I have found this post helpful MySQL password() function to PHP but I am having trouble applying the solution offered there to my problem.
A password was stored in a Mysql using Password(). I want to adapt this script to compare the entered password with the one stored in the database, rather than use the 'crypt()' function.
public function authenticate($user,$pass) {
$mysqli = new mysqli(DBHOST,DBUSER,DBPASS,DB);
if ($mysqli->connect_errno) {
error_log("Cannot connect to MySQL: " . $mysqli->connect_error);
return false;
}
$safeUser = $mysqli->real_escape_string($user);
$incomingPassword = $mysqli->real_escape_string($pass);
$query = "SELECT * from users WHERE username ='{$safeUser}'";
if (!$result = $mysqli->query($query)) {
error_log("Cannot retrieve account for {$user}");
return false;
}
// Will be only one row, so no while() loop needed
$row = $result->fetch_assoc();
$dbPassword = $row['password'];
if (crypt($incomingPassword,$dbPassword) != $dbPassword) {
error_log("Passwords for {$user} don't match");
return false;
}
$this->id = $row['id'];
$this->firstName = $row['first_name'];
$this->lastName = $row['last_name'];
$this->username = $row['username'];
$this->email = $row['email'];
$this->dateJoin = $row['dateJoin'];
$this->school = $row['school'];
$this->level = $row['level'];
$this->isLoggedIn = true;
$this->_setSession();
return true;
} //end function authenticate
Is there an easy way to adapt this script? Do I just add
AND `password` = PASSWORD('{$incomingPassword}')
to my query? This seems a little clumsy.
Are you really sure the passwords where hashed with the MySql Password() function, because this function is not meant to be used in applications? It is not possible to store passwords safely and verify passwords in an SQL-query directly.
You really should use a slow hashing function like BCrypt, and salting is mandatory. That means, that you need a two step process, first get the stored password hash by username with an SQL-query, then extract the salt from the hash and do the verification.
The recommended way to hash passwords with PHP is the new function password_hash():
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
If you are interested in more in-depth information about this topic, you can have a look at my tutorial about safely storing passwords.
Related
I have question about valid hashing passwords:
login.php
$login = $_POST['login'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
if(!empty($login) && !empty($password) && password_verify(??){
I want to make secure login and I know that I have to verify the inputted password with existing hash (stored in database?). Also I know that bcrypt everytime makes new hash (because of different salt size etc).
The problem is that I don't know how to put this hash into database because I don't want to register new users, I have static list of users (exactly two: admin and user).
I tried manually copy/paste hash but it wouldn't work as I mentioned earlier that every time I run script new hash is created.
Can anyone help me how to put bcrypt hash in database (only once) so I can only check if inputted password is same as the one in database?
Do I need extra variables to store this hash?
EDIT:
login.php
<?php
session_start();
include("log.php");
include("pdo.php");
$login = $_POST['login'];
$password = $_POST['password'];
$adminHash = '$2y$10$lxPRtzzPDUZuPlodhU4QquP.IBrGpkjMNplpNgN9S1fEKd64tJ5vm';
$userHash = '$2y$10$Klt345wT66vA.4OAN5PEUeFqvhPQJ4Ua/A4Ylpc1ZcnJZv/hafgSu';
if(!empty($login) && !empty($password) && (password_verify($password, $adminHash) || password_verify($password, $userHash))){
$query = $pdo->prepare('SELECT * FROM xx WHERE login = ? AND admin = ?');
$query->execute(array( $login, 1));
$result = $query->fetchAll();
if(!empty($result)) {
$_SESSION['logged_admin'] = 1;
}
else {
$query->execute(array( $login, 0));
$result = $query->fetchAll();
if(!empty($result)) {
$_SESSION['logged_user'] = 1;
}
else {
$_SESSION['logged_error'] = 1;
}
}
}
else $_SESSION['logged_error'] = 1;
header("Location:index.php");
?>
it seems to be working but i dont know if it's best/safest solution.
With more passwords it will be too complicated i guess, still looking for best option!
What if i need more users? now every user have same hash and it's dangerous i get it, how to make it safe? generate hash for every user and make array or hashes?
