I'm facing a situation that need to verify password created via PHP password_hash method on nodejs server.
Does nodejs have an available package that equivalent to password_hash and password_verify? Thank you.
In my case i created password in php like below
$data['password'] = password_hash($data['password'],PASSWORD_BCRYPT);
In Node if i want to verify that password than ...
var bcrypt = require('bcrypt');
params.hash = params.hash.replace('$2y$', '$2a$');
bcrypt.compare(params.password, params.hash,async function(err, correct) {
console.log(correct);
});
Hope it will help you .....
No, you will have to make use of one of the many Bcrypt libraries for Node.js.
P.S.: You're basically duplicating another user's question (Verify password hash in nodejs which was generated in php).
Related
My old PHP app has a default admin user and md5 encrypted password created by the SQL that creates the database: insert into users values ( 1, 'admin', MD5('changeMe'), 2 );
Is there a simple way to include a default user and encrypted password using PHP's passowrd_hash function on creating the tables? I ask because I understand that password_hash is a native PHP function and I assume it won't be understood in SQL.
The solution to my problem came in three parts. My OP sought a simple way to create a hashed password for the admin user for insertion in the MySQL database on the installation of the application, using the native PHP password_hash() function.
(1) Based on a suggestion by #Nick and #Tadman, I decided to incorporate setting the hash in an installer script that would set not only the hash but other defined site/application variables.
Rather than inserting user values when the database table is created, it was deferred until immediately after, with the admin user entering their credentials in the form that inserts the hash and writes other definitions to a file:
$userpass = $_POST['userpass'];
echo password_hash($userpass, PASSWORD_BCRYPT);
(2) The second part of my problem was replacing all instances of md5()`` withpassword_hash()` and I achieved that by using a neat PHP script I found online to recursively search and replace the occurrences on the server.
Having replaced the md5() occurrences, I needed to change the hash comparison method and again by searching the relevant files I was able to replace instances of:
if ($p != $theUser->pwd ) {
return( false ); }
with:
if(password_verify($p, $theUser->pwd)) {
// Success!
}
else {
// Invalid credentials
echo "Uh oh!";
}
(3) The third step in resolving the problem was discovering that adding $1$ to the opening of the md5 hash could make it readable by password_hash(); so I just needed to make a couple of adjustments in the installed database to the admin user's old password.
Thanks to those who helped shine the light so I could find my way. I'm off now to invent the wheel and sliced bread.
you can do something like this in php:
$hash = password_hash('changeMe');
//echo $hash;
then use this hash in the Database.
What type of hash does WordPress use?
Here is an example of a WordPress hash:
$P$Bp.ZDNMM98mGNxCtHSkc1DqdRPXeoR.
The WordPress password hasher implements the Portable PHP password hashing framework, which is used in Content Management Systems like WordPress and Drupal.
They used to use MD5 in the older versions, but thankfully, no more. You can generate hashes using this encryption scheme at http://scriptserver.mainframe8.com/wordpress_password_hasher.php.
$hash_type$salt$password
If the hash does not use a salt, then there is no $ sign for that. The actual hash in your case is after the 2nd $
The reason for this is, so you can have many types of hashes with different salts and feeds that string into a function that knows how to match it with some other value.
For manually resetting the password in Wordpress DB, a simple MD5 hash is sufficient. (see reason below)
To prevent breaking backwards compatibility, MD5-hashed passwords stored in the database are still valid. When a user logs in with such a password, WordPress detects MD5 was used, rehashes the password using the more secure method, and stores the new hash in the database.
Source: http://eamann.com/tech/wordpress-password-hashing/
Update: this was an answer posted in 2014. I don't know if it still works for the latest version of WP since I don't work with WP anymore.
MD5 worked for me changing my database manually. See: Resetting Your Password
It depends at least on the version of PHP that is used. wp-includes/class-phpass.php contains all the answers.
I had same problem finding out what kind of Hash does Wordpress Uses .
