Technically speaking is there any difference to these two login flows
The first:
Find user by email/username/etc.
Use a library like bcrypt to compare plain text password to hashed one
Return user if comparison true / return invalid credentials if comparison false
The second:
Hash the plain text password sent by user
Search for user by both the email and hashed password
If user found return him to the client / if user not found return invalid credentials
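The two flows behave differently once the hash is salted, which is the case for bcrypt. As an added illustration (not part of the question above), the Python below uses salted PBKDF2 as a stand-in for bcrypt, since bcrypt needs a third-party library, and the in-memory dict is an assumed stand-in for the user table:

```python
import hashlib
import hmac
import os

# Constructed stand-in for the users table: email -> stored hash record.
USERS = {}

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (stand-in for bcrypt, which also embeds a
    random salt). A fresh random salt is drawn whenever none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Re-hash with the salt taken from the stored record, compare in
    constant time (this is what bcrypt's compare() does for you)."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def register(email, password):
    USERS[email] = hash_password(password)

def login_flow_1(email, password):
    """Flow 1: find the user by email, then verify against the stored hash."""
    stored = USERS.get(email)
    # Note: a production version would run a dummy verify when the email is
    # unknown, so response time does not reveal which accounts exist.
    if stored is not None and verify_password(password, stored):
        return email
    return None

def login_flow_2(email, password):
    """Flow 2: hash first, then look up by (email, hash). With a salted hash
    the candidate carries a new random salt and never equals the stored
    record, so every login fails; it only works for unsalted hashes."""
    candidate = hash_password(password)
    return email if USERS.get(email) == candidate else None
```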
Related
I am trying to send an email using an SMTP server through telnet.
For AUTH PLAIN authentication I can use this string, which is the username and password combined (ex: dGhpc0lzTXlVc2VybmFtZVRoaXNJc015UGFzc3dvcmQ=).
Now I need to use AUTH LOGIN to authenticate instead of AUTH PLAIN, which means I need the username and password separated.
My question is:
How can I "divide" this string?
Or, is there a way to find out the username and password if I authenticated through LOGIN PLAIN so that I can later use it in AUTH LOGIN?
First of all, you should use openssl instead of telnet. If you don't have the username and the password separately to start with, you base64-decode the PLAIN string, split it at the null character, and then base64-encode the username and the password separately.
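As an added example (not part of the answer above), here is the decode, split at NUL, re-encode step in Python. A SASL PLAIN token is [authzid] NUL authcid NUL password (RFC 4616); the sample token is constructed here, and a token with no NUL separator at all, like the one quoted in the question, is rejected rather than guessed at:

```python
import base64

def split_auth_plain(token):
    """Decode a base64 SASL PLAIN token and return (authzid, username, password)."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) == 3:
        authzid, authcid, passwd = parts
    elif len(parts) == 2:  # some clients send "authcid NUL passwd" with no authzid field
        authzid, (authcid, passwd) = b"", parts
    else:
        raise ValueError("not a PLAIN token: expected one or two NUL separators")
    return authzid.decode(), authcid.decode(), passwd.decode()

def to_auth_login(token):
    """Return the two base64 lines a client sends after 'AUTH LOGIN':
    first the username, then the password, each encoded separately."""
    _, username, password = split_auth_plain(token)
    return (base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode())

# Constructed sample: empty authzid, then username and password.
SAMPLE_PLAIN = base64.b64encode(b"\x00user@example.com\x00s3cret").decode()
```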
The string used by AUTH PLAIN is simply a combination of the username and the password encoded in base64. To divide it, we can decode from base64 and try to divide them.
The first part of the string is the username and the second is the password.
I am trying to use the Pimcore password datatype. It is working fine and the password is stored as encrypted data.
Now I need to check the correct username and password. I could not match the encrypted password. I want to get the username and password using an API request. If the username and the password are correct, then return a value.
The password is hashed before it is stored in the database. Have a look at the Password class within this path:
pimcore/models/DataObject/ClassDefinition/Data/Password.php
If you want to compare with the hashed password in the database, then use the functions of the password datatype. The password to compare also has to be hashed.
Have a closer look at the functions calculateHash() and verifyPassword() within the class. You should be able to compare passwords by using those functions.
Here is an example:
use Pimcore\Model\DataObject\ClassDefinition;
use Pimcore\Model\DataObject\User;

// Look up the user object by the submitted email (assumes a DataObject class "User" with an "email" field)
$user = User::getByEmail($email, ['limit' => 1, 'unpublished' => false]);
$classDefinition = ClassDefinition::getById(User::classId());
/** @var \Pimcore\Model\DataObject\ClassDefinition\Data\Password $passwordFieldDefinition */
$passwordFieldDefinition = $classDefinition->getFieldDefinition('password');
// verifyPassword() hashes the submitted plain-text password the same way and compares it to the stored hash
$verified = $passwordFieldDefinition->verifyPassword($password, $user, false);
I have completed login functionality using Auth middleware, where I used the Bcrypt encryption method. Login functionality works fine. But we need to handle set-password functionality, where the old password needs to be validated. But every time the Bcrypt method changes the password string, so the previously stored bcrypt string of the password in the table does not match the manually entered password in the set password form. So how do I validate the old password field if it will not match the existing saved password in the table?
$credentials = request(['email', 'password']);
$loggedIn = Auth::attempt($credentials); // returns true/false, not the user; use Auth::user() afterwards
You are using Laravel so you should use Hash in order to deal with passwords.
Here is all you need to know about it: https://laravel.com/docs/6.x/hashing#basic-usage
In short, you can create and verify passwords in the following ways:
Create a hashed password to store in the DB:
$hashedPassword = Hash::make($request->password);
Verify against the existing password:
if (Hash::check('entered-password-by-user', $hashedPassword)) {
// The passwords match...
}
Of course, don't forget to include the Hash facade: use Illuminate\Support\Facades\Hash;
md5 is an ancient and very vulnerable way to go if you want to hash your passwords with it. It is HIGHLY DISCOURAGED!
I am working on ATG 11.2; my requirement is as below:
The user will click on the forgot password button, and a link with an encoded user id and a temporary password will be sent by email. The user will click on the link sent in the email and will be redirected to ResetPassword.jsp, where he will get an option to fill in the temporary password sent in the email, the new password and the confirm password respectively.
I am using ForgotPasswordHandler for this implementation. I have read that the forgotPasswordHandler method replaces the password property with the newly generated password. Therefore I'm storing the input box value of the temporary password in ProfileFormHandler.value.oldpassword.
The values are as below:
Temporary Password:
New Password:
Confirm Password:
But, when I am debugging the handleChangePassword method in ProfileForm, it is not able to compare the passwords properly. Please suggest if my approach is correct, or what I need to override in the method, if anything is required.
ATG stores passwords in encrypted format.
You need to store your oldPassword in encrypted format too. The passwords will not be equal unless both passwords are hashed and are the same.
Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in the clear, but what if we use a random string as a salt (also stored in the database) and then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query to select that password, not to decide whether the user is authenticated or not. So you cannot use that query to concatenate the user-provided password with the salt and then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth, it seemed that I could make this work if the hash is done using the apr_md5_encode function.
I found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website's normal user-creation flow. After this I could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"