I'm planning to move my website to Laravel 7 framework, but many users already have passwords set and I don't know which hash type was used.
Should Laravel be able to detect the hash type when checking the password ? Can I have passwords with different hashing types stored in the password column of the user database ?
Related
I am working on a function that allows a user to check if their existing device contacts are using our platform, based on phone numbers.
For privacy and security, we are hashing the user's contact's phone numbers on device (salted with the user's id) before sending to our server.
Server side, we then need to hash our entire contacts table (using the user's id as a salt), which is currently being done in a for loop.
We then check this list against the request list, and return the details for any matches.
However, I'm sure there is a more efficient way of doing this, something like computing the hash in a calculated field then including the $request->hashes in a "whereIn" clause.
Could someone give me a pointer on the best approach to be taking here?
The question is, what privacy and security are you achieving by sending hashed value of contact number?
You are hasing the contact in client side(device), that means you are using a key and salt that is available in clinet side already. How can that be a security feature?
If you want to search hashed value in database then it's better to save hashed contract number in a column in the first place. So you can directly run where query in database table.
Ideally, if you really concern about user's contact number you should:
Encrypt the user's contacts in backend/databse not in frontend.
If you need to query for a field in database then you should make a hash valued column that can be matched easily. I mean searchable fields should be hashed so you can run direct query.
Nothing to worry about user's contact security in frontend if you are already passing it trhough Secure HTTP(HTTPS).
Even it a common practice in the industry, to pass a submitted plain password via HTTPS when a user submit it in frontend. It shouln't be a concern of privacy or security.
I have 2 database tables consisting of 2 different user types.
Users and Players.
Players is with user data from in-game plugin where passwords are BCrypted.
Users one is empty and is intended to store the user info from the Players table.
I am comparing the usernames and passwords.
The problem is that from the user input in the website get plain text password, and from the other table the passwords are already bcrypted and the Laravel bcrypt does not match the bcrypted cipher from Players table.
What are my options to compare the passwords in order to confirm that this is the user trying to log in.
In-game plugin cipher:
$2a$10$lpVYpSJ4O6Mt03eItJeipOWR8LGHP8dgk4a09.e6BFKVoYNAgjz86
Laravel plain text bcrypted:
$2y$10$yZoq3xBsfow49pL6UyGD2.5NKlmHOmfnCFc9JD5ZjDz3pf5K1XMhG
Both passwords are the same.
Try using Hash::check() function to compare plain password and hashed password.
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}
I found a solution, by using a library which helped me integrate the plugin on my website.
On top of that I had to do some minor configurations in the config file of the plugin. Changing the encryption method, so it matches the one in my Laravel application (BCrypt).
Later on I found out that I don't need to decrypt the password but just compare the hashes.
I have a table in database with this structure:
Username
Password
Age
email
Address
Phone Number
I want to store this table's data manually(not by an input from a program) in the data base so that i can fetch it later for further use.
I want to store the password in the database in the encrypted form so that nobody can see the password.
How can i do this ?
I think you can go to the following site and check it out:-
http://docs.oracle.com/cd/E18283_01/network.112/e10746/asotrans.htm
You can use Master Encryption Key.It is implemented in a lot of places where user details should not be misused such as credit card no.
I am a newbie of the CI framework. I am trying to understand what session id is for. Here is the description from CI doc:
The user's unique Session ID (this is a statistically random string with very strong entropy, hashed with MD5 for portability, and regenerated (by default) every five minutes)
I am just wondering under what occasions I should use this.
Thanks
The session ID in CodeIgniter is essentially either;
if using a database for session storage: a random hash (string) that references the session data in the database so CodeIgniter knows what data belongs to who
if not using a database; an encrypted set of data that CodeIgniter uses (that you can leverage as well) to track the user (eg. if logged in, a user ID)
Is there any way to allow spaces in user names Name Givenname and characters like ščťžýáíéúô (any UTF-8 characters) in CodeIgniter Tank Auth library?
I was browse code but I do not know hot to allow it? And aloso I need to allow duplicate usernames (need only email to be unique).
EDIT:
When I trying to register new user I get this error.
http://i.stack.imgur.com/jhxEO.png
I don't think Tank Auth places any restrictions on spaces/characters in the username, it's more likely to be the collation on your users table. Tank Auth uses SQL LOWER() functions to compare usernames to input, so SQL LOWER('whatever is in the DB') must equal PHP strtolower('whatever the user entered').
If your users table is not defined with collation UTF8_GENERAL_CI, try changing it to that.
If that doesn't fix it, the code in models/tank_auth/users.php is very simple, so you can easily adapt it to meet your needs.