public function beforeSave(){
$salt = "Acrec_$";
$hashed = hash('sha512', $salt . $this->password);
$this->password = $hashed;
}
I'm using a custom Salt and custom hash to encrypt the users password, but, now i need to log-in the users.
the Code inside loginAction();
$this->auth->check([
'email' => $this->request->getPost('email'),
'password' => $this->request->getPost('password'),
'remember' => $this->request->getPost('remember')
]);
In phalcon just use:
$password = $this->request->getPost('password');
$user->password = $this->security->hash($password);
And
$password = $this->request->getPost('password');
$user = Users::findFirst();
if ($this->security->checkHash($password, $user->password)) {
// any logic here
}
By default it's using bcrypt which has salts built-in.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Better yet use a function such as PBKDF2, Rfc2898DeriveBytes, password_hash, Bcrypt, passlib.hash or similar functions. The point is to make the attacker spend a substantial of time finding passwords by brute force.
Related
I'm trying to use Yii's generatePasswordHash() function, but I get a different hash with the same password, every time.
$this->password = Yii::$app->getSecurity()->generatePasswordHash($this->password);
Here 3 hashes created with the password "test":
$2y$13$wsvC4i8YMwKKHJ2K5iYRG.Z0KBetOh3BctVpJN5pVkXGOcW85hRkO ,
$2y$13$QfV2Qxlj4F5gUh1wIL2WUewoZ55CKYKevjRmRqrenxq8L5ym5xX9. ,
$2y$13$rDArvLa8hnpDGiiDdCs7be4iTsr2T3XMXmnapynuD1i1ekbz8zF4m
Anyone an idea what's happening?
EDIT:
When I try to verify with:
Yii::$app->getSecurity()->validatePassword($password, $this->password)
it returns false.
EDIT#2:
function looks like this:
public function validatePassword($password)
{
return Yii::$app->getSecurity()->validatePassword($password, $this->password);
}
$password is the input password and $this->password is the hash.
Strangely password_verify($password, $this->password) works, but Yii's verifier doesn't.
All hashes are correct. Because hash algorithms make different hashes for the same password. Where does the password variable come from in your code? It should be a password string not a hash.
$hash = "hashed version";
$password = "string password";
if (Yii::$app->getSecurity()->validatePassword($password, $hash)){
// password correct
}
Adding to efendi's answer.
Getting a different hash each time Yii's generatePasswordHash() function is run is normal behavour.
Validating the password against the hash requires the 'salt' from the 'hash'.
The first 22 characters after '$2y$13$' in the hash is the salt.
The validatePassword($password, $hash) function gets the salt from the hash, hashes the $password using the salt which should get the same hash as the $hash if the password were to be correct.
I have problem with password hashing. This is my controller
public function registerUser() {
$valid = Validator::make(Input::all(), array(
'pass' => 'required|min:5',
'pass2' => 'required|same:pass'
));
if($valid->fails()) {
return Redirect::route('register')->withErrors($valid)->withInput();
}
// $password = Input::get('pass');
if(Input::hasFile('photo')) {
$img = Input::file('photo');
if($img->isValid()) {
echo Hash::make(Input::get('pass'));
}else{
return Redirect::route('register')->withInput()->with('errorimg','image-error');
}
}else{
echo Hash::make(Input::get('pass'));
}
//return Redirect::route('register')->with('success','register-success');
}
Everytime I refresh my browser, the hashed pass is always change.
ex : if I put "qwerty" as pass, it should show
$2y$10$PPgHGUmdHFl.fgF39.thDe7qbLxct5sZkJCH9mHNx1yivMTq8P/zi
Generating a different hash every time is on purpose, because the Hash::make() method will generate a random salt. A random salt is necessary to securely protect the user's passwords.
To check an entered password against the stored hash, you can use the method Hash::check(), it will extract the used salt from the hash-value and uses it to generate comparable hashes.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = Hash::make($password);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = Hash::check($password, $existingHashFromDb);
That's because if you don't give a salt bcrypt creates one every time it hashes something.
