AJAX login: check password, how to get it to work with md5 - passwords

This is my code. It works, except for the passwords. How would I fix this? I know I should do something with MD5, but I couldn't get the solutions I found to work with my code. I really need to make this right and safe; please assist.
//get the posted values
$username = htmlspecialchars($_POST['user_name'], ENT_QUOTES);
$password = htmlspecialchars($_POST['password'], ENT_QUOTES);
// look the user up by username and by the MD5 of the submitted password
$check_for_username = $mysqli->query("SELECT username FROM q4jli_users WHERE username='$username' AND password=MD5('$password')");
// one matching row means the login is accepted
if (mysqli_num_rows($check_for_username)) {
    echo "yes";
} else {
    echo "no";
}
Thanks in advance

MD5 is outdated and no longer a sufficient method of password encryption. You should investigate salted hashes using more modern encryption algorithms.
Food for thought:
bcrypt

First of all, you need to make sure that a user's password is encrypted into the database with MD5. If not, then you can use this code:
$mysqli->query("INSERT INTO q4jli_users (username, password) VALUES ('$username', MD5('$password'))");
Then, when seeing if a user enters the correct password, you need to encrypt it to MD5 and then run a query in the database:
$check_for_username = $mysqli->query("SELECT username FROM q4jli_users WHERE username='$username' AND password=MD5('$password')");
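An added example, not code from the question or either answer: the same registration and login check done with password_hash()/password_verify() and prepared statements, which addresses the MD5 weakness the first answer points to and also stops $_POST values from being interpolated into the SQL string as the question's query does. It assumes the same q4jli_users table with a password column of VARCHAR(255) and an open $mysqli connection.

```php
<?php
// Added example: registration and login against q4jli_users without MD5 or
// string-built SQL. Assumes $mysqli is an open mysqli connection and the
// password column is VARCHAR(255), wide enough for password_hash() output.

function register_user(mysqli $mysqli, string $username, string $password): bool
{
    // PASSWORD_DEFAULT is currently bcrypt; the random salt is generated here
    // and embedded in the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare('INSERT INTO q4jli_users (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

function check_login(mysqli $mysqli, string $username, string $password): bool
{
    // Fetch only the stored hash; the username is bound, never interpolated,
    // so quotes in the POSTed value cannot change the query.
    $stmt = $mysqli->prepare('SELECT password FROM q4jli_users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() reads algorithm, cost and salt from the stored string
    // and compares in a timing-safe way.
    if (!$found || !password_verify($password, $stored_hash)) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $mysqli->prepare('UPDATE q4jli_users SET password = ? WHERE username = ?');
        $upd->bind_param('ss', $new_hash, $username);
        $upd->execute();
    }
    return true;
}

// AJAX handler: pass the raw POST values; htmlspecialchars() belongs at
// output time, not before hashing or binding.
echo check_login($mysqli, $_POST['user_name'] ?? '', $_POST['password'] ?? '') ? 'yes' : 'no';
```

Existing MD5 rows cannot be converted without the plaintext, so a migration has to re-hash each user at their next successful login or force a reset.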

Related

Argon2i password hashing and login for typo3 upgrade

I was doing a TYPO3 upgrade from version 7 to 10, but got stuck with the FE users login section. I read in the documentation that salted passwords will automatically get converted to argon2i hash values. This works correctly for BE users. I have a custom extension where I check whether the plain text password is the same as the password hash value in the database. My code is
if ($settings['feUserPid'] == $user['pid']) {
    $mode = 'FE';
    $success = GeneralUtility::makeInstance(PasswordHashFactory::class)
        ->getDefaultHashInstance($mode)
        ->checkPassword($request->getArgument('password'), $user['password']);
}
Even if the password is correct, the value of $success is always FALSE. The passwords in the database are not argon2i hash values.
How can I fix this problem? Has anyone faced an issue like this?
It's a while ago for me, but I used
$hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)->getDefaultHashInstance('FE');
$hashedPassword = $hashInstance->getHashedPassword($x);
Your method should work. Did you verify the setting of [FE][passwordHashing][className] in the Install Tool?
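An added example, not the asker's extension code or the answer's snippet, that goes beyond the answer to cover the case the question describes: rows in fe_users whose password is not yet an argon2i hash. It assumes TYPO3 10's PasswordHashFactory::get(), which selects the registered hash class matching the stored hash's format rather than the configured default, and a $user array with a 'password' key; the function name is hypothetical.

```php
<?php
// Added example for a custom FE login check where fe_users.password may
// still hold a pre-upgrade (non-argon2i) hash. Assumes TYPO3 10 core APIs.
use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Returns true when $plainPassword matches $user['password'].
 * When the stored hash was made by an older registered class (e.g. from the
 * v7 site) and verification succeeds, $newHash receives a hash produced by
 * the FE default class so the caller can write it back to fe_users.
 */
function checkFrontendPassword(array $user, string $plainPassword, ?string &$newHash): bool
{
    $newHash = null;
    $factory = GeneralUtility::makeInstance(PasswordHashFactory::class);
    try {
        // Pick the implementation by the stored hash's format, not by
        // [FE][passwordHashing][className]: the default instance is argon2i
        // after the upgrade, so its checkPassword() fails on an old hash.
        $hashInstance = $factory->get($user['password'], 'FE');
    } catch (InvalidPasswordHashException $e) {
        // No registered class recognises this hash: treat as a wrong password.
        return false;
    }
    if (!$hashInstance->checkPassword($plainPassword, $user['password'])) {
        return false;
    }
    // Hash upgrade on successful login, while the plaintext is available.
    $default = $factory->getDefaultHashInstance('FE');
    if (get_class($default) !== get_class($hashInstance)
        || $default->isHashUpdateNeeded($user['password'])) {
        $newHash = $default->getHashedPassword($plainPassword);
    }
    return true;
}
```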

I want to use the MD5 encryption method for the password field in the login form instead of the existing bcrypt encryption method

I have completed the login functionality using the Auth middleware, which uses the Bcrypt encryption method. The login functionality works fine. But we need to handle a set-password feature in which the old password must be validated. Every time, the Bcrypt method changes the password string, so the bcrypt string previously stored in the table does not match the password entered manually in the set-password form. So how do I validate the old password field if it will not match the existing saved password in the table?
$credentials = request(['email', 'password']);
$user=Auth::attempt($credentials);
You are using Laravel so you should use Hash in order to deal with passwords.
Here is all you need to know about it: https://laravel.com/docs/6.x/hashing#basic-usage
In short you can create and verify the passwords in following ways:
Create hashed password to store in DB:
$hashedPassword = Hash::make($request->password);
Verify against existing password
if (Hash::check('entered-password-by-user', $hashedPassword)) {
    // The passwords match...
}
Of course, don't forget to include the Hash facade: use Illuminate\Support\Facades\Hash;
MD5 is an ancient and very vulnerable way to go if you want to hash your passwords with it. It is HIGHLY DISCOURAGED!
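An added example, not the answer's code, of the set-password flow the question asks about on Laravel 6: the old password is never compared as a string; it is checked with Hash::check() against the bcrypt hash already stored on the authenticated user. It assumes a form posting current_password, password and password_confirmation, and a route behind the auth middleware; the controller name is hypothetical.

```php
<?php
// Added example: set-password endpoint that validates the old password
// against the stored bcrypt hash instead of comparing hash strings.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class SetPasswordController extends Controller
{
    public function update(Request $request)
    {
        $data = $request->validate([
            'current_password' => 'required|string',
            // 'confirmed' requires a matching password_confirmation field
            'password'         => 'required|string|min:8|confirmed',
        ]);

        $user = $request->user(); // route must sit behind the auth middleware

        // Bcrypt output differs on every call because each hash embeds a fresh
        // salt, so equality on the stored string can never work. Hash::check
        // reads salt and cost out of the stored hash and recomputes.
        if (! Hash::check($data['current_password'], $user->password)) {
            throw ValidationException::withMessages([
                'current_password' => ['The current password is incorrect.'],
            ]);
        }

        $user->password = Hash::make($data['password']);
        $user->save();

        return response()->json(['status' => 'password updated']);
    }
}
```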

Password history for Identity Core

Is there any default implementation for password history? I'm trying to implement that feature in my project with Identity, so I have added a password history table which contains password hashes. When the user changes the password, the user manager generates a hash for the password:
var passwordHash = _userManager.PasswordHasher.HashPassword(user, newPassword);
If this hash is not already in the password history table, it allows the password change; otherwise it returns an error.
But the problem is that each time a hash is generated for the same password, it generates random hashes which cannot be compared either:
var passwordHash = _userManager.PasswordHasher.HashPassword(user, newPassword);
The hash differs from the
_userManager.ResetPasswordAsync(user, request.Token, password);
generated password hash.
Maybe I'm trying to do this the wrong way. What mistake have I made implementing password history?
Thanks
Different hashes every time: that's how the default IPasswordHasher implementation works. Look at this answer for more details: https://stackoverflow.com/a/20622428/6104621.
So, for your password history implementation, you can either implement IPasswordHasher or just verify a new password against all stored password hashes using the method
PasswordVerificationResult VerifyHashedPassword(TUser user, string hashedPassword, string providedPassword);
Just for example:
var passAlreadyExist = user.UserHistory
    .Select(h => h.PasswordHash)
    .Distinct()
    .Any(hash =>
    {
        var res = manager.PasswordHasher.VerifyHashedPassword(user, hash, password);
        return res == PasswordVerificationResult.Success;
    });
where UserHistory is a custom table with some user info like password, email, name...

Apache basic auth, mod_authn_dbd and password salt

Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. I see that working if the password is held in the clear, but what if we use a random string as a salt (also stored in the database) and then store the hash of the concatenation?
mod_authn_dbd requires you to specify a query to select that password, not to decide if the user is authenticated or not. So you cannot use that query to concatenate the user-provided password with the salt and then compare with the stored hash.
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work?
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function.
Found another question that relates to this and links to a Java implementation. I used that implementation with a small change to calculate the database hash inside my website's normal user-creation flow. After this I could use mod_authn_dbd with this query:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"
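An added example, not the Java implementation the answer links to, of computing in PHP the $apr1$ digest that mod_authn_dbd accepts, so password_salt and password_hash can be filled at user creation and recombined by the CONCAT query above. The salt alphabet, 8-character salt limit and digest layout follow the algorithm behind apr_md5_encode; the function names and the two column names are assumptions.

```php
<?php
// Added example: the Apache "$apr1$" MD5 digest (what apr_md5_encode
// computes) in plain PHP, to fill password_salt/password_hash at signup.
function apr1_hash(string $password, string $salt): string
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = substr($salt, 0, 8);   // apr1 uses at most 8 salt characters
    $magic = '$apr1$';
    $ctx = hash_init('md5');
    hash_update($ctx, $password . $magic . $salt);
    $alt = md5($password . $salt . $password, true);
    for ($len = strlen($password); $len > 0; $len -= 16) {
        hash_update($ctx, substr($alt, 0, min(16, $len)));
    }
    for ($i = strlen($password); $i > 0; $i >>= 1) {
        hash_update($ctx, ($i & 1) ? "\0" : $password[0]);
    }
    $final = hash_final($ctx, true);
    // 1000 stretching rounds; the input order depends on the round number.
    for ($i = 0; $i < 1000; $i++) {
        $ctx = hash_init('md5');
        hash_update($ctx, ($i & 1) ? $password : $final);
        if ($i % 3) { hash_update($ctx, $salt); }
        if ($i % 7) { hash_update($ctx, $password); }
        hash_update($ctx, ($i & 1) ? $final : $password);
        $final = hash_final($ctx, true);
    }
    // crypt-style base64 over a fixed byte permutation: 22 characters.
    $to64 = static function (int $v, int $n) use ($itoa64): string {
        $s = '';
        for (; $n > 0; $n--, $v >>= 6) { $s .= $itoa64[$v & 0x3f]; }
        return $s;
    };
    $out = '';
    foreach ([[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5]] as [$a, $b, $c]) {
        $out .= $to64((ord($final[$a]) << 16) | (ord($final[$b]) << 8) | ord($final[$c]), 4);
    }
    $out .= $to64(ord($final[11]), 2);
    return $magic . $salt . '$' . $out;
}
// Split into the two columns the CONCAT query reassembles; salt is random.
function apr1_columns(string $password): array
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (unpack('C8', random_bytes(8)) as $b) { $salt .= $itoa64[$b & 0x3f]; }
    $full = apr1_hash($password, $salt);          // "$apr1$<salt>$<hash>"
    $hash = substr($full, strlen($salt) + 7);     // skip "$apr1$" and the "$" separator
    return ['password_salt' => $salt, 'password_hash' => $hash];
}
```

Apache does the comparison itself against the concatenated string, so the application only produces the two columns; where the Apache build accepts bcrypt ($2y$) in the same password formats, that is the stronger choice over the MD5-based apr1.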

PasswordHasher updating user information

The PasswordHasher takes in a generic TUser and then takes the user's object for hashing and verifying, something like this:
var result = hash.VerifyHashedPassword(user, HashedPassword, Password);
string HashedPassword = hash.HashPassword(user, Password);
So I am assuming the user data is used to hash the password and then to verify. But doesn't this mean I need to rehash the password? If so, wouldn't that mean each time the user changes any of his account info he also needs to re-enter his password or is there a way around it where I can rehash it without asking the user for his password?