I have a table in database with this structure:
Username
Password
Age
email
Address
Phone Number
I want to store this table's data manually(not by an input from a program) in the data base so that i can fetch it later for further use.
I want to store the password in the database in the encrypted form so that nobody can see the password.
How can i do this ?
I think you can go to the following site and check it out:-
http://docs.oracle.com/cd/E18283_01/network.112/e10746/asotrans.htm
You can use Master Encryption Key.It is implemented in a lot of places where user details should not be misused such as credit card no.
Related
I am working on a function that allows a user to check if their existing device contacts are using our platform, based on phone numbers.
For privacy and security, we are hashing the user's contact's phone numbers on device (salted with the user's id) before sending to our server.
Server side, we then need to hash our entire contacts table (using the user's id as a salt), which is currently being done in a for loop.
We then check this list against the request list, and return the details for any matches.
However, I'm sure there is a more efficient way of doing this, something like computing the hash in a calculated field then including the $request->hashes in a "whereIn" clause.
Could someone give me a pointer on the best approach to be taking here?
The question is, what privacy and security are you achieving by sending hashed value of contact number?
You are hasing the contact in client side(device), that means you are using a key and salt that is available in clinet side already. How can that be a security feature?
If you want to search hashed value in database then it's better to save hashed contract number in a column in the first place. So you can directly run where query in database table.
Ideally, if you really concern about user's contact number you should:
Encrypt the user's contacts in backend/databse not in frontend.
If you need to query for a field in database then you should make a hash valued column that can be matched easily. I mean searchable fields should be hashed so you can run direct query.
Nothing to worry about user's contact security in frontend if you are already passing it trhough Secure HTTP(HTTPS).
Even it a common practice in the industry, to pass a submitted plain password via HTTPS when a user submit it in frontend. It shouln't be a concern of privacy or security.
I'm planning to move my website to Laravel 7 framework, but many users already have passwords set and I don't know which hash type was used.
Should Laravel be able to detect the hash type when checking the password ? Can I have passwords with different hashing types stored in the password column of the user database ?
I have 2 database tables consisting of 2 different user types.
Users and Players.
Players is with user data from in-game plugin where passwords are BCrypted.
Users one is empty and is intended to store the user info from the Players table.
I am comparing the usernames and passwords.
The problem is that from the user input in the website get plain text password, and from the other table the passwords are already bcrypted and the Laravel bcrypt does not match the bcrypted cipher from Players table.
What are my options to compare the passwords in order to confirm that this is the user trying to log in.
In-game plugin cipher:
$2a$10$lpVYpSJ4O6Mt03eItJeipOWR8LGHP8dgk4a09.e6BFKVoYNAgjz86
Laravel plain text bcrypted:
$2y$10$yZoq3xBsfow49pL6UyGD2.5NKlmHOmfnCFc9JD5ZjDz3pf5K1XMhG
Both passwords are the same.
Try using Hash::check() function to compare plain password and hashed password.
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}
I found a solution, by using a library which helped me integrate the plugin on my website.
On top of that I had to do some minor configurations in the config file of the plugin. Changing the encryption method, so it matches the one in my Laravel application (BCrypt).
Later on I found out that I don't need to decrypt the password but just compare the hashes.
In my application I have an administrator who can create Tournament objects. When the object is created the service also creates a user (based on the tournament director's info which was entered at creation). The username for the user is the director's e-mail, the password is randomly generated and then mailed to the director.
When the director logs on with his e-mail address and password, I need to be able to link him to his own tournament, in order to only allow him to edit his own tournament's details. I have tried to find a way to store the TournamentId in the default ASP Net Users database, but was unsuccessful.
I had a look at this SO question which would certainly help me, but I can't figure out how it would apply to my problem. When the user logs on, I can't put the TournamentId in the userdata seeing as I don't know it.
Should I then do a lookup in the Tournament table to see which ID corresponds to the email address entered at login and store that in the userData? It seems quite unelegant this way.
I guess you should have a CreatedBy column in your Tournament table where you store the ID of the user who created the tournament. Then when the user logged in, get his id ( may be from session ,if you store it there), Do a select query where CreatedBy=loggedInUserId .That should do the trick.
I'm working on a Razor project and need to integrate an existing User database into the SimpleMembership Provider DB Schema. This is done by specifying my existing User table and which columns are to be used by the SimpleMembership API for the Username and UserID.
WebSecurity.InitializeDatabaseConnection("DB_ConnStr", "User", "UserId", "Username", true);
In the process though, I am populating the webpages_Membership table with a new record for each User row in my existing database. This has gone fine and I have written some code to handle the inserts for each existing user.
During the insert, I use a dummy encrypted password token for simplicity and set the password to be the same for everyone. Then I need to run another script over the records to set the correct password for each user in the webpages_Membership table. This involves decrypting the current password from the existing User table, and then calling:
WebSecurity.ChangePassword( username, dummyPwd, newPwd)
on each user, passing the decrypted current password as the 'newPwd' parameter.
This works fine in 99% of the cases that it's called - for over 100,000 records. But it is failing in about 40 cases.
What reasons could cause this method to fail?
My first guess would be that the hash of the new password might be exceeding the 128 character limit.
When the ChangePassword call fails, can you catch the exception to get details behind the reason of the failure?