You fetch first the one that has password_hash() from your database, and then compare it with password_verify($password, $storedpassword) like this : link
I'm looking for a simple (or as simple as possible) yet secure method for hashing and salting a users password when submitting it to the database and then retrieving from the database. Having spent the past 3 hours researching, there are literally hundreds of different methods that each person will say is the best method.
I'm looking for a relatively simple method that will also keep users accounts secure. Obviously the term secure can be interpreted differently, but i just want it, at the very least, be very difficult for a would-be hacker (or whatever you'd call these saddo's) to gain access to a users account.
I appreciate that i should have at least tried a few things, but they all seem so convoluted and overly secure for my purpose.
I tried using password_hash() but it appears i'm running an earlier PHP version than 5.5. I understand there are issues with the code below, but it's simply a starting point for a person project i'm working on in order to better learn PHP.
Current registration form
$username = $_POST['username'];
$password = $_POST['password'];
try {
$result = $db->prepare("INSERT INTO
user_info
SET
username = :user,
pass = :pass
");
$result->bindParam(':user', $username);
$result->bindParam(':pass', $password);
$result->execute();
}
catch (Exception $e) {
echo "Could not create username";
}
if (isset($_POST['submit'])) {
foreach ($_POST as $field) {
if (empty($field)) {
$fail = true;
}
else {
$continue = false;
}
}
if ($field == $fail) {
echo "You must enter a username and/or password";
}
else {
echo "Your account has been successfully created.";
}
}
The login logic
$username = $_POST['username'];
$password = $_POST['password'];
try {
$result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
$result->bindParam(':user', $username);
$result->bindParam(':pass', $password);
$result->execute();
$rows = $result->fetch(PDO::FETCH_NUM);
}
catch (Exception $e) {
echo "Could not retrieve data from database";
exit();
}
if ($password = $rows) {
session_start();
$_SESSION['username'] = $_POST['username'];
$_SESSION['loggedin'] = true;
include("inc/redirect.php");
} else {
if (isset($_POST['login'])) {
echo "Username or password incorrect (passwords are case sensitive)";
}
}
Use sha1 function http://www.php.net/manual/en/function.sha1.php
It's really simple. Pass the password in input parameter then save it in the database.
When you want to check if password is correct you just have to compare the sha1(password) with the stored value.
Example :
$passwordEncrypted = sha1($password)
save $passwordEncrypted in your database
When the user want to login :
check this condition :
if (sha1($password) ==$passwordEncrypted )
Here is the complete code :
$username = $_POST['username'];
$password = $_POST['password'];
$passwordEncrypted = sha1($password)
try {
$result = $db->prepare("INSERT INTO
user_info
SET
username = :user,
pass = :pass
");
$result->bindParam(':user', $username);
$result->bindParam(':pass', $passwordEncrypted);
$result->execute();
}
catch (Exception $e) {
echo "Could not create username";
}
if (isset($_POST['submit'])) {
foreach ($_POST as $field) {
if (empty($field)) {
$fail = true;
}
else {
$continue = false;
}
}
if ($field == $fail) {
echo "You must enter a username and/or password";
}
else {
echo "Your account has been successfully created.";
}
}
With password_hash() you are on the right track. For PHP versions 5.3.7 - 5.5 you can use the compatibility pack, later when you switch to a newer PHP version, you can simply remove this php file from your project and the code will still run.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
Even for lower PHP versions than 5.3.7 you can use the compatibility pack. You only have to edit line 55 and change the algorithm from sprintf("$2y$%02d$", $cost); to sprintf("$2a$%02d$", $cost);. This is of course not optimal, but it is the best you can do for PHP between 5.3 and 5.3.7.
The problem with other algorithms like SHA* or MD5 is, that they are ways too fast. It is possible to calculate about 3 Giga SHA-1 per second with common hardware, that makes brute-forcing too easy. To test a whole english dictionary you would need only a fraction of a millisecond. That's why one should use a hash algorithm with a cost factor like BCrypt or PBKDF2, they allow to control the necessary time to calculate a single hash.
