I have hashed password in my database. actually I have to convert this password to normal text.
Below is my password,
'6fad15b73f04cba8fd65da0d621fa42eff61001b'.
I have tried like below but its not working,
$enc = "6fad15b73f04cba8fd65da0d621fa42eff61001b";
$dec = base64_decode ($enc);
echo $dec;die;
Base64 encoding is something completely different than hashing.
You can read about base64 here:
https://en.wikipedia.org/wiki/Base64
And about hashing here: https://en.wikipedia.org/wiki/Hash_function
Or search the infromation by yourself (also recommend video about hashing from computherphile channel on youtube).
Long story short: there is no option to convert hashed text back to plain text. Thats the reason why we use that method to store password - only the author of a password can know the real value - nobody else (developers and someone who can stole passwords). The popular method used to break hashed password is called "brute force attack" and is based on comparing already known hashed values of popular passwords to existing ones in database.
Way of logging to application is most commonly based on hashing the password a user typed in during logging in and comparing if its value equals the value already existing in database. The plain value of password should not be stored in any kind of long term memory in application.
Its practically impossible for you to convert hashed password back.
Also I recommend to read about differences between encoding and encryption and hashing. Here is concise article about that: http://www.differencebetween.info/difference-between-encryption-encoding-and-hashing
A hash cryptographic function is a one way function which means that you can convert your password to a hash, but you can not easily convert your hash to a password.
Related
I use codeigniter a lot, however I am not really understanding why when I use the encryption library in version 3 the encryption string never comes out the same, even using the same salt/key.
So I have stored a user password as an encrypted string, which uses their own key to encrypt. The key is stored in the database. But when they come to login, and i want to encrypt the entered password to check the strings match, they never do match!
It seems the library always spits out different encrypted strings, no matter if the key is the same or not, how is this going to be useful if I can't match the stored encrypted password to the password they enter at login?
For example, password is 12456 with key a0956f251b9d957071005a2d11e4630a
SAVED PASSWORD IS: 0e6effa48949d6bf19e84530bc86e9a1407086b3b88fc368b6f8b7b53304b313eeebdb695c9cca10b3e7072f608bf4137e7fcc7d24fed54df2b6dcba3f94dcb6Tm05Qmay9G8JuUXps6UstWebmBmJ71BcIPgrW78OvSY=
PASSWORD GENERATED FROM USER LOGIN
6b893dac92155bc663b126b805c7189214ac4667b226f0c6fc22cf0c6bcca5e897c49961e8852ade1c3e85cbecab89df76ea7891727af6bf0bcc232b75d0d441LLUMZgOy4zLwAypuVQuK0lKTXrlXYptKpVdByytH2D8=
935c8f564c4a5ecb53510faa835eca8622069c34d534df6b9c2ea52de2d9bea5976128f6ff83a572ac677be4ebd690bc18e488518c2eed8b1b40a16c9e61d6b2hbKJ6B1VDuLPCXBeDDFzvrlSBIYCtN19M6dQGZRCvUE=
b8e020c7c10d564cfc3a9cc4d50b85ea3422422b73a2dd79930ead1fb601493279ba97645584d6dfa188e62f5eba5dc66d0dafdb7a82c08bf847bc84fc0718daSOVRrDlFmVMB/12ok9kR68ekXJcJvw0yfo/cnU9ojtI=
see they are different every time I try to encrypt the user input? It's not making any sense.
Likewise, if I try to decode the password in the database, with the same key it was encrypted with, I get nothing back, no decrypted password.
So, does anyone know what is going on here?
Randomized encryption is a security property necessary to achieve semantic security. If the encryption would not be randomized then an attacker might detect whether (prefixes of) messages were previously sent only by observing the ciphertexts. You generally don't want the attacker to know anything about the plaintexts except the length.
An encryption function has always a corresponding decryption function. It seems that you're only using one way of the two functions. You should never encrypt your user's passwords. You need to use hashing instead with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way function, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: How to securely hash passwords?
Codigniter documentation:
DO NOT use this or any other encryption library for user password
storage! Passwords must be hashed instead, and you should do that via
PHP’s own Password Hashing extension.
http://www.codeigniter.com/userguide3/libraries/encryption.html
Fully explained here:
http://php.net/manual/en/faq.passwords.php
Try the md5 encryption its good and best till now.
In controller before send password like this:
md5($this->input->post('password));
or use hash() or SHA256/SHA512 they do it well.
It will do the trick.
Enjoy!
I use codeigniter a lot, however I am not really understanding why when I use the encryption library in version 3 the encryption string never comes out the same, even using the same salt/key.
So I have stored a user password as an encrypted string, which uses their own key to encrypt. The key is stored in the database. But when they come to login, and i want to encrypt the entered password to check the strings match, they never do match!
It seems the library always spits out different encrypted strings, no matter if the key is the same or not, how is this going to be useful if I can't match the stored encrypted password to the password they enter at login?