It is wp hash password.
Example
Compare an already hashed password with its plain-text string:
<?php
$wp_hasher = new PasswordHash(8, TRUE);
$password_hashed = '$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/';
$plain_password = 'test';
if($wp_hasher->CheckPassword($plain_password, $password_hashed)) {
echo "YES, Matched";
} else {
echo "No, Wrong Password";
}
?>
See These Links:
https://codex.wordpress.org/Function_Reference/wp_hash_password
https://developer.wordpress.org/reference/functions/wp_hash_password
It uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5.
The best way to do this is using WordPress class to authenticate users. Here is my solutions:
1. Include following WordPress PHP file:
include_once(dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . "wp-includes" . DIRECTORY_SEPARATOR . "class-phpass.php");
2. Create an object of PasswordHash class:
$wp_hasher = new PasswordHash(8, true);
3. call CheckPassword function to authenticate user:
$check = $wp_hasher->CheckPassword($password, $row['user_pass']);
4. check $check variable:
if($check) {
echo "password is correct";
} else {
echo "password is incorrect";
}
Please Note that: $password is the un-hashed password in clear text whereas $row['user_pass'] is the hashed password that you need to fetch from the database.
Start phpMyAdmin and access wp_users from your wordpress instance.
Edit record and select user_pass function to match MD5. Write the string that will be your new password in VALUE.
Click, GO.
Go to your wordpress website and enter your new password.
Back to phpMyAdmin you will see that WP changed the HASH to something like $P$B...
enjoy!
Wordpress uses MD5 Password hashing. Creates a hash of a plain text password. Unless the global $wp_hasher is set, the default implementation uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5. MD5 is used by default because it's supported on all platforms. You can configure PasswordHash to use Blowfish or extended DES (if available) instead of MD5 with the $portable_hashes constructor argument or property.
include_once('../../../wp-config.php');
global $wpdb;
$password = wp_hash_password("your password");
By default wordpress uses MD5. You can upgrade it to blowfish or extended DES.
On the server side I create a password hash:
public static function salt()
{
return '$1$' . StringUtil::random(6, array('encode' => StringUtil::ENCODE_BASE_64));
}
public static function hash($password, $salt = null)
{
return crypt($password, $salt ?: static::salt());
}
And on client side I want to do the same using CryptoJS.
Is there any analogues in javascript for PHP crypt(), not necessary with CryptoJS?
UPD:
I want to do this on client side because I don't want to send password to server, but something like clientId crypted with hash, decrypt it on the server and get the hash for the next manipulations.
Well, here it is: a CryptoJS implementation of PHP's crypt for MD5-hashes (I guess it's too large to paste). So it's not a complete crypt-like thing but in your code example you are setting up a MD5-based hash (with the $1$ salt prefix).
How to use it:
Store in a file named php-crypt-md5.js
Use it like that ("rollups" is in your CryptoJS directory, just use the correct path):
<script src="rollups/md5.js"></script>
<script src="php-crypt-md5.js"></script>
<script>
function createSalt(len) {
var saltAlpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
"abcdefghijklmnopqrstuvwxyz./-+_"
var salt = '$1$';
for(var i = 0; i < len; ++i) {
salt += saltAlpha.charAt(
Math.floor(Math.random() * saltAlpha.length));
}
return salt;
}
// in your JavaScript code:
var salt = createSalt(8);
var pw = "your password";
var hash = CryptoJS.PHP_CRYPT_MD5(pw, salt);
What's the point of encrypting at the client and then decrypting at the server? This is not security, if all the information for encryption is client side, all someone needs to do is look at the JS source to see what your salt is, there is no security there.
The whole point is to send some data (over a secured channel, like https) to the server, then have the server hash it, and compare that hash to something you already have stored.
