Codeigniter password matches not working with md5 - php

When I use the following code in a validation form the password matches do not match the two passwords even when the two passwords are same.
$this->form_validation->set_rules('password','Password','required|md5|trim|xss_clean|matches[rpassword]');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean');
But when I remove the md5 function then the password matches is working properly.
Can someone understand why this happens?

When you do matches[rpassword], it's looking at the current value of password after the md5 but rpassword before the md5.
Switch it to this so that it does the match validation BEFORE converting to md5:
$this->form_validation->set_rules('password','Password','required|matches[rpassword]|md5|trim|xss_clean');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean');
Also, if this is an application where security truly matters - please know that md5 is very easy to crack and that if someone is able to ever get into your database that they will be able to hack all of these passwords. So basically using md5 is almost the equivalent to not encrypting in the first place.
For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

This is happening because the operation do comparation of "matches[rpassword]" it is before of variable "rpassword" be found, see below:
Your code:
$this->form_validation->set_rules('password','Password','required|md5|trim|xss_clean|matches[rpassword]');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean');
Updated and working:
$this->form_validation->set_rules('password','Password','required|md5|trim|xss_clean');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean|matches[password]');

Related

How to store a password as BCRYPT in a database as '$2a$15' in PHP

I am wondering on how to store passwords as BCRYPT that starts with $2a$15, because I have already setup my register and it already stores the passwords in BCRYPT.
However, when it stores the passwords as BCRYPT, the output is $2y$15, but I want it as $2a$15. I am new to BCRYPT and I find it quite hard to understand.
Anyway, here is my BCRYPT code:
function encryptedPassword($strPassword) {
$strSHA256 = hash('sha256', $strPassword);
$strBcrypt = password_hash($strSHA256, PASSWORD_BCRYPT, array('cost' => 15, 'salt' => bin2hex(openssl_random_pseudo_bytes(12))));
return $strBcrypt;
}
So, say if my password is Hello123!. The output of that would be:
$2y$15$aa979703a103b0a45b2afO0KS15RjWu5Lc8sa4.xQlsw9QLtyhp/O
and I want it to be:
$2a$15$aa979703a103b0a45b2afO0KS15RjWu5Lc8sa4.xQlsw9QLtyhp/O
I don't know if this is to do with the salt, can someone help me?
From PHP manual:
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash.
This will produce a standard crypt() compatible hash using the "$2y$"
identifier. The result will always be a 60 character string, or FALSE
on failure.
So using BCRYPT will always produce $2y$. By the way, the begining part of the hash is just an identifier, used for testing the password afterwards with password_verify. Just like the $15$ in your case being the cost of the hashing algorithm...
I suggest you read more on PHP password hashing. There is absolutely no sane reason why you'd want a hash to absolutely start with X or Y...
The PHP folks have put great efforts on giving you secure password hashing functions. You should really try using them without hacking stuff around it. hashing a hash is no safer than just hashing once. The salt option is deprecated in PHP7, I'd suggest you get rid of it, PHP can handle it better than you.

I can't compare password from my database and the one inputted

I am using php crypt function to make a password secure, but when I try and compare a password entered to a one in the database it will not work.
here is my code to create the password in the first place:
$crypt_password = crypt($_POST['confirm-password']);
here is me trying to compare to the password in another function:
$input_crypt_password = crypt($_POST['input-pw']);
if ($input_crypt_password == $dbpassword){
// do change password function
}
This is not working.
when i print both passwords the are different.
why are the passwords different even though I am entering the same password and using crypt function on both?
can anyone point me in the right direction?
From the docs
Example #1 crypt() examples
<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (hash_equals($hashed_password, crypt($user_input, $hashed_password))) {
echo "Password verified!";
}
?>
The code in the question will effectively generate a new hash every time it's called - the existing password hash needs to be passed as the salt to get a consistent result.
As also mentioned in the docs:
Use of password_hash() is encouraged.
I'd go further and say you definitely should be using password_hash instead of calling crypt for password usage (assuming php >= 5.5); in any case though for whichever whatever tools/methods you're using - please read the docs to know how to use them.
Don't use crypt directly for passwords.
If you have PHP 5.5+, than use the built in password_hash function, otherwise if you have PHP 5.3.7+ use the polyfill for this function.
Try to something like this.
$crypt_password = crypt($_POST['confirm-password'],salt);
$input_crypt_password = crypt($_POST['input-pw'],salt);
if ($input_crypt_password == $dbpassword){
// do change password function
echo "Password match successfully!";
}
Here salt parameter to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results.
I don't know what to say that will add more detail than what everyone else has already said...
So, in modern day hash/unhashing algorithms it would be unsafe to store passwords using standard hashing functions (e.g. MD5 / SHA256) as it is quick and easy to unhash this type of entry.
password_hash() as referenced in other answers and comments should be you're #1 way to safely store passwords as it uses a one way hashing algorithm.
You should read this page!
And then in response to your original question, use hash_equals() function to compare passwords.
As many guys here said, you should use password_hash php function.
Here you can see a simple example how to use it:
<?php
$password = '123456';
$userInput = '123456';
$storedHash = password_hash($password, PASSWORD_DEFAULT);
if (password_verify($userInput, $storedHash)) {
echo 'OK';
} else {
echo 'ERROR';
}
Also as mentioned before, if you use older version of PHP, you can install polyfill.
Did you trim the input before saving in db and while making the comparison. Since the input is coming from browser this may be a reason why it is not matching. otherwise this https://stackoverflow.com/a/41141338/1748066 seems appropriate.

