I am using sha1 for my password security. I have stored password in this way in register.php
// secure password
$salt = openssl_random_pseudo_bytes(20);
$secured_password = sha1($password . $salt);
//Send it to mysql table
$result = $access->registerUser($username, $secured_password, $salt, $email, $fullname);
This all is working fine.
Problem is here:
In my login.php
$password = htmlentities($_POST["password"]);
$secure_password = $user["password"];
$salt = $user["salt"];
// 4.2 Check if entered passwords match with password from database
if ($secure_password == sha1($password . $salt)) {
//do something
} else {
//do something
}
I am always getting as password does not match.
where am I going wrong?
First is first. NEVER USE SHA OR MCRYPT TO STORE YOUR PASSWORD.
EDIT : The password_hash() function generates a long password hash, so make sure that your column in the mysql is a VARCHAR of 500 space
All these useless practises is the root reason why almost many websites get hacked. To tackle the situation, php did a lot of research and then at last came with the most secure function called the password_hash(). I am not more onto explaining about password_hash() here as there are already many documents on the internet.
You can always hash a password like this
<?php
$securePassword = password_hash($_POST['password'], PASSWORD_DEFAULT);
$query = $db->query('INSERT INTO users ......');
?>
And, to verify the password, you can simply use this function
<?php
$passwordHash = $query['password']; //Password from database
$userPassword = $_POST['password']; //Password from form
if(password_verify($userPassword, $passwordHash)) {
echo 'Password is correct, logged in!';
} else {
echo 'Password is wrong, try again';
}
?>
And, answer for your question.
PLEASE DON'T USE SHA OR MCRYPT OR BCRYPT. IF YOU WANNA GET YOUR WEBSITE HACKED, THEN CONTINUE. OR USE password_hash()
The reason you don't get the hash genereated each time because the openssl_random_pseudo_bytes() generates random numbers each time. So each time, during execution, the function returns different numbers and you get your sha result wrong and thus giving a FALSE alert.
PLEASE, AGAIN. I BEG YOU TO USE password_hash() FUNCTION
For more information on password_hash() and password_verify() :
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php
Related
I realize this is not as secure as it could be, but I want to do it this way.
I have this code which generates the password from a user's entry ($password)...
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$new_password = md5($salt . $password);
$new_password = $salt . $new_password;
This is how I'm trying to check against the saved password:
$split_salt = substr($saved_password, 0, 22);
$incomplete_password = md5($split_salt . $current_password);
$hashed_password = $split_salt . $incomplete_password;
if ($saved_password != $hashed_password) {
$error = "error";
} else {
//Validated
}
As far as I can tell this should work. However, I'm getting the error instead of the validation. Does this have something to do with MCRYPT not producing exactly 22 characters?
I know this is not what you want to hear, but your scheme is so utterly unsafe and a good solution is so simple to implement, that you should reconsider:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
Your actual problem is the salt, mcrypt_create_iv() will return a binary string and it can very well contain \0 characters. So it is pure luck if your approach works or not.
My login form isn't recognising existing users. The passwords I have stored in the database are encrypted using PHP's crypt() function. When the user registers their password is also encrypted and inserted into the database.
As you can see in the code below it checks to see if the password entered below matches, but whenever I enter in a password that is stored in the database with the corresponding username it says that the user does not exist.
I'm new to PDO and this is my first time using it, normally if I just use MySQL it works fine, but for some reason this isn't, I have changed the code a bit yet it still does not work. Anyone know why/where/what I'm doing wrong with the code.
include "connect.php";
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username=:username";
$statement = $db->prepare($sql);
$statement->bindValue(':username',$username,PDO::PARAM_STR);
if($statement->execute())
{
if($statement->rowCount() == 1)
{
$row = $statement->fetch(PDO::FETCH_ASSOC);
if(crypt($password, $row['username']) == $row['user_password'])
{
$username = $row['username'];
$email = $row['email'];
$_SESSION['username'] = $username;
$_SESSION['email'] = $email;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
exit;
}
else
{
include "error_login.php";
}
}
else
{
include "error_login.php";
}
}
if(crypt($password, $row['username']) == $row['user_password'])
Should be
if(crypt($password) == $row['user_password'])
To verify a password with its stored hash-value, you need to know the salt and the algorithm that was used to generate the hash-value before. This salt can be extracted from the stored hash-value, because crypt() stores it as part of the resulting string.
if (crypt($password, $row['user_password']) === $row['user_password'])
PHP 5.5 will have it's own functions password_hash() and password_verify() ready, to simplify generating BCrypt hashes. I strongly recommend to use this excellent api, or it's compatibility pack for earlier PHP versions. The usage is very straightforward:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
I'm trying to hash the password if you sign up on my website, but it doesn't work.
This is my code to hash the password upon signing up:
$escapedName = mysql_real_escape_string($_POST['user']);
$escapedPW = mysql_real_escape_string($_POST['password']);
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
$hashedPW = hash('sha256', $escapedPW . $salt);
Then I just insert it in a database (the hashed password and the salt).
