I plan to migrate a system developed with PHP Laravel that hashed users password with bcrypt, so just wanted to know is there anyway to convert them somehow in order to make new NodeJS system (with bcrypt) to reuse the current password fields? or the only way forward is to ask user to reset passwords?
Are you asking if the hashed password data (stored on the server, for example) can be used in another bcrypt implementation in node, or something else?
Using modules in node should work with the existing password data (as someone already suggested), but remember to use the same exact salting method and options as the previous bcrypt implementation in PHP, obviously, so that bcrypt generates the same data as before. As long as all options and input into bcrypt are the same, the bcrypt implementation in node should produce the same results and be able to be used.
Using the bcrypt or bcryptjs modules in node with the existing passwords should work just fine.
Related
Use SHA512 as encryption in Multicraft panel (which you can change the settings for MD5), but I need to use an older version of the same database. This old version did not have the option to encrypt with SHA512, but only with MD5. Thus, all passwords are invalid with MD5.
It's possible convert all SHA512 passwords in MySQL database to MD5?
SHA512 and MD5 are hashes, not encryption algorithms. By design, they are not reversible.
The only way to convert these values is to wait for each user to log in, validate their password against the existing SHA512 hash, and rehash¹ their input with MD5. This is the reverse of how password hashes are updated to more secure standards.
But please, please, don't do this. MD5 is hopelessly broken. You would be doing your users a huge disservice to revert from SHA512 to MD5. Find a way to use the newer version of your software.
¹As noted by zaph in a comment, "rehashing" is an oversimplification, and depending on how your panel is actually implemented it might be using insecure password storage today.
To provide reasonable security each password must also have a unique random salt (which protects against things like rainbow tables) and each hash must be iterated enough times to make brute forcing impractical. As computers get more powerful the number of iterations must be increased. Today it is common to iterate tens or hundreds of thousands of times.
Cryptography is shockingly difficult to get right. Instead of trying to follow all the best practices manually, use libraries and functions that operate at the right level of abstraction and have been audited for security. An algorithm like bcrypt (via PHP's built-in password_hash function, where it is currently the default algorithm) would be a good choice.
Short answer: No.
Long answer:
By design, both MD5 and SHA512 are one-way hashes. In order to convert SHA512 to MD5, you would need to know both the original password for every password your are trying to convert, and also the salt that was used to encrypt them. You almost certainly wouldn't know every password for every one of your users.
One-way hashes work by actually casting the same algorithm every time a user logs in. The user types in their password, the algorithm is applied to it, and if it perfectly matches the copy in the database that has already been hashed, then the user is logged in. You can't use any sort of algorithm to work out what the original password was, only to compare if the output of applying a specific password would be to a password that is already encrypted.
MD5 is also a far weaker hashing algorithm than SHA512. Converting to MD5 would make your password far less secure, and this would be something that you probably wouldn't want to do. Instead, you should be looking at a way to incorporate the new database system.
As everyone know that Drupal store password using SHA2 method which involves Encryption + Hashing + Salt on it.
I have a list of passwords which are currently used by some of my clients in Drupal. Since we have migrated the whole system to Custom PHP therefore we are unable to use the same passwords. And we really don't want to ask everyone in the database to generate a new passwords.
If there is any way, where we could change all the passwords which are in SHA2 (Drupal - 512 Encryption) to support our new system which is currently having MD5/SHA1 (PHP Mysql database).
Any help would be appreciated.
You really do not want to go to MD5. It's dead as far as a password hashing method goes. You should be moving to password_hash and something like Bcrypt at the absolute minimum.
Remember, when someone logs in and you verify their password is correct that's your chance to update how the password is hashed in the database. If they're using a weak method, switch to a strong one and save their user record. Nobody will know what you've done.
After a year or so you can always force-expire all the old-format passwords if you're concerned about that lingering liability. All of your active users will be unaffected.
I wouldn't suggest changing to another password format and especially not MD5. Since you already have the passwords you can implement the Drupal password hashing in your own application and just continue using the existing passwords.
More information about the password formats can be found for example in this question.
I think you should use a 'transition'. For example use your new system but let the old password in the database.
