Actually my problem is hash_password make a diffrent hash each time with same word i dont know how to check my input password with data base
I have a hashed password in my db and im trying to hash my input with same algorythm but i get a diffrent value
$pass = password_hash($_post["pass"] , ARGON2I);
If($pass === $admin["Pass"]){
echo "success";
else
echo "failed";
Assuming the language is PHP:
password_hash creates a unique hash each time even for the same password, this is because there is a random salt used each time. The salt is included in the result of password_hash.
To verify the hashed password use password_verify which uses the salt saved with the hash to compare and return a match or not.
The reason for the unique hashing is so that two users with the same password do not hash to the same value so that knowing one does not allow knowing other user's passwords from a matching hash.
See the linked documentation.
i got my login page, and on it I am also using it to autheticate both username and password.
im stuck on checking the password against that provided in the database. This is because I've done this code in my registration for more security.
$hashed_password = crypt('pass1');
Would anyone be able to assist me in creating a if statement to check the database encrypted password to that of the user provided. I really appreciate it.
in the login page....this is my password post.
$password = htmlentities(trim($_POST['password']));
// let the salt be automatically generated
$hashed_password = crypt('mypassword');
// You should pass the entire results of crypt() as the salt for comparing
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
EDIT
crypt() takes two paramaters, and second is so called salt (see wiki). If not provided, salt will be autogenerated (hence can be considered random). Salt is used in the whole alghorithm, therefore to compare you want to crypt() user provided password with the same salt you did before otherwise result will be different. To make this possible salt is added to crypt result (at the begining) so providing previous result for comparion purposes simply feeds crypt() with old salt (it is either 2 or 12 chars depending on alghoritm used).
I'm using salt to encrypt my users' passwords.
I'm using PHP, and here's a quick sample of what happens during a users registers.
Here it is:
PHP code:
// Gives me my random key. My salt generator.
$salt = uniqid(mt_rand());
// My password via what users inputs.
$userpwd;
// Then the encryption. I use a HMAC hash.
$encrypted = hmac_hash("sha256", $userpwd, $salt);
?>
Now that all works for me in my script. But my question is, how do I authenticate a user logging in? The new encrypted password is random, so I can't compare the password from the login form to the saved encrypted password in the database.
I've searched and can't find a solution. Maybe I haven't searched hard enough, but is there a way to decrypt the password? What can I do to authenticate the user with my script?
You need to generate a unique salt for each user's password, and then store the value of the salt somewhere you can retrieve it. For example, by saving the salt to a user table along with the username and hashed password. That way you can extract the known salt and run it through your function when you go to authenticate a user.
Here is an article that contains more information: Storing Passwords - done right!
And for more information about salts: salt-generation-and-open-source-software
You hash the user's inputted password the same way, then compare if the hash is the same as the one you stored.
if (hmac_hash("sha256", $_POST['password'], $saltFromDatabase) === $hashFromDatabase)
$login = true;
You also have to store the salt since it's different for each user. I would also recommend using a second salt that is constant across the application (stored on a hard config file, so that even if the database is compromised, the passwords are still safe).
Note: Hashing is not the same as encryption; It is an irreversible process.
You encrypt the password used to log in and compare it with the encrypted password in your database. :)
You compute the hash of the password user has entered, just as you do when registering them. Note that the code is semi-pseudo code, you need to adapt it to your libraries or functions.
$res = db('SELECT etc FROM users WHERE user=? AND pass=?',
$_POST['user'], hmac_hash("sha256", $_POST['pass'], $salt));
if(numRows($res) > 0) {
// continue with authentication
}
If the salt is stored in the db, then you have to either fetch it first, or do the comparison in the db.
You don't decrypt what you've stored. You hash the entered password and compare it with what was stored at registration. This is because if two hashes match then (to all intents and purposes) you can be confident that the source data matches.
Your salt needs to be constant, and not random. That way when you are checking the password against the hash, all you have to do is hash the input with the salt again, and the resulting hash should be the same as what came out before.
Please try to search StackOverflow before asking a question. Many questions are already answered. For example:
PHP & MySQL compare password
how do I create a mySQL user with hash(‘sha256’, $salt . $password)?
Secure hash and salt for PHP passwords
User Login with a single query and per-user password salt
Non-random salt for password hashes
Hi
I want that nobody can see my password even in database..
So i used hash function like this
$passowrd_hash=hash('shal',$_POST['password']);
Now easily I can store this password_hash value into database. It will be something like in encrypted form.
Now user know its original password he don't know this encrypted password.
Now if he try to login through this original password..He is not able to login.
So is there any method so that it can be decrypted and user can make log in. So he can achieve both security of password as well as login again.
How to do this?
you need to hash the user input password and compare hashes.
Before comparing the posted password by the user with the one in the database, encrypt the posted password the same way as the stored password.
All you need to do is encrypt the password you type in and compare the two; the hash in the database and the one you just encrypted. If they match then the password entered is the right one. I am assuming you are using an algorithm like SHA1.
As already answered, you need to hash the password every time they re-enter it and compare the hash to what is in your database.
You ALSO should look into using salt in your hashing algorithm. There is a good deal of discussion in this question:
Secure hash and salt for PHP passwords
You dont need to decrypt it. You cannot convert back a hash to a plain text, its a one way function. So, basically you hash the input password and compare the two hash:
E.g (pseudo code):-
if hash(password entered by user) == password stored in databse Then
//logged in successfully
else
//login failed
end if
I highly recommend using md5() http://php.net/manual/en/function.md5.php.
