How to show hashed password - php

I have successfully hashed the password users register on my website, and by using the password verify function I can check their original password against the hashed one and allow them to log in. But on their My Account page, I want them to see their original password, and it shows the hashed password instead. Is there a function that would convert the hashed password to its original on the My Account page?

I have successfully hashed the password users register on my website and by using password verify function
Good. Then you ask:
I want them to see their original password but it shows the hashed password in their My Account page. Is there a function that would convert the hashed password to its original on the My Account page?
No you can't do that or it kills the whole purpose of hashing.
So in other words, users cannot update their password, right? Because I have an update info page too.
To be able to update their password they don't need to see it, they just need to know it.

Hashed passwords cannot be retrieved in general (this depends on the hashing function; secure hashes cannot be retrieved). If they have the same hash on two sites, they could have the same password; this depends on the hash salt used by the sites, the method, etc.

There is no way to get the password back from the hash. If you wish the user to update the password while confirming the old password, get the old password as an input entry along with the new password and compare the hash value of that with the value stored in the database. If the hash value of the old password is the same as that in the database, then allow the user to update the password. Else, alert that the old password is wrong.

md5 and sha1 are one-way; you are probably using one of them (just a guess). If you need two-way, you can simply use mcrypt_encrypt and mcrypt_decrypt.
But I would not suggest showing passwords to the user:
For Change Password: you can simply ask the user for their old password and new password, encrypt the old one and match it with the encrypted password stored in the database; if they match, update the new encrypted password in the database for the respective user.
For Forgot Password: you can generate a token for that particular user and send it as a parameter in a link (Reset Password) to their desired email address, and when they use that link you will get the token to verify, and then store the new encrypted password in your database.
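The Change Password and Forgot Password flows described in this answer, as an added example that is not code from the thread; it uses password_hash()/password_verify() rather than reversible encryption, and the `$users` array is a constructed in-memory stand-in for the users table.

```php
<?php
// Added example, not code from the thread: the Change Password and Forgot Password flows
// described above, on top of password_hash()/password_verify(). $users is a constructed
// in-memory stand-in for the users table; the plaintext password is never stored or shown.

/** Registration: only the hash is stored. */
function register(array &$users, string $username, string $password): void {
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

/** Login: the submitted password is checked against the stored hash. */
function login(array $users, string $username, string $password): bool {
    return isset($users[$username])
        && password_verify($password, $users[$username]['hash']);
}

/** Change Password: the user proves the current password; then only the new hash is kept. */
function change_password(array &$users, string $username, string $old, string $new): bool {
    if (!login($users, $username, $old)) {
        return false; // wrong current password: refuse, and nothing about it is revealed
    }
    $users[$username]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

/** Forgot Password: a random single-use token goes in the e-mail link; only its hash is stored. */
function issue_reset_token(array &$users, string $username, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));
    $users[$username]['reset'] = ['hash' => hash('sha256', $token), 'expires' => time() + $ttl];
    return $token;
}

/** Reset: the token from the link must match, be unexpired, and is consumed on use. */
function reset_password(array &$users, string $username, string $token, string $new): bool {
    $r = $users[$username]['reset'] ?? null;
    if ($r === null || time() > $r['expires'] || !hash_equals($r['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($users[$username]['reset']);
    $users[$username]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

$users = [];
register($users, 'alice', 'correct horse battery');
var_dump(login($users, 'alice', 'correct horse battery'));
var_dump(change_password($users, 'alice', 'wrong guess', 'new secret'));
var_dump(change_password($users, 'alice', 'correct horse battery', 'new secret'));
$token = issue_reset_token($users, 'alice');
var_dump(reset_password($users, 'alice', $token, 'after reset') && login($users, 'alice', 'after reset'));
```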

If you want to see passwords from an admin panel, you don't need to hash the password. Simply encrypt the password using the openssl_encrypt() function, and then to see the password you can use the openssl_decrypt() function.
//You can use the following code...
<?php
// Store the string which needs to be encrypted
$simple_string = "Welcome to Sidedevelopers";
// Display the original string
echo "Original String: " . $simple_string . "\n";
// Store the cipher method (Blowfish in CBC mode)
$ciphering = "BF-CBC";
// IV length the cipher requires (8 bytes for BF-CBC)
$iv_length = openssl_cipher_iv_length($ciphering);
$options = 0;
// random_bytes() gives a fresh random IV; keep it next to the
// ciphertext, because decryption needs the same IV
$encryption_iv = random_bytes($iv_length);
// Derive the key (here from php_uname(); the same value must be
// available again at decryption time)
$encryption_key = openssl_digest(php_uname(), 'MD5', TRUE);
// Encryption of the string
$encryption = openssl_encrypt($simple_string, $ciphering,
$encryption_key, $options, $encryption_iv);
// Display the encrypted string
echo "Encrypted String: " . $encryption . "\n";
// Decryption: the key and IV must be the ones used for encryption;
// a new random IV here would not decrypt the data
$decryption_key = openssl_digest(php_uname(), 'MD5', TRUE);
// Decrypt the string
$decryption = openssl_decrypt($encryption, $ciphering,
$decryption_key, $options, $encryption_iv);
// Display the decrypted string
echo "Decrypted String: " . $decryption;
?>
Output:
Original String: Welcome to Sidedevelopers
Encrypted String: hwB1K5NkfcIzkLTWQeQfHLNg5FlyX3PNUA==
Decrypted String: Welcome to Sidedevelopers

Related

I hash or encode my password using hash sha256 in PHP. I want to decode it. I don't use any key or salt

I am hashing my password using the method below in PHP:
$password = hash('sha256', '123');
Now I want to decode it; how is it possible? I don't use any key or salt.
<?php
$password = hash('sha256', '123');
echo $password;
$decoded = base64_decode($password);
echo $decoded;
?>
base64_decoding means decrypting a file using the base64 algorithm. This is called encrypting.
Hashing is a different case. When hashing, what you hash cannot be recreated.
So the purpose of hashing is to check the integrity of a file, in this case the password.
That means if you hash a password at registration, you will save the hashed part in the password field as the password.
Now when you re-check it, you need to check by hashing the user input password again against the value in your database. So
use the code below:
// hash a password and store it in the database
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// here $password is the user input at login and $hashed_password is the hash
// from the database for the user trying to log in
if(password_verify($password, $hashed_password)){
}else{
//throw error msg
}

How to decrypt a "sha512" encrypted variable?

I have this code:
$password = 'vancab123';
password_hash(base64_encode( hash('sha512', $password, true) ), PASSWORD_DEFAULT );
Database stored value:
$password = '$2y$10$jUa8ZEFBX5lfsBmySUnJFeSSyKwQ1v/emazJZPh8MwJ0g0lLbmjYC';
My Problem:
I used that on a "remember me" function. If the user uses that function, his/her credentials (email and password) will be saved for 7 days using a cookie.
My problem is that because the email and password will automatically fill up the email and password text boxes, the password text box content is too long because it was hashed.
How can I match the length of the hashed password to the original/unhashed password?
And you don't need to jump through all those hoops to use password_hash. This is how to check that an entered password matches the previously hashed password.
The point of a HASH is that it cannot (within a sensible time frame) be converted back to its original value. Instead you have to compare it, using password_verify(), to the unhashed value the user enters when they return and attempt to log in using the same password.
$password = 'vancab123';
$hashed_pwd = password_hash($password, PASSWORD_DEFAULT); // the algorithm argument is required
// test the hashed password
if ( password_verify($password, $hashed_pwd) ) {
//password entered is OK
} else {
//password entered is WRONG
}
ADDITION after you clarified your question:
Read this for a Remember me functionality What is the best way to implement "remember me" for a website?
A hash is a one way transformation of an arbitrary value. They are by nature irreversible. In your case you will have to hash the password provided by the user, retrieve the value from the db, and do the comparison of both hashed values.
The only alternative would be the paradigm behind a rainbow attack, in which you hash every conceivable possibility and store them as key value pairs, but that is a lot of data.

Matching user's password with hashed password stored in DB

Somebody should please guide me on how I can fetch the hashed password from the database and match it with the password entered by a user when logging in.
I used the PHP crypt() function with the bcrypt algorithm to hash the password when registering the user.
Thank you all in advance.
From the documentation:
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
You need to pass in the original hash, otherwise crypt will generate a random salt and the passwords are very unlikely to match. I.e.
//BROKEN - will almost always print "Bugger off!".
$hash = crypt('Hello world');
$attempt = crypt('Hello world');
if($hash === $attempt){
echo "Access granted!";
}else{
echo "Bugger off!";
}
You don't need to "fetch" the hash from the database; you just hash the given password (from a login attempt, I assume) and match THAT hash against the password column of the database. If a match is found where the password column matches the hash that you just made AND the username is a match, then the password is valid.
Thank you all. If I really get your explanations, you mean I should hash the incoming password from a user attempting to log in and then compare the hash value with the one in the DB.
EXAMPLE
$salt = '...'; // the bcrypt algorithm format, cost parameter and salt go here, the same as the one used at registration
$coming_pass = crypt($password, $salt);
// bind the values instead of interpolating them into the SQL string
$stmt = $mysqli->prepare('SELECT id FROM user WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $username, $coming_pass);
$stmt->execute();
You just send the unencrypted password into the same crypt process as you did with the encrypted password, then they should match.
PHP has built-in options to do that; look at Creating a Hash and Verifying a Hash.
pseudo-code
hashed password = hp
plain text password = p
seed (Random Number generated by server) = s
hash algorithm (md5, sha1, sha256, ...) = hash
Example with Seeded Hash
hp = hash(p + s)
The order in which you add the seed is not important, as long as you do it the same way every time, by concatenating the password and the seed.
Example without Seeded Hash
hp = hash(p)
You will need to save the hp and the seed; the p should NEVER be saved by the server, as plain-text passwords are a security issue.
C# Code Example:
static public bool IsPasswordCorrect(string hp, string seed, string enteredPassword)
{
return (hp == Sha1(String.Concat(enteredPassword, seed)));
}
this way you have no direct way to get the password from the database, and only the actual Client will have the Plaintext Password.
if you want a 2-way encryption algorithm, you will need to look at RSA, but it is way more complicated and requires a lot of knowledge to make secure.

How to match username with encrypted password on login [duplicate]

This question already has an answer here:
How to check a mysql encrypt value with a salt in PHP?
(1 answer)
Closed 9 years ago.
I would like to encrypt some passwords and put them in a database. How do I keep this stuff in a database so I can retrieve the data if the owner matches?
Example
<?php
// some validations and other stuff
$data = $_POST['input'];
$hash = crypt($data);
//then database insert code
?>
If I echo the $hash, it's giving me some encrypted data, but when I refresh the page, the numbers change from time to time. How do I keep the data static? How will I tell the encrypted password that this was the owner when the username and password are entered?
Example
<?php
//time of encryption
$name = "someone";
$pass = "p1x6Fui0p>j";
$hash = "$pass"; //outcome of $hash e.g. $1$aD2.bo0.$S93XNfgOFLskhis0qjE.Q/
// $hash and $name inserted in database
?>
When the user tries to log in with correct details, how will I tell that $hash "$1$aD2.bo0.$S93XNfgOFLskhis0qjE.Q/" was equal to $pass "p1x6Fui0p>j"?
crypt() has an unfortunate name. It's not an encryption function, but a one-way hashing function.
If you're using PHP 5.5+, just use password_hash and password_verify:
$hash = password_hash($data, PASSWORD_BCRYPT); // Bcrypt is slow, which is good
And to verify the entered password:
if (password_verify($pass, $hash)) {
// The password is correct
}
Now to answer your actual question: the purpose of password hashing is to authenticate users without actually storing their plaintext passwords. If hash(a) == hash(b), then you can be pretty sure that a == b. In your case, you already have hash(a) ($hash), so you just need to hash the inputted password and compare the resulting hashes.
crypt() does this for you:
if (crypt($pass, $hash) === $hash) {
// The password is correct
}
From the php crypt page
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
You are not using your own salt, so for every call salt is automatically generated, and salted password is hashed. To get the same hash from this password, you need to run crypt with exact salt that was generated during first run.
Generated salt varies depending on algorithm used for hashing, but from your example it's MD5, and salt is delimited by first and third dollar sign inclusively:
$hash = '$1$aD2.bo0.$S93XNfgOFLskhis0qjE.Q/';
// \ salt /
So to get Exact same hash you need to call crypt($pass, '$1$aD2.bo0.$');
Remember that if you want to use your own salt, it needs to be in the proper format for the given algorithm. For best results use the PHP 5.5+ password_hash mentioned by @Blender, and for older PHP versions there is the password_compat library; with this you don't have to worry about the proper salt format.
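The salt-reuse behaviour of crypt() described in this answer, as an added example that is not code from the thread: the stored hash (or just its "$1$salt$" prefix) is passed back in as the salt, and a legacy MD5-crypt hash is moved to password_hash() once the user logs in. The salt `$1$aD2.bo0.$` is the one quoted in the question; the helper names are mine.

```php
<?php
// Added example, not code from the thread: crypt() takes the salt from the stored
// hash itself, so the full hash (or just its "$1$salt$" prefix) is what to pass back in.
// It also shows moving such a legacy hash to password_hash() at the user's next login.

/** Return the "$1$salt$" prefix of an MD5-crypt hash or the "$2y$cost$salt" prefix of bcrypt. */
function crypt_salt_prefix(string $hash): string {
    if (preg_match('/^\$1\$[.\/0-9A-Za-z]{1,8}\$/', $hash, $m)) { return $m[0]; }
    if (preg_match('/^\$2[aby]\$\d{2}\$[.\/0-9A-Za-z]{22}/', $hash, $m)) { return $m[0]; }
    throw new InvalidArgumentException('unrecognised crypt() hash format');
}

/** Legacy check: re-run crypt() with the stored hash as the salt and compare in constant time. */
function legacy_verify(string $password, string $hash): bool {
    return hash_equals($hash, crypt($password, $hash));
}

/** Verify against whatever is stored; on success, upgrade old formats to the current default. */
function verify_and_upgrade(string $password, string &$stored): bool {
    $algo = password_get_info($stored)['algo'];     // null/0 for hashes password_hash() does not know
    if (empty($algo)) {
        if (!legacy_verify($password, $stored)) { return false; }
        $stored = password_hash($password, PASSWORD_DEFAULT); // rehash now that the plaintext is at hand
        return true;
    }
    if (!password_verify($password, $stored)) { return false; }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample: an MD5-crypt hash made with the salt quoted in the question.
$legacy = crypt('p1x6Fui0p>j', '$1$aD2.bo0.$');
echo "stored: $legacy\n";
echo "salt prefix: ", crypt_salt_prefix($legacy), "\n";
var_dump(crypt('p1x6Fui0p>j', crypt_salt_prefix($legacy)) === $legacy); // reusing the prefix reproduces the hash
var_dump(legacy_verify('wrong', $legacy));
$stored = $legacy;
var_dump(verify_and_upgrade('p1x6Fui0p>j', $stored));
echo "after upgrade: ", password_get_info($stored)['algoName'], "\n";
```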

secure password in php using hash_hmac

I just got one function from this site which describes how to generate a secure password using a hash.
The function is below:
function hash_password($password, $nonce) {
global $site_key;
return hash_hmac('sha512', $password . $nonce, $site_key);
}
I am using this function like this:
$salt = sha1(rand());
$salt = substr($salt, 0, 4);
$site_key = "site.com";
$pass = hash_password($pass, $salt);
It generates random text each time.
But I am unable to verify that password in the database, as the password is stored in the database and this generates random text every time.
I want to know how I can use this function to
Store the password in the database at the time of user creation
Verify the password from the database at login
or
is there any other secure way?
Thanks
You need to store the random string ($nonce I presume) in your database as part of the data, together with the resulting hash. Otherwise, you simply don't have enough information to validate the password.
Store the random generated string along with the password into user's row on the db or hardcode the salt and use always the same salt instead of changing it everytime.
If you generate a new salt then the hash will change everytime you calculate it (and since it is a random value you cannot get it back...).
By the way, why not a simple MD5?
$pass = md5( $pass.$site_key );
Edit: please don't do that (the md5 thing I mean)! Mine here is an old and wrong suggestion. Find an updated resource online and choose a secure algorithm if you need to store passwords (php now also has password hashing and verifying functions that should be secure, https://www.php.net/manual/en/function.password-hash.php, check in the comments for further suggestions).
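The storage layout both answers describe (the nonce persisted next to the digest and reused at login), as an added example that is not code from the thread; `SITE_KEY` and the sample rows are constructed placeholders, and `make_record`/`check_record` are my names. As the edit above says, password_hash() remains the simpler default.

```php
<?php
// Added example, not code from the thread: the nonce generated at registration is
// persisted next to the hash_hmac() digest and reused at login; a new nonce would
// give the "random text every time" the question describes. SITE_KEY is a constructed
// placeholder for a secret that lives in configuration, not in the database.
const SITE_KEY = 'constructed-site-key-kept-in-config';

function hash_password(string $password, string $nonce, string $site_key): string {
    return hash_hmac('sha512', $password . $nonce, $site_key);
}

/** Registration: make a fresh random nonce and return BOTH columns to store. */
function make_record(string $password): array {
    $nonce = bin2hex(random_bytes(16)); // 32 hex chars from a CSPRNG, not substr(sha1(rand()), 0, 4)
    return ['nonce' => $nonce, 'digest' => hash_password($password, $nonce, SITE_KEY)];
}

/** Login: recompute with the STORED nonce and compare in constant time. */
function check_record(array $record, string $password): bool {
    $recomputed = hash_password($password, $record['nonce'], SITE_KEY);
    return hash_equals($record['digest'], $recomputed);
}

$row = make_record('hunter2');          // constructed sample user row
var_dump(check_record($row, 'hunter2'));
var_dump(check_record($row, 'hunter3'));
// The question's mistake, made explicit: a record built with a new nonce never matches the stored one.
$again = make_record('hunter2');
var_dump($again['digest'] === $row['digest']);
```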