Look at this question:
https://stackoverflow.com/questions/3897434/password-security-sha1-sha256-or-sha512
You can use hash function
http://www.php.net/manual/en/function.hash.php
Use salt and sha256 encryption algorithm
<?php
// create user
$password = $_POST['password'];
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$pass = hash("sha256", $salt.$password.$salt);
// save salt and password hash into database
// to validate user
// 1 - get salt and password hash from database
// 2 - prepend and append salt to the posted password
// 3 - encrypt with the same algorithm
// 4 - compare with stored password hash.
I am having a serious issue with trying to validate my password when logging into my site. I am using php to create a blowfish encrypted password with salt using the code below.
<?php
function cryptPass($p, $rounds = 9) {
$salt = "";
$saltChars = array_merge(range('A','Z'),range('a','z'),range('0','9'));
for($i = 0; $i < 22; $i++){
$salt .= $saltChars[array_rand($saltChars)];
}
return crypt($p, sprintf('$2y$%02d$', $rounds) . $salt);
}
?>
This works fine and the crypted password is put into my mysql database. the problem is on login it will not validate. this is the login script.
if(isset($_POST["u"])){
// CONNECT TO THE DATABASE
include_once("php_includes/db_connect.php");
// GATHER THE POSTED DATA INTO LOCAL VARIABLES AND SANITIZE
$u = mysqli_real_escape_string($db_connect, $_POST['u']);
include_once("php_includes/hasher.php");
$p = (cryptPass($_POST['p']));
// GET USER IP ADDRESS
$ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
// FORM DATA ERROR HANDLING
if($u == "" || $p == ""){
echo "login_failed";
exit();
} else {
// END FORM DATA ERROR HANDLING
$sql = "SELECT id, username, password FROM users WHERE username='$u' AND activated='1' LIMIT 1";
$query = mysqli_query($db_connect, $sql);
$row = mysqli_fetch_row($query);
$db_id = $row[0];
$db_username = $row[1];
$db_pass_str = $row[2];
if($p != $db_pass_str){
echo "login_failed";
exit();
} else {
//goto the users account
should I not be running the cryptPass function on the incoming user data?
Also of note would be that the mysql database password column is set up as VARCHAR(255) so its got plenty of room. At this point the password crypts right, I am just not able to compare it to the one in database properly. This is my first real try with blowfish pieced together from tutorials all over, I wanted to get away from md5 as php.net advises. Any help would be greatly appreciated. Thanks in advance for reading this.
Here's a slightly more in-depth demonstration as what's found on the PHP crypt() man page:
// Only for demonstration, see mcrypt_create_iv() for a better salt:
// http://php.net/manual/en/function.mcrypt-create-iv.php
$salt = substr(sha1(date('r')), rand(0, 17), 22);
$cost = 10;
$hash = '$2y$' . $cost . '$' . $salt;
$pass = 'mypass';
$notpass = 'notmypass';
$hashed = crypt($pass, "$hash");
echo "
Hash:
$hash
Hashed:
$hashed
Verified:
" . crypt($pass, $hashed) . "
Not Verified:
" . crypt($notpass, $hashed);
https://ignite.io/code/51323c3aec221e7b73000000
Which gives (at least this time):
Hash:
$2y$10$a80ded6289240c2e41a5e4
Hashed:
$2y$10$a80ded6289240c2e41a5euUFPvmt.sb6lBwOE.JTAdxQsDWmmM.Me
Verified:
$2y$10$a80ded6289240c2e41a5euUFPvmt.sb6lBwOE.JTAdxQsDWmmM.Me
Not Verified:
$2y$10$a80ded6289240c2e41a5euj06Emi8HigWM6BpqVFZ.ZtpA9wK5c8G
To verify the password you need the salt that was used to create the first password hash. This salt is included in the output string of the crypt() function, and crypt can extract this salt from the password hash.
You can see well how it works when you look at the new hash functions from PHP 5.5 password_hash() and password_verify()...
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
...the function that verifies the login password, needs the hash of the first password. It then can extract the salt and the cost factor from this string, to hash the login password with the same parameters.