When the user signs up, you store:
$password = md5($_POST['password']);
And when the user logs in you check:
if($_POST['password_entered'] == $passwordFromDB) :
// Log user in
else :
// Show error to user
endif;
I have a LAMP (PHP) website which is becoming popular.
I played it safe by storing the user passwords as md5 hashes.
But I now see that's not secure; I should have salted the md5 hash - because it's currently possible to decode unsalted md5 hashes using rainbow tables.
What can I do?
I don't want to make everyone type a new password.
You can do a "2 step hashing" instead of creating a hash in a single step.
You could append each password hash to the username, and then hash it again. This will create an undecryptable hash thats salted with unique informations.
The usual process of salting is
salt+PWD -> hash
You could do something like:
PWD -> Hash -> UserID+Hash -> Hash
(Note the UserID was only picked so a unique salt for each double hash exists... Feel free to make your salt more complex)
You can salt them on the fly. Add a piece of code so that, when someone logs in, it does the normal process (computes the MD5 sum of the password and checks it against the stored hash) and if that succeeds, recompute a salted version of the hash from the clear-text password they entered, and store it in the password file.
The only wrinkle is that you'll need to add an indicator for whether each MD5 is salted or not, since you'll have a mix of both for a while. Or, for a minor loss of security, you can check each password salted and unsalted and if either one hits, accept the login. Of course, if you detect that it was unsalted, then you upgrade at that point.
The answer is simple, make sure the keep a record or some sort of flag of which users have passwords on the new system of hashing, when they next login, authenticate them, calculate the new hash, flip the flag.
Now whenever someone logs in and the flag is set, authenticate them with the new hash.
Why not add a new column new_pwd to your user table, which stores the result of md5($originallyHashOfPwd . $salt). You can then precompute new_pwd and once that's done adjust your login checking to compare the result of md5(md5($entered_pwd) . $salt) to what's in new_pwd. Once you're done switching your login checking, delete the old column.
That should stop rainbow-table style attacks.
You can still use a salt. Just calculate another hash from the current hash together with a salt:
$newHash = md5($salt.$oldHash);
For new passwords you then need to use:
$hash = md5($salt.md5($password));
A great way to update the passwords while also making them more secure is to change to using a salted SHA1 for passwords. A SHA1 is harder to create a collision against, and it also has a different string length to MD5. A MD5 is 32 characters long, while a SHA1 is 40 characters long.
To convert these in PHP, you first check the string length of the stored password. If it is 32 characters long, check the password using your old method and afterwards, write a new one using SHA1 to the database.
If I remember correctly, this is precisely how WordPress handled this issue.
Dynamically re-encrypt the passwords when the users log in the next time, i.e. first check whether it’s correct, afterwards encrypt it with a salt and store it again.
You can migrate the passwords by adding a column in your tables to store the new format.
When a user logs in successfully, if the new column is empty, put the stronger password in there and empty out the original column. If the new column has an entry, compare the input to the value in there.
Two options here
Decode the passwords yourself, and re-encode them with a salt (I recommend something a little more fancy than MD5). You should inform the users that you're viewing their passwords unencrypted. It'll probably take a lot of time as well.
Make them retype their passwords, and store those salted and encrypted.
As far as I can see, there is no other way of recovering the passwords.
EDIT:
Although MD5 is a hash and should not be decodable, it can be broken using rainbow tables: with probability almost one, you can find a unique (here's the probability) string of at most, say, 20 characters with a given hash, especially if your character set is limited, say, to alphanumeric. Strictly speaking, this is not decoding. For all practical purposes, it is.
Extra note: producing the rainbow tables, and looking up 1000 password is still going to take a lot of time.
Salt the original hash as mentioned by others. Just a few pointers here:
Salts are better the longer they are. Also if they contain more then just [a-z0-9] but length is better first of all.
If someone already has a copy of your DB and you rehash the same passwords with salt, the rehash the old hash with salt will not work. Instead you really should force users to make a new password.
You should match new passwords (and passwords to be salted) up against various lists of the most commonly used passwords. These are used in "brute force" attacks. Prompt/force the user to change the password.
If you're moving away from MD5, you should go skip simply salting and go to an even better technique called stretching. In particular you should use bcrypt (implemented as PHPASS with php).
Here is a great link on why bcrypt: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
And here is a short How To:
1. Download the phpass package: http://www.openwall.com/phpass/
2. Look at test.php for examples like the one below:
require 'PasswordHash.php';
$t_hasher = new PasswordHash(8, FALSE);
$correct = 'plaintextpassword';
$hash = $t_hasher->HashPassword($correct);
$check = $t_hasher->CheckPassword($correct, $hash);
If $check===true (which is the case above) then the password is correct.
If your password is 'hello', you would hash it using HashPassword, put the hash in a database, and when a user logs in, call CheckPassword(userenteredpassword,hashInDb) to see if the password is correct
sadly, your only way is to tell your users to renew their passwords.
you could also generate random passwords, but that is the same hassle.
edit
you could just double encode your stored passwords. so your new salted hashing algorithm would be:
md5(md5($new_password).$salt).':'.$salt
to update your old passwords use
md5($old_password.$salt).':'.$salt
to check if a provided password is correct simply use
list($stored_password, $salt) = explode(':', $salted_password);
if(md5(md5($provided_password).$salt) == $stored_password) {
// you are now logged in
}