I am trying to use my stored passwords from Laravel 4 in a fresh Phalcon Installation. I have no idea whether this is possible and tried it this way in the SessionController of the Phalcon sample-apllication INVO:
#$password = sha1($password);
$password = password_hash($password, PASSWORD_BCRYPT);
Can I use another Hash-Algorythm in phalcon, that fits to Laravel 4 Passwords, or can I convert the hashes somehow?
You should be able to use laravel hashses - all you need to do is to check how Laravel is creating and checking them.
Check this code from BCryptHasher::make() and this for validating.
The problem is that in Laravel this algorithm is a bit different. First is obtaining user from database then checking if password is the same with password_verify. While in INVO you first hash the given password and then you search for a user with given email and hash - if it finds anything then it can log user. Below should do the trick knowing the $cost value from Laravel settings (class defaults to 10).
$password = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
Edit: while above would be true for SHA1 & similar. The INVO code should be changed to match the login algorithm in Laravel and BCrypt itself:
$user = Users::findFirst(array("email = :email: AND active='Y'", 'bind' => array('email' => $email));
if ($user != false && password_verify($user->password, $this->request->getPost('password'))) {
// login user
}
Laravel is using BCrypt for a reason - it is generally very good choice for hashing so you should stick to it.
Anyway you could write a password migration which will do upon each user successful login:
validate user password using old hashing algorithm
checks if User has migrated it's password (ie by checking some database field - or separated table)
hash given password with new algorithm
store new hash and update user table (with information that hash has been changed)
Which is rather complicated and should be needed only when migrating to "better" algorithm.
Related
I created user and I gave him password 'secret'.
The hash that was generated by the registration process is
$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm
I wanted to generate it in the code so I used Hash::make('secret') and I got:
$2y$10$Hnbg7DCp2VObns4cbr580uo9VTYgzJF2BSNSpA7S8BYjkAgfUlH.G
finally I used bcrypt('secret') and I got:
$2y$10$5g1bhkHB7kRk8SkM3yS/YOifsEesjZ31YeYnRlE.bxSBmZutVCuui
These are all different hashes, How can I generate one that would let me change password inside my code?
It's because bcrypt doesn't work as SHA-256, it uses a key that would change the result of the hash itself for the same string.
In Laravel, you can use Hash::check('plain-text', $hashedPassword) to check the password, but you will never have the same result for the same password. check here
You can use bcrypt(secret") and leave it at laravel and test it (everything is working).
It works as intended, bcrypt doesnt always generate the same hash. Laravels Hash::check() function will return true for any valid hash of the given password.
For mor informations, look here: https://stackoverflow.com/a/8468936/6622577
Bycrypt is a more secure password hashing algorithm. Unlike md5() or SHA1() bycrypt does not always generate the same hashed value for a specific string.
So when you are storing the hashed password in the database you will use
$password = bcrypt($input['password']);
Afterwards, when you wish to check at the time of login you simply set the plain-text password (As you might be getting it from user input) and run a function called Auth::attempt() to match the password.
$userdata = array(
'username' => $input['username'],
'password' => $input['password'],
);
if (Auth::attempt($userdata)) {
// Password matched
}
And if you want to explicitly check the plain-text password corresponding to its hash then use Hash::check() as below:
Hash::check('plain-text-password', 'hashed-password);
please please someone help me , my boss would kill me , this code is not working in laravel , because password is hashed , it is bcryted , how do i compare and get my us_id ( wich stands for username_id ) , the one that tried to login but has the wrong password , do you have any suggestioin , what i'm trying to do is very simple , i'm trying to understand if the user entered a wrong password but his/her username is right . i am beginner . sorry for that :( . i know this won't work , but what should i do to understand if the user entered a wrong password ?
public function login(Request $request, Logs $logs)
{
$password = $request->input('password');
$myuser = \DB::table('users')->where('password', $password)->first();
if (\Hash::check($password, $myuser->password)) {
$logdata = $myuser->id;
$logs->insert($logdata);
return view('MainPages.example', ['pass' => $password]);
}
}
The password is hashed by Laravel, so use the Hash::check() method:
if (\Hash::check($password, $myuser1->password)) {
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords. If you are using the built-in LoginController and RegisterController classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.
https://laravel.com/docs/5.5/hashing
You can't expect this to work.
Passwords are stored encrypted. Multiple people could theoretically have the exact same password, but none of them would look identical when stored. Therefore you don't know what to look for in the record, even if you know what password you are looking for because you don't know what salt was used for the particular record where it is stored.
You just can't retrieve a record on a password lookup like this. Rather, you have to retrieve the record first (based on some other key, eg. username or id) and then see if the password encrypts to match from the given password that has the ever important salt.