I can recommend this new functions, there is a compatibility pack for earlier versions.
I have registered a new user and saved the username, password & salt in the DB using the following hashing method:
if(isset($_POST['register']))
{
$password = $_POST['password']
function sanitize($data)
{
$data=trim($data);
$data=htmlspecialchars($data);
$data=mysql_real_escape_string($data);
return $data;
}
$password = sanitize($password);
function createSalt()
{
$salt = bin2hex(mcrypt_create_iv(32,MYCRYPT_DEV_URANDOM));
$hash = hash("sha256", $salt);
$final = $salt.$hash;
return $final;
}
$hashedPassword = hash("sha256", $password);
$salt = createSalt();
$hashedPassword = hash("sha256", $hashedPassword.$salt);
$query = sprintf("INSERT INTO users(username, password, salt) VALUES('%s','%s','%s')",$username, $hashedPassword, $salt);
}
And Later while trying the login.php, I am entering the same password which I saved during registration and using the below code to check if the entered password is the same as the one in the DB
if(isset($_POST['login']]))
{
$password = $_POST['password']
function sanitize($data)
{
$data=trim($data);
$data=htmlspecialchars($data);
$data=mysql_real_escape_string($data);
return $data;
}
function validateUser()
{
session_regenerate_id (); //this is a security measure
$_SESSION['valid'] = 1;
$_SESSION['username'] = $username;
}
$password = sanitize($password);
$query = sprintf("SELECT * FROM users WHERE username = '%s'",$username);
$sql = mysql_query($query);
$count = mysql_num_rows($sql);
$row = mysql_fetch_array($sql);
if($count<1)
{
echo $count;
unset($_POST['login']);
header("location:login.php");
exit;
}
$hash = hash("sha256", $password);
$salt = $row['salt'];
$hash = hash("sha256",$hash.$salt);
echo $hash."<br />".$row['password']."<br /><br />";
if($hash != $row['password'])
{
unset($_POST['login']);
header("location:login.php");
exit;
}
else
{
validateUser();
unset($_POST['login']);
header("location:index.php");
exit;
}
}
These passwords are not getting matched.
Kindly let me know what's wrong in this code.
There is nothing wrong with your code.
the salt value stored in the database is truncated because the varchar value is low increase the varchar value of your salt column to 200-300 something and than try this.. it will run fine.
I facepalmed when I found out this was screwing the result..
Dins
Actually i didn't see why this should not work, the code you have shown, should produce the same value, maybe you could check, whether the salt you read from the database is really the same as you wrote to the database.
Nevertheless i would not engourage to go further on this route, there are quite a lot of problems here.
First of all, SHA-256 is not a good choice to hash passwords, instead use a slow key-derivation function like BCrypt.
You should not escape input data without need, and if you need to escape them, you should do it only for the specific target system (htmlspecialchars and mysql_real_escape_string make no sense if you are going to calculate a hash anyway).
To create a salt, you use the random source, that is good. Using a hash afterwards creating the salt, will in no way make the salt more random.
There is no need to have two separate fields for password and salt in the database. Php's crypt() function will create a hash value, that already contains the salt.
I would invite you to read this tutorial about hashing passwords, you will find a PHP example too, and i would recommend to use the phpass library.
A simple Registration and login page for a website. I am trying to crypt the password + salting. That's what I have done but I am not sure if its correct.
This is what happens in the registration page:
$blowfish = '$2a$10$';
$salt = '8dF$d_3';
$hashedPass = crypt($password,$blowfish . $salt);
In the database, the password "RAYray99" is stored as "$2a$10$8dF$d_3$$$$$$$$$$$$$$.wxsfa7X.nkcGqldJ9fujdd8eY.H85uC"
On the login page, I am stuck on how to check the password entered with the password in the database.
