I would like to know if it's a good practice in terms of security to send the decrypted password to a new user by email. Someone could tell me his feeling?
If i would like to send the password decrypted should i use this ?
$decrypt= Crypt::decrypt($user->password);
thanks a lot in advance
You can't decrypt hashed password. The good practice is to use Laravel resetting password feature.
Once you have defined the routes and views to reset your user's passwords, you may simply access the route in your browser at /password/reset. The ForgotPasswordController included with the framework already includes the logic to send the password reset link e-mails, while the ResetPasswordController includes the logic to reset user passwords.
After a password is reset, the user will automatically be logged into the application and redirected to /home
https://laravel.com/docs/5.4/passwords
Based on the comments:
Once user is register send him/her a link to create a new password.
If you don't want to allow them to access other pages until they create a new password. Add the middleware to check whether user has create a new password or not.
From view point of security, password must be hashed value. You shouldn't use encryption/decryption for password.
Related
I would need a readout of joomlas user password in plain style to give special users the ability to send a mail in a custom module with login details like:
https://mydomain/login?user=testuser
password = testuserpassword
For that reason I need the plain passowrd out of the DB. Is there a way to show/read out password from joomla-db in plain style?
Thx in advanced!
Joomla saves the passwords in the database using a one way encryption mechanism, which means that you cannot know what the password is.
I am sure what you're doing can be done in a different method - if you want to login users automatically once they click on a link then you can have a different authentication plugin that will use a random, unique, one-time-use, and time-sensitive hash that will be associated with a Joomla user account.
You need to create a plugin with function after joomla user save
you need to store password in another table with user id and then you can use with sql query to get password.
This is a bad idea for the following reasons:
email is sent in plain text
email often is stored on several systems along the way to your mailbox
email often is stored on your computer in plain text or other unencrypted format
many copies may exist in many places, even after "deletion"
even encrypted email can be broken in to, given enough computing time
your account's security may have been compromised even before you read your email (changing the password will not help in this case)
However, you definitely can email the user their password upon initial registration by going to Global Configuration > Users and setting Send Password to "Yes" (default setting in Joomla 3.x).
If you are looking for a way to send this password after the registration event, as others have mentioned, you are out of luck. What Joomla! provides is a secure password reset functionality to reset a password to something the user can remember. This will be the best approach for you, as well.
Resources: Sending Passwords in Email, Stop Joomla Sending Passwords in Emails
In my database 15 users are have their login and password. If any user change their password then we don't know the users current password. I want to save the password of each users that admin have the only permission to view.If any user changed their password, then admin can know their password, because if we want to login with particular user then it results wrong password.
or
when I login to odoo there is no option to save the password, the username is restore but I want to keep the password automatically fill in the field, does anybody know how to do it?
Thanks........
It's not a good idea to save a password unencrypted in your database.
I'd suggest to take a look at the auth_admin_passkey module.
This would give you the possibility to login at all useraccounts with the admin password.
If you really want to save the new password you could override the write method from res.users and check for the field "password". this way you could save the password to your desired field before it gets encrypted.
I'm using Parse javascript API. If a user has logged out, I will not have a 'currentUser'. Therefore, when I try to use the Parse.User.requestPasswordReset call, it will not work. Is there another way to offer users a way to reset their password if they have been logged out? It seems strange that having a currentUser is required.
It isn't required. You don't say why you think it is, but only an e-mail address is required in order to request a reset (as the result is an e-mail being sent to the user). It's normal to simply have the user type their e-mail address in to trigger the reset logic. Indeed if the user was logged in you would need to be careful about allowing e-mail address editing and then password reset selection...
can someone please explain me the logic of forgot password procedure i.e how can I implement a forgot password logic while using codeigniter framework.
For forgot password, first take user id i.e. User email for authorizing him i.e. search in your database where any user exist of such email...
Now after authorizing, generate random password and at the same time update that database entry with random password and send that random password to the user via Email....
After user login with that user ask user to update his/her password
I'm using the MVC forms log in which works ok, but I need to call a data service which requires the same Username and Password combination from within a controller.
Using HttpContext.User.Identity.Name I can get the name, but what about the password? Is there any way to retrieve this after the user has already logged in?
First of all, you shouldn't be storing passwords in your application. Membership provider doesn't store the password in clear-text anywhere. All you have in database is salted hash. There is no way to obtain user's password after they logged in.
You would need to get the password from the Login action or create a custom MembershipProvider.
But consider changing the design if possible so you don't have to keep clear-text passwords. Once the user has been authenticated you know who it is, and lower layers in your application can trust upper layers with passing the authenticated principal to them. Otherwise why would they trust with passing correct username/password pair?