I created a new application in apex and by default the login page got created.
Now when i run the application, what username and password should i put to enter?
I am confused as to which table stores the login and password.
The login page has itemsfor username and password and in processes uses apex_authentication.login(username item....& password item).
So how do i figure out what my username and password is?
This is my first time trying to create an apex application.
If you didn't create any additional users, then provide your workspace's username and password.
I would like to know if it's a good practice in terms of security to send the decrypted password to a new user by email. Someone could tell me his feeling?
If i would like to send the password decrypted should i use this ?
$decrypt= Crypt::decrypt($user->password);
thanks a lot in advance
You can't decrypt hashed password. The good practice is to use Laravel resetting password feature.
Once you have defined the routes and views to reset your user's passwords, you may simply access the route in your browser at /password/reset. The ForgotPasswordController included with the framework already includes the logic to send the password reset link e-mails, while the ResetPasswordController includes the logic to reset user passwords.
After a password is reset, the user will automatically be logged into the application and redirected to /home
https://laravel.com/docs/5.4/passwords
Based on the comments:
Once user is register send him/her a link to create a new password.
If you don't want to allow them to access other pages until they create a new password. Add the middleware to check whether user has create a new password or not.
From view point of security, password must be hashed value. You shouldn't use encryption/decryption for password.
http://www.omknowledgeacademy.com/administrator/
if i enter correct username and password it redirects back to login page.
I changed password in users table of super user as md5 to say A
Then i login with super user username n password that i set
the password changes automatically to something like this different each time
$2y$10$nF/d4g50h/RaMoAjK0vdLe5jFQsw/6dyTqodsnTWqd8JMTX5LdJ6i
Not able to login in admin panel
Also it redirects back to http://www.omknowledgeacademy.com/administrator/index.php
can someone please explain me the logic of forgot password procedure i.e how can I implement a forgot password logic while using codeigniter framework.
For forgot password, first take user id i.e. User email for authorizing him i.e. search in your database where any user exist of such email...
Now after authorizing, generate random password and at the same time update that database entry with random password and send that random password to the user via Email....
After user login with that user ask user to update his/her password
Currently I am developing an application with 3 roles: 1 for customers, 1 for the company employees and another one for a Super Admin.
Is it a good practice to allow Super Admin users to see/edit the users' passwords through the UI? Or should it only be modified directly through the DB?
UPDATE: I am using asp.net membership provider and MySQL. Therefore, there is a table in the DB called my_aspnet_membership which stores two fields: Password and PasswordKey. The field PasswordKey seems to be the encrypted password. However, the Password field is stored in plain text. So, can anyone tell me why this is designed in this way if it is not a good practice? Thank you all for your responses!
UPDATE: For those who asked if it really stores the password in two different fields:
Your password should not be stored un encrypted inside your database and as such, shouldn't be visible to users of the UI nor the database.
As for whether it should be modifyable, sure.
In this case the password should be re-generated through user or administrator request. Again, this should be encrypted in the database. My preference would be to auto generate the new password for the user rather than have an administrator type it themselves.
Given this, the only way to change the password directly in the database would be to encrypt it first before insertion. It's quicker to do this through an UI that deals with the encrypting.
UPDATE
In answer to your update, you should specify in your web.config that the password format be hashed:
<providers>
<add [...]
passwordFormat="Hashed"
/>
</providers>
as outlined here:
http://msdn.microsoft.com/en-us/library/ff648345.aspx
There is never a reason to allow someone to see a password they do not own, under any circumstance.
Update for the OP Update: Of course I have no way to know why your DB was designed like this. Thinking optimistically, it contains the plain password so that if a user forgets their password it can be mailed to them -- a bad excuse, but an unfortunately common one. A better alternative is to have the system mail them a freshly generated temporary password -- one which works only to allow setting of a permanent password (and does not destroy the current password until the change occurs).
No user should be allowed to see the Plaintext password of any other user whatsoever. The password must be encrypted atleast if not hashed even in the database.
You MAY allow the super admin to change any user's password, but allowing him to see it in plaintext is taboo.
EDIT: Are you absolutely certain the password field stores the password in plaintext, while there exists another passwordkey field? Because, it sounds similar to a 'salt' mechanism to me. Where, the password is first encrypted with one key, and then re-encrypted with the passwordkey field.
EDIT 2: I am now almost absolutely certain that your database is using a salted password. Salted passwords are often used to increase the security level of the database. For more information on salt, check this.
You should always save passwords encrypted. Therefore you don't have any possibility to show the superadmin the password of another user.
You should never ever store password as is in any database. Always use a hash function to save the password.
You should save all passwords encrypted in DB.. Not in plaintext!!