This is the loging php script that verifies the user:
mysql_connect("$db_host", "$db_username", "$db_pass") or die(mysql_error());
//select the database or return error message
mysql_select_db("$db_name") or die("database does not exist");
$email = stripslashes($_POST['email']);
$email = strip_tags($email);
$email = mysql_real_escape_string($email);
$password = ereg_replace("[^A-Za-z0-9]", "", $_POST['password']); // filter everything but numbers and letters
$password = crypt($password);
$sql = mysql_query("SELECT * FROM members WHERE email='$email' AND password='$password' AND activateemail='1'");
$login_check = mysql_num_rows($sql);
if($login_check > 0){
while($row = mysql_fetch_array($sql)){
// Get member ID into a session variable
$id = $row["id"];
session_register('id');
$_SESSION['id'] = $id;
// Get member username into a session variable
$username = $row["username"];
session_register('username');
$_SESSION['username'] = $username;
// Update last_log_date field for this member now
mysql_query("UPDATE members SET lastlogin=now() WHERE id='$id'");
// Print success message here if all went well then exit the script
header("location: account.php");
exit();
} // close while
} else {
// Print login failure message to the user and link them back to your login page
print '<br /><br /><font color="#FF0000">ERROR TRY AGAIN </font><br />;
exit();
}
My question is how would I verify the login passsword entered on the login page with the 1 in the database.
Thank you,
Ray
To verify the password you should be hashing the entered one exactly the same way you did when you stored it in the first place.
I see some issues with what you have. First, the blowfish string for crypt() specifies, according to the PHP docs, that after your $2a$10$ should be a 22 character string from the alphabet of ./0-9A-Za-z. Your salt isn't following that, so the hash function is probably failing completely (though I'm not certain).
Also, your salt shouldn't be a constant in your app, it should be unique to each user and stored in the db along with their hashed password.
Finally, you shouldn't be doing those transformations to the password before hashing it. Break out a function that has the plaintext password as input, and outputs the hashed password. Use this function both when you store the password, and when you attempt to validate the login. That way you know for sure it should match the database.
I am using a mapper for my sql queries (doctrine2).
My passwords are saved with md5 + salt in my db
public function setPassword($password) {
$this->_password = self::encodePassword ( $password );
return $this;
}
/**
* This function encodes the password to md5 after adding a salt
* #param string $password
*/
public static function encodePassword($password) {
$salt = 'dsa7893ujlksdsagkz27392kjsjaldksju928ikljda27';
return md5 ( $password . $salt );
}
My login looks like this ...
/**
* Executes an authentication try
*
* #throws Zend_Auth_Adapter_Exception if the authentication failed
* #return Zend_Auth_Result
*/
public function authenticate()
{
//check if login is correct
try{
$user = $this->_em->getRepository('App_Model_User')
->findOneBy(
array(
'_email' => $this->_login,
'_password' => App_Model_User::encodePassword( $this->_password )
)
);
}catch( Exception $e ){
throw new Zend_Auth_Adapter_Exception( 'authentication failed', 0, $e );
}
.............
$password = $_POST['password'];
$str = "$2a$10$8dF$d_3$$$$$$$$$$$$$$.wxsfa7X.nkcGqldJ9fujdd8eY.H85uC";
if (preg_match('/^(.{7})(.{7})(.+?)$/', $str, $m))
{
$blowfish = $m[1];
$salt = $m[2];
$hashedPass = $m[3];
$validHashedPass = crypt($password,$blowfish.$salt);
if ($validHashedPass == $hashedPass)
{
good pass
}
else
{
wrong auth
}
}
I have a class built just for this case. It uses the sha1() hashing function and PDO prepared statements to prevent SQL injections. I'll try to find it and post it here, but if I don't, this is my advice to you:
Use a hashing function, not a crypting one.
Don't use mysql_* as it does not support prepared statements. Use PDO or at the very leat, mysqli.
As #Brad pointed out it'll be simpler (and to some extent safer) to hash the passwords instead of encrypting them.
MySQL supports both MD5 and SHA1 hashes anyhow.
One of the advantages of going this route is you can do either:
$pass = md5($salt . $pass);
$SQL = "SELECT * FROM users WHERE username = '$user' AND pass = '$pass';";
OR directly on the database
$SQL = "SELECT * FROM users WHERE username = '$user' AND pass = MD5('{$salt}{$pass}')";