What type of hashing algorithm is used by default for passwords in Laravel. If we want to change the password in the database then how can we identify the hash type of the password?
According to Laravel Documentation :
The Laravel Hash facade provides secure Bcrypt hashing for storing
user passwords. If you are using the AuthController controller that is
included with your Laravel application, it will be take care of
verifying the Bcrypt password against the un-hashed version provided
by the user.
Likewise, the user Registrar service that ships with Laravel makes the
proper bcrypt function call to hash stored passwords.
Hashing A Password Using Bcrypt
$password = Hash::make('secret');
You may also use the bcrypt helper function:
$password = bcrypt('secret');
Verifying A Password Against A Hash
if (Hash::check('secret', $hashedPassword))
{
// The passwords match...
}
Checking If A Password Needs To Be Rehashed
if (Hash::needsRehash($hashed))
{
$hashed = Hash::make('secret');
}
You can also use laravel/tinker to update/create/delete/etc data in the DB table from console, for example:
php artisan tinker
>>$user = App\Models\User::find(2);// or User::find(2)find user with id 2
>>$user->password = bcrypt('test83403'); //change password
>>$user->save(); //save the new change
2 and I am having a problem while i register and login a user.
I worked on codeigniter as following code has been used to store password and hash:
array('user_login_salt' => md5($time_now),'user_login_password' => md5(md5(md5($time_now) . $password)),
'user_password_hash' => $this->encrypt->encode($password, md5(md5(md5($time_now) . $password))),
'user_security_hash' => md5($time_now . $password))
and when i log in the use then check the password as per condition as follows:
md5(md5(strtolower($this->encrypt->decode($user_details_array['user_password_hash'], $user_details_array['user_login_password']))))=== $user_password..
Now in laravel I want to do the exact same thing for register a user and user login. What i need exactly is i need to store user login salt, user login password, user password hash and user security hash. Security hash must be 32 character long exactly..
So please looking for any solution which registers the user in the same way and login by user_password_hash...
Thank you
Solution 1: Use Laravel build-in auth for login, logout
- In Console run
php artisan make:auth
This command creates users table, UserController and User Model. Now you can access yoururl/login,..etc
Solution 2: Handle manually with Hash in Laravel. Ex: In Controller
- Hash password
$hashedPassword = \Hash::make($password);
- Compare password
// Return true if password matches hash
$check = \Hash::check('plain-text-password', $hashedPassword)
I'm wondering how to use Hash::needsRehash() as I'm struggling to see using the documentation exactly what it's for.
if (Hash::needsRehash($hashed)) {
$hashed = Hash::make('plain-text');
}
What exactly causes Hash::needsRehash() to return true or false, does it return true if the hashed password is in another hash (such as MD5, SHA1 etc)?
In the case that your database is full of hashes in another algorithm and Hash::needsRehash() returns true, how would you rehash the users password so that it's they're up to date? You can't rely on the "login" password because it needs to be compared first to validate, right?
I guess maybe I'm overthinking things but I'm confused right now. Luckily my users passwords are using password_hash() anyway so shouldn't be a problem.
Hash::needsReHash() just calls php's built-in password_needs_rehash function. A helpful comment in the docs is:
// Check if a newer hashing algorithm is available
// or the cost has changed
if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
So Hash::needsReHash() will return false if and only if hashing algorithm has changed (since you're not passing any options such as cost).
As for how and when to use this, you can only rehash a user's password when you have it -- e.g. when they're logging in. So during the login process, you check if their stored password's algorithm differs from your current algorithm, and if so, you replace their stored password hash with a new one.
This seems to be how to do it in Laravel 5.6
Put this in your LoginController:
protected function authenticated(Request $request, $user) {
if (Hash::needsRehash($user->password)) {
$user->password = Hash::make($request->password);
$user->save();
}
}
https://laravel.com/docs/5.6/hashing#basic-usage
The method returns true when PHP is updated and a new/better default algorithm was added or any other parameters changed. This lets you automatically take advantage of it without updating your code.
This method is used when a user is logging in as that is the only time you have access to the plain-text password. After confirming it is correct according to the old hash, you take the plain text password, rehash it, and put it back into the database for future use.
For a hypothetical example, lets say that right now the algorithm is md5() 10k times. In PHP7, it was updated to sha512() 15k times. If the hash is in the $count|$algo|$hash format, the method can tell when a hash is outdated. Since the old algorithm was not removed, you can still validate the password with old parameters before rehashing.
Note: obviously using md5()/sha512() is a bad idea. I'm just using them as examples.