I want to know the file in which the passwords, for creating new user are checked for equality.
The Registration process is handled in com_users, the password fields are named password1 and password2 in the form manifest registration.xml, it has password1 set to validate="password"and password2 to validate="equals".
Depending on what exactly you want to find out, you need to reverse engineer from there.
Related
There is no option to convert hashed text back to plain text. Thats the reason why we use that method to store password - only the author of a password can know the real value - nobody else (developers and someone who can stole passwords). The popular method used to break hashed password is called "brute force attack" and is based on comparing already known hashed values of popular passwords to existing ones in database.
Now i need to show current password when user change password. but hash password cant not return back.
how to solve this issue?
convert hashed password to normal password?
Encryption is a two-way function; what is encrypted can be decrypted with the proper key.
Hashing is a one-way function that scrambles plain text to produce a unique message digest. With a properly designed algorithm, there is no way to reverse the hashing process to reveal the original password.
Now i need to show current password when user change password. but hash password cant not return back. how to solve this issue?
You do not need to show the password to anyone, including the owner of the password.
If you want to check, you can use check method, allows you to verify that a given plain-text string corresponds to a given hash.
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}
I have some different requirement, i don't want to decode the password, but i am building some other app based on SAME DATABASE for LOGIN so what i can do to "encrypt the password value so that it matches the backend password encrypted code".
I want to provide LOGIN from CODEIGNITOR app where data base is created by admin app in LARAVEL ... this is the issue...
So through CodeIgnitor if someone is LOGIN the password will be encrypted equivalent hash encrypted laravel application code.
The Encrypted Password is
$2y$10$cwd15HRgON0ytqkkV5F9zupfUOkqaii7fpbB9Kjd9I7W46LRYY0Km
And the real PASSWOORD is
123456
Please help...
Caddy DZ's answer is right, but to better answer your question you should know that every time you generate a new password with bcrypt function, a new random salt is used.
This leads you to end up getting a different hash for the same password each time you generate one.
The only way you have to verify the correctness of the password, is to use a built-in php function called password_verify.
That function will hash your password (that you provide as a second argument) with the same salt that has been used to generate the stored password (the salt to use is stored in the password hash) you already have in the database:
$password = '123456';
$saved = 'your stored hash';
if (password_verify($password, $saved)) {
echo 'Correct password.';
}
You can check the documentation about password_verify
This is not standard encryption that can be decrypted, this is hashing which is only one (1) way encryption..
To make this work in, you need to use the same hashing algorithm between the two apps (Laravel and CodeIgniter)
For instance laravel uses bcrypt by default to hash the password, so you need to configure CodeIgniter to use the same or vice versa.
bcrypt for codeigniter
What I am trying to do:
I want to simulate 100 different users (username+password combinations) into the same site (that uses an integrated Auth0 login), and each user clicks a button.
What I tried:
Using other questions from stackoverflow, I created:
- a login.txt file:
and a "CSV data set config":
and a "body data" on the login page, where I tried to take the USER and PASS from the text file:
The problem:
- when I check the Request in the result tree, I can only see the correct username being taken from the login.txt file, but the password field is just ${PASS} and not an actual password:
Questions:
What am I doing wrong, as the password is not loaded from the file?
I have a lot of errors in the result tree, and I think it's because of the Auth0... do you have any guidelines on using it with JMeter?
You variable name you define is PASSWORD and not PASS,
You can call it in your test ${PASSWORD} instead of ${PASS}
Or, in the guideline it states to use ${PASS} so you can change in CSV Data Set Config the Variable Names to USER,PASS
I want to add a number of test user accounts and it's a lot faster to do it directly from the Database.
There are a couple of fields that I cannot figure out:
secret_token: How do I generate this on the fly? Is it necessary? Can I copy it from other accounts?
password: Even though I have created some accounts the normal way (register page), with the same password, the password fields are different for each user. Therefore I assume it's not a simple copy/paste case (question also applies to changing a user's password from the DB).
Any insight appreciated, thank you.
secret_token is an md5 hash, and is created by the User::generateActivationToken() method. It is used for special account activities like email verification, password reset, and password creation for new accounts.
password is a 60-character salted hash generated by password_hash using the bcrypt function. Since the salt is randomly generated each time a password is created, it will be different from user to user, even if their plaintext passwords are exactly the same. Indeed, this is the purpose of using a salt.
If you are just setting up test accounts for development purposes, you can leave secret_token empty and use password_hash to generate passwords (perhaps by running a custom PHP script from the command line).
If you need to generate accounts in bulk for real users, you may want to set a secret_token but leave the password empty, generate a "password reset" event for each user, and then send them a password creation email so they can choose their own passwords. This is in fact what is done in the createUser controller method:
$data['password'] = "";
...
$user = new User($data);
...
$user->newEventPasswordReset();
You can see the code for newEventPasswordReset here.
I'm trying to figure out how to view a profile-page in codeigniter. I know how to create templates and so on in CodeIgniter, but I don't know which way to go to handle "translation from username to userid" in a secure manner. This is a profile that should be viewed when the user isn't logged in (public profile).
Code snippet from my profile-controller:
$username = uri_segment(3); //Here's the actual username is stored in the url
$profile = new Profile();
$this->user_id = $profile->getUserByUserName($username);
Above seems ok, right? But when a username contains spaces, the "username-link" gets from "Gustav Wiberg" to "gustav-wiberg" (space replaced by hyphens, and the username is lowercase).
The actual link could look something like this: http://www.domain.com/profile/gustav-wiberg
But if I check this link with uri_segment I get username "gustav-wiberg" and not "Gustav Wiberg" which is the REAL username I want to compare with (by getting the return value of $profile->getUserByUserName($username);.
Am I taking the wrong approach to this? Or is it ok approach based on each username must be unique.
I could just do a replacement from uri_segment "gustav-wiberg" by capitalizing each word and replacing hypens with space and then do my query to check id for that username?
Please give me any pointers...
Either you can put a check while creating the username that there should not be spaces i.e. User can create a URL friendly username.
Or as you mentioned, you can do a replacement from uri_segment. But thinking of different scenarios, this approach can create issues so it seems its better to create a url friendly username.
One more option is you can add one more field in DB along with the username, say "slug". Wherein you can convert the username to URL friendly name and store. And check for that name while retrieving.