I'm using a stored procedure to check the username and password on login attempts. - The passwords are stored using the password() function in MySQL.
And the login works fine, using the stored procedure, the problem is that I have a function that enables the user to change the password, how should I update it? as MD5 through PHP? or should I build a new stored procedure?
Thanks :)
You're not supposed to use the PASSWORD() function for your application-level passwords.
http://dev.mysql.com/doc/refman/5.6/en/encryption-functions.html#function_password says:
Note
The PASSWORD() function is used by the authentication system in
MySQL Server; you should not use it in your own applications. For that
purpose, consider MD5() or SHA2() instead. Also see RFC 2195, section
2 (Challenge-Response Authentication Mechanism (CRAM)), for more
information about handling passwords and authentication securely in
your applications.
If you use a standard cryptographic hash method like SHA2, you can perform the hashing in PHP, using the hash extension. Hashes calculated with the same algorithm in PHP are compatible with those calculated in MySQL.
Related
I have a PostgreSQL database, which have many users. Users' passwords are encrypted in this format:
sha1$678ae$0dd4b5a9588be91a931d1ef1f7e7053477c1478e
This encryption was done with Django (although I don't know if you can encrypt it directly in database).
What I'm trying to do is make a PHP application that can use and validate these users, with those encrypted passwords.
How could I do it?
PS: I'm using PHP 7.
By default, Django stores passwords using the PBKDF2 hash (see their docs). Assuming you have not changed this default, you should be able to hash using PBKDF2 in PHP using the hash_pbkdf2 function.
You'll need to accept a user's password in your PHP app, turn it into a PBKDF2 hash with the same algo, salt, iterations, and length that your Django app uses, and then compare the resulting value against the encrypted password in your Django database to see whether they match.
I am using PHP 7.1.
and create LDAP management page.
When using ldap_add() function.
there's ['userPassword'] field.
When I use below code, that works OK. (If salt does not exist, it's fine.)
$entry['userPassword'] = '{crypt}'.crypt('default_password');
Or below code is also works OK.
$entry['userPassword'] = '{MD5}'.'base64_encode(pack("H*", md5('default_password')));
But I read PHP recommend password_hash() function than crypt().
Can I use password_hash() function for LDAP? Is it possible?
UPDATE:
OK. then what what is the best solution for LDAP password ?
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$entry['userPassword'] = '{crypt}'.crypt('defaultpassword', '$2y$10$'.$salt.'$');
This does not work.
PHPs Password-Hashing mechanism is intended for use when you want to handle passwords only within PHP. Then it's great to use password_hash to create and password_verify to verify the password. The used backend here is completely irrelevant.
LDAP on the other hand uses ldap_bind to not only verify a password, but to bind a user to an LDAP-Server. That's like logging into the Server. For that there are different Crypto-Algos that can be used like crypt or md5(which we do not use anymore…).
As this binding-mechanism can be used by different systems to verify a login, the by LDAP supported Crypto-Algos need to be used so that the LDAP-Server can handle the password-verification.
So when you want to use LDAP-Verification via bind on different systems with the password you are storing in LDAP you will not be able to use password_hash.
If you want to use the password only with your PHP-Application you can use password_hash but I would not put it into the userPassword-attribute as that is the one the LDAP-Server uses to verify a password given by bind. And you usually can only read that field when you are authenticated as either an Admin or the user in question, which you won't be able to login as due to the password not being able to be handled by the user. So you'd need to bind to the LDAP as admin-user which adds much more security issues to your application than the use of password_hash solves.
And I would also question what sense it makes to use LDAP as backend when you don't use the benefits of LDAP like one password for multiple systems. It's usually much easier to store informations in a database than to setup an LDAP just for a single project.
I depends on your directory I guess, but commonly passwords in LDAP are stored with a scheme {MD5}, {CRYPT}, etc.
If you want to use something else, you have to be compliant with the mechanisms that are supported by the directory you use.
For the advice about password_hash, the fact is that :
password_hash is only a wrapper of crypt with default options set
password_hash is not intended to create a hash for a dedicated authentication mechanism
It is recommended for developpers who need to store a hash in a database and compare future passwords against this hash without constraint about the hash mechanism used.
The fact that the LDAP protocol support these authentications, you have to comply with the mechanisms supported by the directory.
So as the password_hash function does not seem to provide the choice of the hash mechanism used, I would say that you can't use it. Or at least, it won't provide you more "security" to use it than crypt or other supported and readily available mechanisms in your directory.
I use codeigniter a lot, however I am not really understanding why when I use the encryption library in version 3 the encryption string never comes out the same, even using the same salt/key.