For example, when I hash Sas, with the following salt:
abac7ad23185ad19967f0d13e962197962782f0b7ec32d9889c27a93a9e800fa
This is the hashed password:
8ca5c5f31fafbf382533dbcbfc22b3635d776ec7770c7eac58d8ef9f1fa3613c
But when I try to hash the password on log in, with the exact same password and salt, this becomes the hashed pass:
6eb4b16444f18cee19db32bd29a39970e3019c5b1972a982ae4cb9a59642dffc
This is the code I use to login:
$escapedName = mysql_real_escape_string($_POST['user']);
$escapedPW = mysql_real_escape_string($_POST['password']);
$saltQuery = mysql_query("SELECT salt FROM members WHERE user='{$escapedName}'");
while($result = mysql_fetch_assoc($saltQuery)) {
$salt = $result['salt'];
}
$hashedPW = hash('sha256', $escapedPW . $salt);
$sql = mysql_query("SELECT * FROM members WHERE user='$escapedName' AND pass='$hashedPW'; ");
while ($res = mysql_fetch_assoc($query2)) {
$username = $res['user'];
$PW = $res['pass'];
}
I hope it's not too much code and I also hope you will understand my question.
Sorry I can't comment but something tells me that there is a length restriction on the salt column in your database.
Example: The salt field might only allow a 64 characters while the generated salt might be longer therefore when you save the salt it gets trimmed which ultimately changes the hashed password.
If that's the case, you might want to trim the salt before saving it.
I'd advise using PDO to make queries against your database.
Your inputs to the hash function must be different for some reason or other.
Add log output messages that print your inputs before you hash for both use cases (create user and login). Also be sure to put quotes around the inputs in your logging to show whitespace issues.
Compare the raw inputs as well as the output of the hash function in both cases, and there will be a difference somewhere. If there is no difference, and the output of the hash is the same, then there is a problem in your query that is looking up the user in the login case.
Whatever you're doing, it's insecure if you WANT the hashes to be the same! See http://php.net/crypt for proper password hashing.
All you need:
function check_password($password) {
...//get db password to compare
if (crypt($post_password, $db_results[0]['password']) == $db_results[0]['password']) {
return true;
} else { return false; }
}
I am having problem with bcrypt hash method and mysql. I'm using the Bcrypt class from this answer.
I am creating login script and checking, if password is
correct. I am comparing password from input and hashed
password from DB.
$username= $_POST['username']; //username from input
$pass= $_POST['pass']; //username from input
$query= mysql_query("SELECT pass FROM users WHERE username='$username'");
$row= mysql_fetch_row($query);
$row[0];// hashed password, I echo $row[0] and it shows correct hashed password
$bcrypt = new Bcrypt(15);
$isGood = $bcrypt->verify($pass, $row[0]);
if ($isGood){
echo "Authentication succeeded";
}
else {
echo"Authentication failed";
}
Even $pass is correct, I always get 'Authentication failed'.
Any ideas, what can be wrong?
Thank you in advance.
The pass column in your users table is not wide enough to store the complete hash; it should be at least 60 characters wide, i.e. VARCHAR(60).
Btw, you should check out PasswordLib as well, written and maintained by ircmaxell, which also supports Bcrypt quite well.
Try something like this:
$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash($pass);
echo $hash.' =? '.$row[0];
And look if it's equal
if yes, try something like this:
var_dump($hash);
var_dump($row[0]);
Must be equal
Hey guy's i'm trying to make a login system which uses MD5 encryption for the password. I have the encrypting to work and all it's just for some reason when i enter the password "palmer" into the login page and click the login button i made it send me to a page where it tells me encrypted password and using "palmer" as the password it outputs this "Duncan Logged in using password 4844fd4088ef5278ad18f892808ebda8 - palmer". THe password in the database when encrypted is "4669a6b46c8d891b373cfcd664dff6". Why are the two passwords different? I am using the same Salt(the salt is "a123b123".
Below is my code which encrypts password on register:
$password = $_POST['password'];
$md5pass = md5($salt.md5($password));
Below is my login code.
<?php
session_start();
include('config/config.php');
$email = $_POST['email'];
$password = $_POST['password'];
$pass2 = md5($salt.md5($password));
$check = mysql_query("SELECT `email`,`password` FROM user WHERE (`email`='$email' AND `password`='$pass2')") or die(mysql_error());
$count = mysql_num_rows($check);
//if($count == 1) {
$_SESSION['user'] = strtoupper($user);
//header('Location: /panel/index.php');
echo("Duncan Logged in using password $pass2 - $pass");
//} else {
//$_SESSION['errormsg'] = "<div id='error'><strong>Error:</strong> Invalid Username or Password!</div>";
//header('Location: index.php');
//}
?>
you have to store your salt – and please, use a random salt, this way two users with the same password will get a different digest! – somewhere for later use:
$salt = sha1(getRandomSalt());
$digest = sha1($password.$salt).'$'.$salt; // use sha1 instead of md5
later you can check the provided password with the same salt:
list($stored_pw, $stored_salt) = explode('$', $stored_digest);
if($stored_pw == sha1($user_provided_pw.$stored_salt)) {
echo 'user provided correct password';
}
You should really use bcrypt for this. There is more on bcrypt on previous Stack Overflow post How do you use bcrypt for hashing passwords in PHP?
bcrypt is considered the most secure way to implement password hashing with salt because it is slow - much slower than an MD5.
Just a little comment to knittl's solution from above:
You need to replace the line
if($stored_pw = sha1($user_provided_pw.$stored_salt)) {
by
if($stored_pw == sha1($user_provided_pw.$stored_salt)) {
to get it working.
(I tried to add it to knittl's post, but it says edits need to be at least 6 characters long)