Source
For Login :
$rows = $sql->fetch(PDO::FETCH_ASSOC);
$us_id = $rows['id'];
$us_pass = $rows['password'];
$us_salt = $rows['password_salt'];
$status = $rows['attempt'];
$saltedPass = hash('sha256', "{$password}{$this->passwordSalt}{$us_salt}");
For Register :
$randomSalt = $this->rand_string(20);
$saltedPass = hash('sha256', "{$password}{$this->passwordSalt}{$randomSalt}");
How can this sha256 encryption method be converted to bcrypt?
Password Hashing Using bcrypt
If you are using PHP 5.5 or later, you can use the built-in password_hash() function with the $algo parameter set to PASSWORD_BCRYPT to create bcrypt hashes. You can use this as so:
$options = array('cost' => 11, 'salt' => 'my_salt');
$hash = password_hash("my_secret_password", PASSWORD_BCRYPT, $options);
Migration
It's not possible to do a bulk migration from sha256 to bcrypt because you need the original plaintext data (password) which isn't available.
Typically, sites do a staged conversion where you convert users as they perform successful logins. For example:
create a field in your database for password has type, sha256 or bcrypt
upon login, verify the password using the type in the database
if sha256 and successful, create a new bcrypt entry using the entered password, store that and update the password type to bcrypt. On the next login, bcrypt will now be used for verification.
i'm sorry for the bad use of English... I'm having a problem with making a function that hashes my password with a salt(first time using a salt).
The problem is that I don't know how to really return the salted/hashed password from the function.
My code:
# Password hashing with a salt.
function hashing($stringPassword)
{
// Making a random uniq code as salt.
$salt = uniqid(mt_rand(), true);
$HASH512 = hash('SHA512', $stringPassword);
$hashPassword = $salt.$HASH512;
return $stringPassword;
}
And how I tried to test it:
<?php
$stringPassword = '482301';
hashing($stringPassword);
echo $hashPassword;
?>
Thank you for helping!
Your code is backwards. The salt has to be part of the password BEFORE you hash it. and then you need to return the hashed password AND the salt, so that you can do proper comparisons later.
function hashing($cleartext) {
$salt = uniqid(mt_rand(), true);
$hash512 = hash('SHA512', $salt . $cleartext);
return(array('hash' => $hash512, 'salt' => $salt));
}
$foo = hashing('letmein');
echo "Salt is: $foo[salt]";
Since you are hashing passwords, you should be aware that the SHA* algorithms are not appropriate to hash passwords. They are much too fast, instead you need a function with a cost factor like BCrypt or PBKDF2 where you can control the necessary time for the calculation.
PHP offers a dedicated function password_hash() to generate BCrypt hashes, for earlier PHP versions you can use the compatibility pack:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
I just discovered that my password-protected area is not that protected. Passwords are required to use digits. Now, if the password has the digits at the end, somehow the login is accepted as long as the a-z part of the password is correct. Why is that and how can I correct that? (PHP 5.4.28)
function generate_hash($password)
{
$salt = openssl_random_pseudo_bytes(22);
$salt = '$2a$%13$' . strtr($salt, array('_' => '.', '~' => '/'));
return crypt($password, $salt);
}
$bind = array(":email" => $email, ":password" => crypt($password, generate_hash($password) ) );
$results = $db->select("users", 'email=:email AND password=:password', $bind);
I don't know about the specifics of your problem, but you're using the hash completely wrong. To use crypt, you do the following:
On registration:
create a random salt
create the $salt argument in a proper format: $2a$xx$... (note: no %, that may contribute to the problem)
hash the password with crypt($password, $salt)
store the hash in the database
On login:
retrieve the password hash from the database based on the entered email
generate a hash using crypt($enteredPassword, $databaseHash)
compare the two hashes
You're not doing that at all. You should probably also use password_hash instead, which takes care of a lot of pitfalls in the usage of the raw crypt API.