So I have stored a user password as an encrypted string, which uses their own key to encrypt. The key is stored in the database. But when they come to login, and i want to encrypt the entered password to check the strings match, they never do match!
It seems the library always spits out different encrypted strings, no matter if the key is the same or not, how is this going to be useful if I can't match the stored encrypted password to the password they enter at login?
For example, password is 12456 with key a0956f251b9d957071005a2d11e4630a
SAVED PASSWORD IS: 0e6effa48949d6bf19e84530bc86e9a1407086b3b88fc368b6f8b7b53304b313eeebdb695c9cca10b3e7072f608bf4137e7fcc7d24fed54df2b6dcba3f94dcb6Tm05Qmay9G8JuUXps6UstWebmBmJ71BcIPgrW78OvSY=
PASSWORD GENERATED FROM USER LOGIN
6b893dac92155bc663b126b805c7189214ac4667b226f0c6fc22cf0c6bcca5e897c49961e8852ade1c3e85cbecab89df76ea7891727af6bf0bcc232b75d0d441LLUMZgOy4zLwAypuVQuK0lKTXrlXYptKpVdByytH2D8=
935c8f564c4a5ecb53510faa835eca8622069c34d534df6b9c2ea52de2d9bea5976128f6ff83a572ac677be4ebd690bc18e488518c2eed8b1b40a16c9e61d6b2hbKJ6B1VDuLPCXBeDDFzvrlSBIYCtN19M6dQGZRCvUE=
b8e020c7c10d564cfc3a9cc4d50b85ea3422422b73a2dd79930ead1fb601493279ba97645584d6dfa188e62f5eba5dc66d0dafdb7a82c08bf847bc84fc0718daSOVRrDlFmVMB/12ok9kR68ekXJcJvw0yfo/cnU9ojtI=
see they are different every time I try to encrypt the user input? It's not making any sense.
Likewise, if I try to decode the password in the database, with the same key it was encrypted with, I get nothing back, no decrypted password.
So, does anyone know what is going on here?
Randomized encryption is a security property necessary to achieve semantic security. If the encryption would not be randomized then an attacker might detect whether (prefixes of) messages were previously sent only by observing the ciphertexts. You generally don't want the attacker to know anything about the plaintexts except the length.
An encryption function has always a corresponding decryption function. It seems that you're only using one way of the two functions. You should never encrypt your user's passwords. You need to use hashing instead with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way function, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: How to securely hash passwords?
Codigniter documentation:
DO NOT use this or any other encryption library for user password
storage! Passwords must be hashed instead, and you should do that via
PHP’s own Password Hashing extension.
http://www.codeigniter.com/userguide3/libraries/encryption.html
Fully explained here:
http://php.net/manual/en/faq.passwords.php
Try the md5 encryption its good and best till now.
In controller before send password like this:
md5($this->input->post('password));
or use hash() or SHA256/SHA512 they do it well.
It will do the trick.
Enjoy!
I am using php for a basic application to login into the system, be able to edit account information, and delete account. I have a mysql database. I need to encrypt/decrypt password using salt. How do I do it? Just need to make sure data is secure.
You don't want to encrypt passwords. You want to hash them.
Some reading:
http://php.net/manual/en/faq.passwords.php
Related SO post: how to hash the password and get it back
Passwords should be hashed, in contrast to encryption this is a one-way function, that should make it impossible to get back the original password.
Store only the hash-value in the database, and compare against this value for login.
Use a unique salt per password, it can be stored plaintext in the same database field as your hash-value.
Use a slow key-derivation function like Bcrypt, to prevent brute-force attacks.
It's recommended to use a well established library like phpass to build the hashes. For further reading have a look at this tutorial.
We have a PHP application that stores passwords just using the MD5 function (with no salt).
We have OpenSSH set to use pam-mysql to authenticate users from the same database.
We would like to switch to use hashed passwords and we are considering either: 1. doing it ourselves, (something like md5($salt."$".$password) or hash("sha256", $salt."$".$password)), or 2. using php's crypt function (which uses the OS crypt(3) if available).
The problem is that I have not found whether pam-mysql supports crypt(3) or any replacement pam module that does.
crpyt(3) uses a user supplied algorithm and salt: crypt('password', '$5$saltstring$') for sha256 which returns $5$saltstring$OH4IDuTlsuTYPdED1gsuiRMyTAwNlRWyA6Xr3I4/dQ5. Any language that uses the crypt(3) library will see that string and know to use sha256 with the given hash and expect the given result.
Is the first method sufficient or is there some PAM module out there that supports MySQL and crypt(3)?
Use sha512, either a mysql implementation or a php implementation. If you use md5 you're using a known insecure function which opens you up to liability.
you may also use 3DES encryption for stronger security.