I have a running application that uses client-side Sha256 hashing.
I would like to use Laravels serverside bcrypt hashing instead.
My strategy is to wrap all passwords with bcrypt, so I have bcrypt(sha256('password')), and then rehash the password when the user attempts to log in, so I simply have bcrypt('password').
My problem is authenticating the user when they try to log in with a Sha256 password.
I try to authenticate them by running
if (hash('sha256', 'password' . 'salt') == $stored_pw)
But with no luck. I'm only fairly certain that the client-side hashing simply appends the salt, and I'm unsure if Laravels hash function adds a salt of its own.
Here's a hash created by the client from the password 1234567: $5$a0FpUG9JUgkj1d6H$eSSzXebYU87wPAWSTRJGyWw/kOMgDvPqcri4CI1QCV0
I am trying to recreate the same hash using the salt, the password, and Laravels hashing functions.
How do I specify that the Sha256 function should use a specific salt?
Try.
use phpseclib\Crypt\Hash;
or
use Hash
\Hash::make($request->password);
or
$hash = Hash::make('secret');
$input = 'secret';
if(Hash::check($input, $hash)){
// the input matches the secret
}
I use a helper
if (!function_exists('genSSH512')) {
function genSSH512($value)
{
$salt = Str::random(8);
return base64_encode(hash('sha512', $value.$salt, true).$salt);
}
}
Laravel has dedicated Facade Support for this:
use Illuminate\Support\Facades\Hash;
$hash = Hash::make($string);
if (Hash::check($stringYouWantToCompare, $hash)) {
return true; // Valid
}else {
return false; // Invalid
}
Related
by default the password reset token emailed to email is different from one being saved to database. I have used the Hasher::make() and hash_hmac('sha256', $token, env('APP_KEY')) to hash that and then compare that token to database but invain. what should i do to transform emailed token to database token or compare them?
I also tried
public function convertToken($token)
{
if (Str::startsWith($key = env('APP_KEY'), 'base64:')) {
$key = base64_decode(substr($key, 7));
}
return hash_hmac('sha256', $token, $key);
}
The Hasher used by the Laravel default implementation can be retrieved with
$hasher = Password::broker()->getRepository()->getHasher();
You can then hash your token to add them to your database like this :
$hasher->make($token);
And you can check a token against the value stored in your database with this code :
$hasher->check($token, $databaseToken);
But why do you want to implement yourself what Laravel team has already done ? You'd better use Laravel default authentication, unless you do this for fun.
I want to allow the user to generate custom keys to encrypt their message before sending it. The user will need to see the generated key first but when I pass it to the blade, it doesn't get displayed because it's not a string I guess. I Couldn't find a way to display it.
public function index(){
$cipher = 'AES-128-CBC';
$key = Encrypter::generateKey($cipher);
return view('dashboard.compose',compact('key'));
}
I am developing a sales system where every user has an account. To authenticate users I store passwords with bcrypt and use the Laravel Auth library as follows:
$data = $request->only('user', 'password');
if (\Auth::attempt($data)){
#redirect dashboard
}
In the Point Of Sale screen, user can add special products that require a PIN (The PIN is the password of some users with privileges).
When i call a button click to save the sale, in my Request class i add this validation (i only need to check if there are some special products, and if, check the PIN that have to match in the DB), i use this code:
$allowed_pin = true;
foreach (Request::get('products') as $product) {
if($product["special_perm"] === "1"){
$pin = $product["pin"];
$user = User::where('password', '=', bcrypt($pin))->first();
if ($user) {
$allowed_pin = true;
} else {
$allowed_pin = false;
}
}
}
The problem is when i compare password in Request class, if i use dd() it show me "$2y$10$AasS5/FTWv28PmYuABfqve4Ao6m1U9zxdUE6ZoHJWcfpn19sd4wcG" and real password hashed in database is "$2y$10$DmefHppecIjuanjRbcj82OPyjhi.L0/4YGd62LYCvkDTGjXxL25fG"
and they not matching.
Does Auth class use some internal encryption different to bcrypt?
To compare the plain text password with the encrypted one, use Hash::check('plain-text', $hashedPassword)
Check out the Laravel docs: https://laravel.com/docs/5.4/hashing
How to use MD5 instead BCrypt for password in Laravel 5.3?
I am not sure why no one has mentioned this yet but, You should not be using MD5 to protect passwords at this point. If that is what you are doing, you may as well just leave them plain text.
In Laravel 5.3 you can change bcrypt() to MD5 related logic in the RegisterController.php and override login() method in LoginController.php to manually authenticate users using MD5 related logic.
Using md5 instead bcrypt is not legit, though you can achieve this quite easily.I did it in my lumen project which is miniframe of laravel
go to folder like vendor-->illuminate--> auth--> EloquentUserProvider
in EloquentUserProvider rewrite this like below codes
public function validateCredentials(UserContract $user, array $credentials)
{
$plain = $credentials['password'];
if(md5($plain)==$user->getAuthPassword())
{
return true;
}
else{
return false;
}
}
and when you are creating user take password input as password'=>md5($request->input('password'))
if youre using JWT you can generate token also $token=app('auth')->attempt($request->only('email','password'));
My Symfony application loads its user entities from the database. Here's the entry in security.yml:
security:
encoders:
MyProject\MyBundle\Entity\UserEntity:
algorithm: bcrypt
providers:
main:
entity:
class: MyBundle:UserEntity
property: username
When I implemented this I followed Symfony’s recommendation to store a unique salt for each user, using it whenever the password is encoded:
$encoder = $this->get('security.encoder_factory')->getEncoder($user);
$encodedPassword = $encoder->encodePassword($form->getData()->getPassword(), $user->getSalt());
if ($encodedPassword === $user->getPassword()) {
// Success
}
Symfony 3.0 no longer allows you to pass a salt, so I’ve updated my logic:
$encoder = $this->get('security.password_encoder');
$encodedPassword = $encoder->encodePassword($user, $form->getData()->getPassword());
if ($encodedPassword === $user->getPassword()) {
// Success
}
But encoding without the salt obviously doesn't work. Is there any way I can get my users password working on 3.0, short of asking every one of them to reset their credentials?
The issue was that I wasn't using the isPasswordValid function. This recognises the salt that is now stored within the bcrypt encrypted password:
$encoder = $this->get('security.encoder_factory')->getEncoder($user);
$passwordValid = $encoder->isPasswordValid(
$user->getPassword(),
$form->getData()->getPassword(),
null
);