Compare hashed password to validate if passwords are matched

I use blowfish method to hash the passwords from the user when they're signing up.
In the signup form, there is "Enter Password" box and "Confirm Password" box.
So, to check if the passwords are matched, I used hashed versions to compare. But then, it doesn't seem to match.
Please see the code below...
get values from the super global variables and hash them.
$hashed_password = password_encrypt($_POST['password']);
$conf_hashed_password = password_encrypt($_POST['conf_password']);
call the function
passwords_match_check($hashed_password, $conf_hashed_password);
Defined function
function passwords_match_check($hashed_pw, $conf_hashed_pw){
global $errors;
if($conf_hashed_pw != $hashed_pw){
$errors['pws_no_match'] = "Passwords do not match";
}
}
This code always says passwords do not match even if I do know passwords are same...
So, where I have gone wrong... ?
Is it OK, if I just used the values without hashing to compare ?
Just use password_hash() and password_verify() (both included in php 5.5+). And if you're on 5.3 - 5.5, use password-compat backwards compatibility library.
A custom password_encrypt() function is un-necessary and very likely less secure then the built-in one. So just use the built-in one.
Unless you share the password_encrypt function it's hard to say.
If the method seeds the encryption uniquely both hashes will be different.
( Could be the reason of your failed check. )
Why not check the raw input instead of the hashed?

crypt() breaks when migrating from PHP 5.2 to 5.4

I have a system running on PHP version 5.2.10 Unfortunately the original programmer misunderstood how crypt() was implemented.
$crypt = crypt(trim($cuPassword), CRYPT_BLOWFISH);
// The programmer thought this is how you configure a blowfish cipher
nb CRYPT_BLOWFISH has a value of zero on this machine.
This works in as much as it produces a random looking password hash eg 0$oZ534I2VvSw
Today, I migrated the software to PHP 5.4.9 and discovered that $crypt becomes *0 , ie an error due to the invalid salt.
My problem is that I have a table of login passwords that I can no longer validate. My question: Is there going to be a way I can recreate the original cipher that ran under version 5.2? What hash was implemented when you passed "0" as a salt?
Your description doesn't really add up. In PHP 5.4.9, I tested this:
var_dump(crypt('hello', 0));
Output:
0$ny0efnQXFkE
Now in PHP 5.5, you'll get *0 when calling crypt('hello', 0). But that's okay! Because this is still true in PHP 5.5: this crypt('hello', '0$ny0efnQXFkE') == '0$ny0efnQXFkE'.
All you need to do is change how you generate your hash for new passwords. Validating existing passwords will continue to work.
For good measure, after people successfully log in, check if their hash begins with 0$. If it does, rehash the password (since they entered it, you know what it is) with the updated, proper crypt call.
I tried all valid two digit combinations (CRYPT_STD_DES) and I found that "0q" is equivalent (nearly).
PHP 5.2.10
crypt(trim($cuPassword), CRYPT_BLOWFISH);
Result = 0$txv6CWBxJ9Y
PHP 5.4.9
crypt(trim($cuPassword), '0q');
Result = 0qtxv6CWBxJ9Y
All I need to do is adjust the second character and I can match passwords again.
No, there's no way you can recreate the original cipher. Otherwise even a boy scout would be able to break blowfish.
Your best chance is to generate a random password for your users and hash it once again, then force them to change the password as soon as they login.
"$" is not a valid salt value according to crypt(3) so you need to find a crypt implementation that's equally broken as the one PHP/libc used to have :)
If verifying old passwords is enough, use Matthews answer, else try e.g. openssl which currently still seems to accept "0$" as salt:
$ echo -n "secret" | openssl passwd -crypt -salt '0$' -stdin
0$z.PXBBy6uY.

Check entered password if its correct, match with sha256 pw in PHP

I have a password;
828b8f98ec52c750bf018c92951c6e40ae3976e74c888e42ff55ff22403932af
I am using Kohana 3 for my Auth login normally.
now i need to make a separate script, where a client can enter his password only and then it should check if the password it correct.
So what im dealing with is:
$real_pwd = '828b8f98ec52c750bf018c92951c6e40ae3976e74c888e42ff55ff22403932af';
$entered_pwd = $_GET['pwd']; // test purposes i know its vuln for sql injection ...
if ( $real_pwd == crypt($entered_pwd) ) { echo "OK"; }
This is not working ofcourse, crypt() is something i tried, but i dont know what to use?
If it was a sha1 pw i could use sha1 for the entered_pwd, but what with sha256?
You could use hash() http://php.net/manual/en/function.hash.php
However I recommend you to have a look at bcrypt and use it for hashing password. Have a look here How do you use bcrypt for hashing passwords in PHP?
Here's some other resources you might find useful:
Secure hash and salt for PHP passwords
Fundamental difference between Hashing and Encryption algorithms

Categories