For example, password is 12456 with key a0956f251b9d957071005a2d11e4630a
SAVED PASSWORD IS: 0e6effa48949d6bf19e84530bc86e9a1407086b3b88fc368b6f8b7b53304b313eeebdb695c9cca10b3e7072f608bf4137e7fcc7d24fed54df2b6dcba3f94dcb6Tm05Qmay9G8JuUXps6UstWebmBmJ71BcIPgrW78OvSY=
PASSWORD GENERATED FROM USER LOGIN
6b893dac92155bc663b126b805c7189214ac4667b226f0c6fc22cf0c6bcca5e897c49961e8852ade1c3e85cbecab89df76ea7891727af6bf0bcc232b75d0d441LLUMZgOy4zLwAypuVQuK0lKTXrlXYptKpVdByytH2D8=
935c8f564c4a5ecb53510faa835eca8622069c34d534df6b9c2ea52de2d9bea5976128f6ff83a572ac677be4ebd690bc18e488518c2eed8b1b40a16c9e61d6b2hbKJ6B1VDuLPCXBeDDFzvrlSBIYCtN19M6dQGZRCvUE=
b8e020c7c10d564cfc3a9cc4d50b85ea3422422b73a2dd79930ead1fb601493279ba97645584d6dfa188e62f5eba5dc66d0dafdb7a82c08bf847bc84fc0718daSOVRrDlFmVMB/12ok9kR68ekXJcJvw0yfo/cnU9ojtI=
see they are different every time I try to encrypt the user input? It's not making any sense.
Likewise, if I try to decode the password in the database, with the same key it was encrypted with, I get nothing back, no decrypted password.
So, does anyone know what is going on here?
Randomized encryption is a security property necessary to achieve semantic security. If the encryption would not be randomized then an attacker might detect whether (prefixes of) messages were previously sent only by observing the ciphertexts. You generally don't want the attacker to know anything about the plaintexts except the length.
An encryption function has always a corresponding decryption function. It seems that you're only using one way of the two functions. You should never encrypt your user's passwords. You need to use hashing instead with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way function, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: How to securely hash passwords?
Codigniter documentation:
DO NOT use this or any other encryption library for user password
storage! Passwords must be hashed instead, and you should do that via
PHP’s own Password Hashing extension.
http://www.codeigniter.com/userguide3/libraries/encryption.html
Fully explained here:
http://php.net/manual/en/faq.passwords.php
Try the md5 encryption its good and best till now.
In controller before send password like this:
md5($this->input->post('password));
or use hash() or SHA256/SHA512 they do it well.
It will do the trick.
Enjoy!
Below i had encrypted a string varible using sha1. And now i would wish to decrypt data using sha1 function, but am going some where. Would some one come forward and guide me in proper way please.
Below is my code
<?php
$variable = "tiger";
echo $variable;
$encrypt = sha1($variable);
echo $encrypt;
$decrypt = sha1($encrypt);
echo $decrypt;
?>
And i get output like this
tiger
46e3d772a1888eadff26c7ada47fd7502d796e07
989df2c8b5ea37eb7cfde0527d94c01a15257002
SHA-1 is an one-way hash function.
According to wikipedia
A cryptographic hash function is a hash function which is considered
practically impossible to invert, that is, to recreate the input data
from its hash value alone.
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Thus you simply can not decrypt it.
simply you can use custom encoding decoding for your password if not then you can use base64_encode() to store in db and base64_decode() for using in profile etc
SHA1 cannot be derypted easily.
The only way through it is a brute-force cracker.
They're widely available online like: http://md5-sha.com/md5-encrypt-hash-generator-online
Those websites have a large database of already hashed passwords which can be very useful.
Hope it helps, have a nice day.
SHA1 hash can't be derypted but you can try online on many different sites which have hug database of password and it's SHA1 hash. So you can try below online tools :
SHA1 Decoder Online
SHA1 tool
You cannot decrypt it.
Hashing is one way only - MD5 and SHA-1 both are one-way hash functions.
You have to create new hash of the input at the login form and check if it is equal to the stored hash.
SHA-1 can't be decrypted directly. This is the idea behind it: encryption that can't be decrypted easily.
The only way to solve it is brute-force: Try to guess the correct result by encoding phrases and checking if they fit the provided phrase.
If you want to use SHA-1 for stuff like logins: Encode the entered password in SHA-1 as well and check if it's the same as one saved in SHA-1.
In short sha1() CAN be decrypted. However only fairly simple strings can be. A password with numbers, upper and lower case and special characters will prove difficult but the likes of Password12345 can be decrypted via -
https://md5hashing.net/hash/sha1
***Bit more research. sha1() does not ever change how it encrypts the characters - so for example "MyPassword that was encrypted with sha1() 6 years ago STILL gives the output of "daa1f31819ed4928fd00e986e6bda6dab6b177dc" today in 2020.
These values are obviously stored in the above website and as time goes on the library of recognised passwords grows.
If you can't decrypt and you want to show the value then use this method.
Example you are creating login form with password encrypted and want to show password to user after login in their dashboard.
then create two columns one column is for encrypted_password and one for not_encrypted_password,
$not_encrypted_password="password";
$encrypted_password =sha1("password");
$sql = mysqli_query($conn,"INSERT INTO user (not_encrypted_password,encrypted_password)VALUES('$not_encrypted_password','$encrypted_password')");
in this way you can use login for column encrypted_password and to show password in dashboard for user use column not_encrypted_password.
