i got my login page, and on it I am also using it to autheticate both username and password.
im stuck on checking the password against that provided in the database. This is because I've done this code in my registration for more security.
$hashed_password = crypt('pass1');
Would anyone be able to assist me in creating a if statement to check the database encrypted password to that of the user provided. I really appreciate it.
in the login page....this is my password post.
$password = htmlentities(trim($_POST['password']));
// let the salt be automatically generated
$hashed_password = crypt('mypassword');
// You should pass the entire results of crypt() as the salt for comparing
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
EDIT
crypt() takes two paramaters, and second is so called salt (see wiki). If not provided, salt will be autogenerated (hence can be considered random). Salt is used in the whole alghorithm, therefore to compare you want to crypt() user provided password with the same salt you did before otherwise result will be different. To make this possible salt is added to crypt result (at the begining) so providing previous result for comparion purposes simply feeds crypt() with old salt (it is either 2 or 12 chars depending on alghoritm used).
Related
Actually my problem is hash_password make a diffrent hash each time with same word i dont know how to check my input password with data base
I have a hashed password in my db and im trying to hash my input with same algorythm but i get a diffrent value
$pass = password_hash($_post["pass"] , ARGON2I);
If($pass === $admin["Pass"]){
echo "success";
else
echo "failed";
Assuming the language is PHP:
password_hash creates a unique hash each time even for the same password, this is because there is a random salt used each time. The salt is included in the result of password_hash.
To verify the hashed password use password_verify which uses the salt saved with the hash to compare and return a match or not.
The reason for the unique hashing is so that two users with the same password do not hash to the same value so that knowing one does not allow knowing other user's passwords from a matching hash.
See the linked documentation.
ive been reading up about the php 5.3+ password_hash - but have a few questions, plz excuse me if im being daft. Seems 1 big catch point for making strong user password hashes is using random salts as opposed to static ones. If im checking a user logging in, surely I have to somehow have a copy of the salt used (stored in db) to check? If thats the case, do i use a secure salt function (bcrypt salt functions) and store that string in the db (and recreate with each new login) or what?
I have this:
$options = [
'cost' => 11,
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
When i echo $options['salt'] I get odd characters which i prob couldnt store in a db. Im used to the old (insecure) method of storing a random salt in the db and using that (statically) for user login auth, but the dynamic/random salt is throwing me off a bit. What am i missing? The random salt changes each time, so if i stored it now, and the user re-logged in the hash would be different so the db password wouldnt match the posted one..??
Thanks~
Seems 1 big catch point for making strong user password hashes is using random salts as opposed to static ones.
Random salts are the default behavior of both PHP 5.5's password_hash() and the userland implementation, password_compat.
If im checking a user logging in, surely I have to somehow have a copy of the salt used (stored in db) to check?
The salt is included in the password hash itself. There is no need to store it separately.
The random salt changes each time, so if i stored it now, and the user re-logged in the hash would be different so the db password wouldnt match the posted one..??
That's the responsibility of the password_verify() method. From the PHP docs:
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
EDIT: Password Verification and Random Salts
I think I understand where your confusion is coming from. Hopefully this will help explain password hashing, verification, and the part played by random salts.
If you look at the source of password_compat (https://github.com/ircmaxell/password_compat/blob/master/lib/password.php), you'll see that both password_hash() and password_verify() make use of PHP's crypt() function. When you create a password with password_hash(), you store it and never pass that password through password_hash() again. The algorithm, cost, and salt are all returned with the hash. Example:
$options = array('salt' => 'ThisIsTheSaltIProvide.');
$hash = password_hash('password', PASSWORD_DEFAULT, $options);
// $hash = $2y$10$ThisIsTheSaltIProvide.EcCQwybvWB3iNxIv9FwsPJEWhR/ywZ6
We could have created the same hash by using crypt directly, which is precisely what password_hash() does behind the scenes.
$hash = crypt('password', '$2y$10$ThisIsTheSaltIProvide.');
// $hash = $2y$10$ThisIsTheSaltIProvide.EcCQwybvWB3iNxIv9FwsPJEWhR/ywZ6
The hash consists of:
Algo information: $2y$ (BLOWFISH)
Cost param: 10
An extra $
The salt: ThisIsTheSaltIProvide.
Using that information, password_verify() reproduces the hash and then compares it to the persisted hash, like so:
$existingHash = $2y$10$ThisIsTheSaltIProvide.EcCQwybvWB3iNxIv9FwsPJEWhR/ywZ6
$testHash = crypt('password', '$2y$10$ThisIsTheSaltIProvide.');
// if $existingHash and $testHash match, then the password is good
A new, additional salt never comes into play.
Additionally, using RANDOM salts is important. If everyone used the same salt, then users with the same password would also have the same hash. No one wants that.
I have been looking into the options for handling passwords for user login and I had some questions about how to use CRYPT_BLOWFISH. I read about how to implement it but I would like to understand it better before I start to play with it.
so I was planning on doing something like this:
function genBlowfishSalt()
{
//return random string for Salt
}
$hash = crypt($password, '$2a$12$'. genBlowFishSalt());
my questions are as follows:
1) What is '$2a$12$' ?