The security comes from what happens at the server, not from what you do to the data before you send it. A secure connection will prevent man-in-the-middle listening, but anything you have at the client is out in the open, and in no way contributes to security, unless you're using not-in-the-browser information (like having someone paste in their PGP public key along with whatever you send, with the server already knowing this person's PGP private key for authentication verification) in which case the actual data becomes irrelevant because the public key is now the important part...
So yeah, don't do this. It makes you believe you're being extra secure, when in fact you only made things worse.
I'm trying to create a custom registration component for TYPO3 on an external website where TYPO3 is not installed (i just use its database). Problem is i have no experience using TYPO3. I was wondering if anyone knew how to create the correct password encryption for TYPO3? The passwords looks like this :
$P$CeO/XYcbzRH9nLpCwKdp1HhsJGwJum0
I am looking for a php code to create that same encryption and check the password. I have the encrytion key from the install tools which (i believe) is used for the salting.
Or is there a possibility to save passwords as MD5 only? Not the best option but i could be the only one left.
I have found this url:
http://srv123.typo3.org/TYPO3/Extensions/saltedpasswords/4.6/#compatibility-of-other-extensions-with-salted-user-password-hashes
But i have no clue how to implement that in my own script.
Works on typo3 6.X:
$password = 'XXX'; // plain-text password
$saltedPassword = '';
if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('saltedpasswords')) {
if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled('FE')) {
$objSalt = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(NULL);
if (is_object($objSalt)) {
$saltedPassword = $objSalt->getHashedPassword($password);
}
}
}
Have a look at the developer guide:
1.5.1 Creating a new salted user password hash from a given plain-text password
You have to use it in the typo3-Frontend:
$password = 'XXX'; // plain-text password
$saltedPassword = '';
if (t3lib_extMgm::isLoaded('saltedpasswords')) {
if (tx_saltedpasswords_div::isUsageEnabled('FE')) {
$objSalt = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL);
if (is_object($objSalt)) {
$saltedPassword = $objSalt->getHashedPassword($password);
}
}
}
But, you should never try to generate salted password outside of typo3 because the encryption depends on your typo3 settings.
By looking at the hash provided I suppose the saltedpasswords extension (responsible for storing salted hashes in the database) in TYPO3 is set to use phpass. You should therefore be able to take this class and use it in your script to create/check passwords the same way as TYPO3 does.
Or is there a possibility to save passwords as MD5 only?
Yes, using salted passwords in TYPO3 is optional and not mandatory. However, if any TYPO3 installation in future would be supposed to use that database, I'm not sure how TYPO3 would handle the mixture of records when some of them would have passwords stored as unsalted hashes and some as salted. My guess is, that it would handle it gracefully, recognising which check to use for each hash.
I have a user auth table with a few thousand records containing a password field encrypted by bcrypt-ruby. I've ported the app in to PHP / Yii and need to use this field for authentication.
Is there a way to retrieve this Ruby-created field in PHP?
Verification
By "retrieve" I mean that I need to authenticate user logins using a PHP / Yii app to interpret a DB table with a password field created by bcrypt-ruby in a Rails app.
I believe this would solve your problem:
$database_record = "something"; // grab from database
$user_input = 'unicorns'; // take real one from post data
$password = crypt($user_input, '$2a$10$usesomesillystringforsalt$');
// key piece above is the second number, that is the 'work' factor
if (crypt($user_input, $database_record) == $password) {
echo "Password verified!";
}
else {
echo 'failed!'; }
This assumes you stored them using BCrypt::Password.create(desired_pass) in Ruby, and were verifying login by BCrypt::Password.new(database_entry) == form_input.
Additionally, to create a new password in your database (i.e. a new user), store the result of
$password = crypt($user_input, '$2a$10$usesomesillystringforsalt$');
Lastly, make sure that you are always using the correct cost factor. The same password with different cost factors will not be equivalent. The default cost factor in bcrypt-ruby is 10 (current version, 3.0.1).
You should have a look at the crypt functions at PHP.net
Here you should be able to to what you want if you've followed bcrypt correctly in Ruby.