I was researching about hashing and storing passwords to database on PHP.NET.
This site said:
If you are for example storing the data in a MySQL database remember that varchar fields automatically have trailing spaces removed during insertion. As encrypted data can end in a space (ASCII 32), the data will be damaged by this removal. Store data in a tinyblob/tinytext (or larger) field instead.
which of this suggests are better? or may be I have to ask: Is one of them better? and if the answer is yes, which?
and finally how should I store passwords to db using PDO. I thought I can write information to a blob row just like files, but if I get the values from input, which method or function have to used?
Would you explain about please?
When storing hashed passwords, then whitespace removal is a non-issue:
You never store the passwords themselves, but the output of a hash function instead.
This hash function produces fixed-size output (or you are likely using a reversible encryption algorithm).
The output of most hash functions is already fixed-sized plaintext[1] that doesn't include any spaces. Otherwise, you are probably using a hash function not intended for password hashing.
The fixed-sized salt is stored along with the hash output (Password hashing functions which are aware of salting usually output the salt with the hashed password).
If you want to be flexible and be able to upgrade to a better hash function in the future, you also have to remember which hash function was used. It is recommendable to use plaintext[1] for this information, which makes the complete record variable-length. RFC 2307 describes such a possible plaintext[1] storage scheme.
Passwords should be hashed with a modern and proven key-stretching algorithm, but not with cryptographic hash functions like SHA-256 or MD5. Suitable algorithms include PBKDF2, bcrypt, or scrypt.
For example, hashing the string "pass phrase" with bcrypt and a new salt may produce
$2a$12$PuYHvYwgKeD.hQ1Dv6nLQuxUkv5zP3lYLPHqdMOzgwPVaGGSAs07u
`-----'`-----------······· ·········-------'
algorithm random salt password hash
parameters
The whole string can be used as salt, as the actual password hash will be cut off and not be used as salt.
Recommended workflow for validating a login attempt:
The user provides an username and password. Be careful to handle Unicode normalization and encodings.
The hashed password is fetched from the DB based on the username.
The hashed password is parsed to determine the algorithm used.
The correct algorithm is invoked with the user password as input with the hashed password as salt.
If the two hashes match, then a correct password was provided by the user.
Recommended workflow for setting a new password:
If the user already exists, authenticate him.
Obtain a new password from the user. Take care to handle Unicode normalization and encodings. Give the user feedback on the strength of his password (but do not frustrate the user with silly requirements like forbidden characters or restrictive maximal lengths).
Create a new salt, which must not depend on user input like the password or user names.
Pick a strong password hashing function and hash the password with the new salt.
Update the DB to store the new password along with an identifier for the hash function.
Further comments:
Encrypted data is binary data, and should not be stored as text (use a blob instead).
Hashes are usually often represented as plaintext and not as binary data because text is easier to store.
In many scenarios you can use OpenID instead of implementing your own authentication. E.g. Stack Exchange offers login with OpenID. Because I use this option, I never had to disclose a password to SE.
I have no cryptographic background. Information Security is frequented
by people who understand more of the matter.
[1] Here, “plaintext” means printable ASCII characters. It does not refer to the clear text of a password.
I'm making a registration form, my only doubt is how to handle passwords (how to insert them into MySQL database). I don't have the slightest idea on how to do it, what type of column must Passwords be, whether I must encrypt them somehow, etc. Could you provide a basic example with explanation so that I manage to do it?
You don't want to store the password as-is in plaintext. You don't even want to be able to know what the password is. Therefore, you store a hash of the password in your database. When the user wants to log in, you hash the password he's trying to login with, then compare that to the hash in the database. Any serious password storage system furthermore salts the hash to prevent rainbow table attacks against the password (google that). Since this is a rather complex topic and you apparently have no experience with it at all, I recommend you use phpass to hash and salt your passwords without worrying about the implementation details. The phpass site also has some good introductory articles about the topic. Here's another one that keeps it really simple.
As for the database, that'll just be a normal VARCHAR field long enough to hold the hash.
Read this: http://codahale.com/how-to-safely-store-a-password/
Then do this: http://www.openwall.com/phpass/
You should not store password, password hash only.
Database type should be choose after you will choose hasfunction.
For md5/sha512 it will be char(32) if you will keep hex representation
Query is something like this:
"INSERT INTO users SET otherFields,pass_hash='".hashFunc($_POST['password']."';
where hashFunc generates hash ex
function hashFunc($pass){
$salt='something';
md5($salt . $pass);
}
The only way to safely secure a password is using a Moore's Law-defeating hash function. Use bcrypt!
One of the ways it can be done is by using md5. You convert the password to md5 and put it in the database (md5 encryption is one-way) when the user logs in again you convert the filled in password again and check if the converted password is somewhere to be found in your database (in combination with a username usually).
EDIT
You can make a string into an md5 string with this:
$converted_pass = md5($unconverted_pass);
However you will need to add a so called salt-key to the password before you encrypt it with md5. This is a set of letters/numbers etc. If you do this every time you will have the same result but it will be quite safe :)