2) I understand that I would have to store the salt for each user in this case, I suppose it would be acceptable to store it without its own hash? Does the salt get appended to the hashed value?
3) Upon login, how would I run a comparison of hashed values?
4) I also read that there was a concept of needing to store a number of iterations for each user, how does that factor in with the hashing of the password?
Thanks!
1) That is the salt of the hash, you need to make the salt more random (EG different salt for each user for maximum protection)
2) Yes you can store the salt in one field and the salted hash in another.
3) You would to the following steps
Get the password and username from the form
Grab the salt from the database, and then crypt() the password string with that salt
The new string that you get (hashed+salted password) you would then compare that with the database (EG is username = xxx and password = zz9zjz9) and see if any rows are returned, if there are rows returned then you know that it is the right password and log the person in.
4) I'm not sure what you mean, please elaborate!
I'm using salt to encrypt my users' passwords.
I'm using PHP, and here's a quick sample of what happens during a users registers.
Here it is:
PHP code:
// Gives me my random key. My salt generator.
$salt = uniqid(mt_rand());
// My password via what users inputs.
$userpwd;
// Then the encryption. I use a HMAC hash.
$encrypted = hmac_hash("sha256", $userpwd, $salt);
?>
Now that all works for me in my script. But my question is, how do I authenticate a user logging in? The new encrypted password is random, so I can't compare the password from the login form to the saved encrypted password in the database.
I've searched and can't find a solution. Maybe I haven't searched hard enough, but is there a way to decrypt the password? What can I do to authenticate the user with my script?
You need to generate a unique salt for each user's password, and then store the value of the salt somewhere you can retrieve it. For example, by saving the salt to a user table along with the username and hashed password. That way you can extract the known salt and run it through your function when you go to authenticate a user.
Here is an article that contains more information: Storing Passwords - done right!
And for more information about salts: salt-generation-and-open-source-software
You hash the user's inputted password the same way, then compare if the hash is the same as the one you stored.
if (hmac_hash("sha256", $_POST['password'], $saltFromDatabase) === $hashFromDatabase)
$login = true;
You also have to store the salt since it's different for each user. I would also recommend using a second salt that is constant across the application (stored on a hard config file, so that even if the database is compromised, the passwords are still safe).
Note: Hashing is not the same as encryption; It is an irreversible process.
You encrypt the password used to log in and compare it with the encrypted password in your database. :)
You compute the hash of the password user has entered, just as you do when registering them. Note that the code is semi-pseudo code, you need to adapt it to your libraries or functions.
$res = db('SELECT etc FROM users WHERE user=? AND pass=?',
$_POST['user'], hmac_hash("sha256", $_POST['pass'], $salt));
if(numRows($res) > 0) {
// continue with authentication
}
If the salt is stored in the db, then you have to either fetch it first, or do the comparison in the db.
You don't decrypt what you've stored. You hash the entered password and compare it with what was stored at registration. This is because if two hashes match then (to all intents and purposes) you can be confident that the source data matches.
Your salt needs to be constant, and not random. That way when you are checking the password against the hash, all you have to do is hash the input with the salt again, and the resulting hash should be the same as what came out before.
Please try to search StackOverflow before asking a question. Many questions are already answered. For example:
PHP & MySQL compare password
how do I create a mySQL user with hash(‘sha256’, $salt . $password)?
Secure hash and salt for PHP passwords
User Login with a single query and per-user password salt
Non-random salt for password hashes
Hi
I want that nobody can see my password even in database..
So i used hash function like this
$passowrd_hash=hash('shal',$_POST['password']);
Now easily I can store this password_hash value into database. It will be something like in encrypted form.
Now user know its original password he don't know this encrypted password.
Now if he try to login through this original password..He is not able to login.
So is there any method so that it can be decrypted and user can make log in. So he can achieve both security of password as well as login again.
How to do this?
you need to hash the user input password and compare hashes.
Before comparing the posted password by the user with the one in the database, encrypt the posted password the same way as the stored password.
All you need to do is encrypt the password you type in and compare the two; the hash in the database and the one you just encrypted. If they match then the password entered is the right one. I am assuming you are using an algorithm like SHA1.
As already answered, you need to hash the password every time they re-enter it and compare the hash to what is in your database.
You ALSO should look into using salt in your hashing algorithm. There is a good deal of discussion in this question:
Secure hash and salt for PHP passwords
You dont need to decrypt it. You cannot convert back a hash to a plain text, its a one way function. So, basically you hash the input password and compare the two hash:
E.g (pseudo code):-
if hash(password entered by user) == password stored in databse Then
//logged in successfully
else
//login failed
end if
I highly recommend using md5() http://php.net/manual/en/function.md5.php.
When the user signs up, you store:
$password = md5($_POST['password']);
And when the user logs in you check:
if($_POST['password_entered'] == $passwordFromDB) :
// Log user in
else :
// Show error to user
endif;