryptPasswordEncoder.
My user has the password 100.
So what should I put as the password in the login form: the hash of the number 100?
Like $2a$12$X.omeLbXLKHzA9Hp5hNY8.Buc0Fuisz6eG0gyizubZPu0l2pgwKM.?
If the user's password already exists in the DB as a hash, just put 100 as the password. Spring Security automatically computes the hash of your input and compares it with the DB hash.

How BCryptPasswordEncoder works in Spring.Security?

I'm trying to understand how spring security can match the raw password entered by user with the encoded password in the database in the case of random password salting by BCryptPasswordEncoder.
My questions: AFAIK bcrypt(random salt + password) = random encoded password, so since bcrypt is a one-way hashing function and the encoded password is fixed in the database, I guess Spring Security will somehow get the salt while encoding the password and before checking matches using BCryptPasswordEncoder: boolean matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword), right?
If so, where is the salt stored, in the database or somewhere else?
If the salt is in the database, how do you defend against cracking if the database is exposed?
The salt is stored in the same column as the hashed password. Salts are not considered to be secret. Since each is unique, it prevents pre-calculating rainbow tables.
If you want higher security, consider peppering (the pepper stays in the application and HMACs the salted hashes).

Laravel comparing user input plain text password with external database bcrypted password

I have 2 database tables consisting of 2 different user types:
Users and Players.
Players holds user data from an in-game plugin where passwords are bcrypted.
The Users table is empty and is intended to store the user info from the Players table.
I am comparing the usernames and passwords.
The problem is that the user input on the website gives a plain-text password, while the passwords in the other table are already bcrypted, and the Laravel bcrypt does not match the bcrypted cipher from the Players table.
What are my options to compare the passwords in order to confirm that this is the user trying to log in?
In-game plugin cipher:
$2a$10$lpVYpSJ4O6Mt03eItJeipOWR8LGHP8dgk4a09.e6BFKVoYNAgjz86
Laravel plain text bcrypted:
$2y$10$yZoq3xBsfow49pL6UyGD2.5NKlmHOmfnCFc9JD5ZjDz3pf5K1XMhG
Both passwords are the same.
Try using the Hash::check() function to compare the plain password with the hashed password.
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}
I found a solution by using a library which helped me integrate the plugin with my website.
On top of that I had to do some minor configuration in the config file of the plugin, changing the encryption method so it matches the one in my Laravel application (BCrypt).
Later on I found out that I don't need to decrypt the password but just compare the hashes.
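The two BCrypt answers above (the salt lives in the same column as the hash, and matches() re-derives with it) and the double-hashing failure from the first question can be seen in one small sketch. This is an added example, not code from any of these posts or from Spring Security or Laravel: parse_bcrypt() splits the three bcrypt strings quoted above into their fields, while encode()/matches() use PBKDF2-HMAC-SHA256 and an invented `$pbkdf2$` layout as a stand-in for bcrypt, which is not in Python's standard library.

```python
import hashlib
import hmac
import os
import re
from typing import NamedTuple

# bcrypt's modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


class BcryptParts(NamedTuple):
    variant: str  # 2a / 2b / 2y are implementation revision labels, not different algorithms
    cost: int     # log2 of the work factor
    salt: str     # 128-bit random salt in bcrypt's base64 alphabet, stored in the clear
    digest: str   # the only field that depends on the password


def parse_bcrypt(encoded: str) -> BcryptParts:
    """Split a stored bcrypt string into its self-describing fields."""
    m = BCRYPT_RE.fullmatch(encoded)
    if not m:
        raise ValueError("not a bcrypt-formatted string")
    return BcryptParts(m.group(1), int(m.group(2)), m.group(3), m.group(4))


# Stand-in encoder with the same shape as bcrypt: salt and cost ride along with the digest.
# PBKDF2-HMAC-SHA256 is used only because it is in the standard library; the layout
# "$pbkdf2$<cost>$<hex salt>$<hex digest>" is this example's own, not a real scheme.
def encode(raw: str, cost: int = 12, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # a fresh salt per password, as BCryptPasswordEncoder does
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 2 ** cost)
    return f"$pbkdf2${cost:02d}${salt.hex()}${digest.hex()}"


def matches(raw: str, encoded: str) -> bool:
    """What matches(rawPassword, encodedPassword) does: read salt and cost back out of
    the stored string, re-derive from the raw password, compare in constant time."""
    parts = encoded.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2":
        return False  # unknown layout (for example a real bcrypt string) never matches
    _, _, cost, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", raw.encode(), bytes.fromhex(salt_hex), 2 ** int(cost))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def sha256_hex(text: str) -> str:
    """The client-side pre-hash from the first question; feeding its output to matches()
    makes the server derive from the hex string instead of the password, so it fails."""
    return hashlib.sha256(text.encode()).hexdigest()
```

Two encodings of the same password differ only in salt and digest and both verify, which is why the two Laravel strings above cannot be compared as text and must go through Hash::check().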