In your code, on user login you get the password (ex: $_POST['pwd']), and crypt it using a strong algorithm (not MD5). Then, you can insert it in a new field of your database.
So, your new database could have a field 'old_pwd' that contains the old password and a field 'pwd' that contains the new password using your new algorithm. According to me this is the easiest to do this migration.
Password checking code is pretty similar in Drupal 7 and 8 and easy to borrow, it does not have any strong dependency on Drupal component. It should be pretty easy to add support for Drupal's hashes to your password checking code. Allowing use to authenticate using their password by storing Drupal's hashes in your database.
To migrate to your new hashing algorithm, simply re-hash passwords on successful authentication. This way, old hashes will be replaced over time.
Drupal has a similar mechanism to ensure transparent updates or old MD5 hashes. Look at the user_check_password() and user_needs_new_hash() to see how it could be done.
I am using Laravel's Hashing functionality to store encrypted passwords in the table.
I know that I can use Hash::check function to check if a plain password matches the encrypted password, But is there a way to retrieve all users from the database that have a given password without actually getting all users and then comparing each one's password using the Hash::check function?
Edit:
The usecase is that I want to know how many users use a given password.
Not without fetching all users and checking each individually. Laravel's password hashing uses bcrypt (as does PHP's native password_hash / password_verify), which is specifically engineered to make this sort of thing difficult to do (for security / protection) - it uses a different salt every time so no two hashes are the same even if the passwords are identical.
I don't know if there's such function in Laravel's hashing but seems unlikely because hashes, by definition, doesn't have 1-1 relation with the plain password.
I mean, multiple passwords can have the same hash, and if it Laravel Hashing uses salt (wich is likely because is a basic security pattern), the same password doesn't even have the same hash for all users.
It's unlikely to have such functionality, but in case it has, you can be sure that, under the hoods, it will do exactly the same that you have said: loop the users and use Hash::check on each one. Because hashing is intentionally designed in order that's the only way to do that.
I've been hired to rebuild a actively used application that was built on CodeIgniter 1.7.3 (on a PHP 4.2 server) using Laravel 4 on a new PHP 5.3 server.
The system has about ~500 users whose passwords are encrypted with a salted SHA-1 hash. I'd like to use bcrypt to increase the application's security as well as to integrate with Laravel 4's authentication system.
How would you suggest migrating these users passwords?
The whole point of a hash is that you can't recover the original password.
You have three options:
Store bcrypt hashes of the SHA1 hashes, then SHA1 hash each password before bcrypting it on every login.
This may not be a good idea.
Upgrade each hash next time that user logs in. (so that you have the plain text to hash)
This is the best option, but you need to keep your SHA1 hashes and transition code until every single user logs in
Reset every user to a random bcrypted password and force them all to use Forgot Password to change it back.
You probably don't want to do this
Add a column to your database that tells the system which hashing algorithm has been used
On login, check the credentials as normal
If they're using the old one and login is successful - bcrypt the password they entered and update their password and algorithm in the database.
You could create a random password for each user and send out a notification email to everyone with their new password. But this will result in confusion if a user doesn't see the email.
I recommend that you add another db field for the bcrypt value and then create an entry when a user logs in for the first time after the change. You can use either a separate field or delete the old hash to keep track.
When your active users have migrated, feel free to use the random password approach for the rest of your userbase to finish the migration.
I was looking about best practice for password protect, everybody are talking about bcrypt and others hashing classes. But I can't get how To verify password if it contains unique random salt .
For cookies its fine, but without em - each time would be unique crypted value, how can I verify users password with random values? Oo . Or bcrypt only for cookies?
Then what I should do with password in db?
Please describe to me my mistakes - what I've lost when learning about it.
The bcrypt algorithm creates a random salt that is stored as part of the hash in a standardised way.
See How do you use bcrypt for hashing passwords in PHP? for a working example.
See also:
Secure hash and salt for PHP passwords
(edited heavily since my answer was wrong before)
There will be a group of function in the next php version, for details see the accepted RFC.
Anthony, the author of the RFC and the patch was kind enough to provide a compatibility library written in php so you can start using this new functionality now!
Behind the scenes it uses crypt with the strongest algorythm currently known.