I am using PHP 5.5.27 and Codeigniter3 to developed my code.
I used password_hash() to encrypt my password and store it in database. Also password varchar(255) is column size.
When I entered plain (unhashed) password then codeigniter validation run properly. But If I used hashed password (in text format) then form validation fails. Also If I used wrong password then also it works properly.
How can I solve this problem and make it work for hashed password also?
Related
I have default auth implemented in Laravel 7 and works like a charm.
However, I have a very peculiar requirement wherein, the password shouldn't even travel in plain text although SSL is implemented on network.
One way would be to handle it via javascript on login page wherein I encrypt the value of password and send the same to server and then decrypt the same in php before handing it to laravel attemptLogin method.
However, I am not so sure about this approach.
Any help would be awesome.
Solution:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
This is already discussed on this answer:
It is standard practice to send "plaintext" passwords over HTTPS. The
passwords are ultimately not plaintext, since the client-server
communication is encrypted as per TLS.
And this one:
If you hash on the client side, the hashed password becomes the actual
password (with the hashing algorithm being nothing more than a means
to convert a user-held mnemonic to the actual password).
This means that you will be storing the full "plain-text" password
(the hash) in the database, and you will have lost all benefit of
hashing in the first place.
You may also read this answer for more security options.
I solved it as below:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
I followed this tutorial to create dynamic email settings stored on db.
https://kayike.medium.com/enable-unique-and-dynamic-smtp-mail-settings-for-each-user-laravel-48e320d381ec
The only problem is that the password is not encrypted. I would like to encrypt it before storing on db and decrypt it before using on MailServiceProvider.
I tried to use bcrypt but it can't be de-crypted. Any suggestions?
Thanks
see the docs for encryption: https://laravel.com/docs/8.x/encryption
encrypting password:
$encrypted = crypt::encryptString($password);
//store this to database
decrypting password:
$decrypted_password = crypt::decryptString($encrypted);
//use this for mailer settings
Note: don't forget to use namespace Illuminate\Support\Facades\Crypt;
in the controller
Additional Note for bcrypt:
encryption-decryption is different than hashing, bcrypt is a hashing formula which can't be decrypted (one way process).
consider this scenario :
User receives a reset password link by email.
He clicks the 'reset password' link in his email and he will be redirected to password reset page that only he has access to due to the token in the URL . As you all know this token is stored in password_resets table with the email of the user .
I want to make the access to this page concerns only the user that clicked to the link in his email , so i have to compare the token in the URL with the token stored in 'password_resets' table ,and as Laravel uses a Hasher to encrypt the token before storing it and can't compare the two tokens .
Do you have any ideas how to fix this ?
simply get the token from the url and hash it then compared the hashed token with the token in the database. This is how passwords are checked the hashed passwords in the database are not reversible you compare the hashes not the plain text password
There is a Hash function built into Laravel, not sure what system your token generator is using but chances are it is using the Hash function in Laravel
I have an application using Parse to store server side data. I apply rules to the entry of a password using a regex successfully. However when I use Parse's PFUser.requestPasswordResetForEmailInBackground function the user is emailed a password reset URL which allows any password to be entered in the reset. The problem is that when the user returns to log into the application with their new password it may not conform to the rules set in the regex. How can I enforce password rules in Parse?
I need to decode a password that was encoded using the org.springframework.security.authentication.encoding.PasswordEncoder.encodePassword method. Basically, application "A" maintains the encoded/encrypted password in its database. Application "B" makes a RESTful call to application "A" to get the userid and password (passes password as encoded/encrypted) and then application "B" needs to view the clear text version of the password, how would it decode it?
The mentioned class "org.springframework.security.authentication.encoding.PasswordEncoder.encodePassword" seems to use digest function to encode the password. Because all the digest function are mentioned to be one way only it is easy to make encoded password from the clear text but almost impossible to obtain unencrypted version from the digest.
If you want to authenticate user just encrypt the password and compare it to it's stored encrypted version.
Other option can be reseting the password (replacing value stored in application "A").
If you insist on unencrypted password in application "B" from the digest, you have to crack it, which can be time consuming operation...