I have succeded in hashing my password for my admin user, the problem is now that i can no longer use the original password to log in (no errors, exept the correct response for invalid passwords). I am able to to select the user table and just copy in the hashed password from PGadmin (using PostgreSQL). Im not really sure where to go from here.
1. I think i have to get my login form to recognize the hashed password, and somehow match it up with the original.
2. figure out how to add salt and pepper to the hash
I am not looking for the exact solution, but maybe some hints to get further :)
Code
function createAdmin(){
var usertypeid = null;
const type = "adm";
pool.query(`INSERT INTO usertype(type) VALUES ($1) RETURNING userTypeId;`, [type], function (error, results) {
if (error){
throw error;
} else{
usertypeid = results.rows[0].usertypeid;
console.log(usertypeid);
insertAdmin();
}
});
function insertAdmin(){
pool.query(`
INSERT INTO users(
usertypeid, userName, email, password)
VALUES($1, 'admin', 'admin#admin.com', CRYPT('admin', GEN_SALT('md5')));`, [usertypeid]);
}
}
As mentioned in the comments, don't use MD5 anymore as it's deprecated a long time ago.
The other thing is that hashing is different from encrypting. You can't decrypt a hash like you do with a cipher.
What should happen is that you run the plaintext through the hashing algorithm and then see if it matches the original hash computed at the beginning.
For Node.js there are good libraries out there like bcrypt which can be used to simplify the process and perhaps make it more secure.
If you insist to perform your own validation procedure, then it should be like the following:
Get the user's password from the login form
Run it through the hashing algo of your choice (no MD5 please)
Query the database for the hashed password
Compare if the hashed password from the login form is the same as the one in the DB
As the docs say, you want something like this (renaming table and columns to match your example):
SELECT (password = crypt('entered password', password)) AS pswmatch FROM users where username='admin';
The value stored in users.password from your insertion is a combination of the algorithm, the salt, and result of hashing the actual password with that algorithm and salt. Now you pass users.password into crypt again, so that it can extract from it the algorithm and the salt. It then uses that algorithm and salt to recompute the hash of the alleged password. If the re-computed value matches the stored value, then the alleged password is correct.
Related
I am hashing password using nodejs "bcrypt" module. this is my hashing function...
and here i am calling my function
But in databases password is not saving. In databases field is empty every time when i register. How can i fix it?
Here is database entry record
You have nothing saved inside your database because you choose to use the asynchronous bcrypt hash function.
It should work if you use the synchronous one. ( replace your bcrypt hash by this one)
let hash = bcrypt.hashSync('password', 10);
return hash;
I have this functionality for my website:
password change functionality
but I don't know how to make that work?
this is data of one of my user:
{
"_id" : ObjectId("58529494f2c495228479660f"),
"salt" : "42499bf0fdc9280bf8eaac90e2f5e482c24913ef53897bdba67f9482816f3e3d",
"hash" : "c316f0c3ab55a138c2a2e4880058c74810b9ed63c8fde8d6c992c80d0cd56ecab6bcc3c090fcab8fa4ebff61e68c457793e683bcbea9b7af7afa52e544e4b6cc4393b5b42c2e1c7e74dbd1a5c5fcd710563060dfff0dc4f30f2bb2f164bacccb6866add883466bb38d7c65992560c5f34936eda191749d4bc39af5c3c177aa2af0aa947bec642586210284285c7a959d6fcd7ae8ff2000792210f4ea8d1627df9a855a074d0620a3aaf7037264874a88207023b596d68f199939c2afe1aedf60f9bd73ecbf27fa0b6285e8157b89b4bc26e9838eed53b4082e330e01d5f11266b920d48f18492dc25404b920eab3f258eda0a21f40ea6b3496ce27358c1a67b58807169ac8ecd19d73069f72cdabab89e4755236911f9a641c3cc1858c1c3379c6041a6422fca985ffff932a14490c1cede3a04a6ef88e9d3bcf894fac5865db48fa253796041e682d7e132d70cefd53a610dfb761e30382444fdfce6cb7e7c79c61e14e6a36ebfbe2d20e4aed88ec6e885a45d951959e186464eb6c4ee9501e17d029be8afa4ed2d3b3142639872edef993a0c45dc717e36cd6022bcb25991df499afc90d35cf803a97a043f45e392bfd4c12f6b959a58d3d18017cea3f8d63bf3c6a5aded3d5aa1269054ee5c9a32bc2e10c251fc12afb5d60f22b8723d79f792398f7bf4fe791b29d6a24438399d28bc9197ea95cf7d6cc22e64fe1a954de",
"username" : "Isaac",
"__v" : 0,
"email" : "isaac#gmail.com",
"name" : "Isaac"}
In order to reset the password we need to:
1- want user to put their current password
2- if that was true, we should delete the current password and replace the new hashed password with that
but I do not know how to do that, I can get their current password, new password and repeated password, but I do not know how to compare their password with current one.
I will be really greatful if anyone can help me.
You have to compare tow hash values of old password and new password. First of all make a hash value of your new password using the given salt. and then compare with your old one.
So the idea basically is to take the user's new password , generate the salt, which will be used to encrypt the password and then pass the salt and the new password to generate the hash which is a combination of your new password and the salt you generated.
so first generate the salt and then generate the hash.
Next time when the user logins again get the salt from database then use the password specified by the user with the salt and generate the hash. Compare the two hash(one from the database and one user gave).If equal log him in else incorrect password.
Go through the documentation of crypto for better understandibity.
I have a key which is salted and hashed using SHA-256. if I use bcrypt for compare this, Dose bcrypt know which hashing method has been using for hash the key. Or I need to define the method in somewhere.
bcrypt.compare("string","base256-hashed-and-salted-key", function(err, res) {
// res == true
});
The first parameter is the string you're wanting to check (e.g. password from a login form). The second parameter is the hash value you got as a result of bcrypt.hash() that you retrieve from a database or some other data store.
bcrypt does not care if the string you hash is pre-hashed with SHA-256 or if it's just the plain text password itself. bcrypt hashes any kind of data.
I would like to have a piece of code that is able to check if a given password match the one stored in the crowd cwd_user table.
The passwords in that table starts with "{PKCS5S2}..." and I found in the link below that crowd is using the PBKDF2 algorithm:
The default is "Atlassian Security", which is currently a dumb wrapper around Bouncy Castle's implementation of PKCS 5 version 2 (aka PBKDF2), using a random 16 byte salt, 10, 000 iterations, and generating a 256-bit hash as the final output
https://answers.atlassian.com/questions/235858/password-security
Is anybody able to provide me a method I can use to match that password?
For example, if I create a user "toto" with password "1234", I get the following row in my database :
user_name credential
------------- -------------------------------------------------------------------------
toto {PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n
I would like a method such that:
public String getHash(String rowPassword){
// ?????
}
where
getHash("1234") returns "{PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n"
As a Crowd customer, you have access to the class AtlassianSecurityPasswordEncoder which is exactly that.
The underlying encoder chooses a random salt, ignoring the one passed in, so encodePassword won't give you the same hash each time. Use isPasswordValid to confirm that the password and hash match.
I'm trying to save passwords in my database, and I want to hash them with either MD5 or SHA2.
I googled it and found a lot of very different topics with long lines of code all the time, I don't know why.
Isn't it possible to store a password with one line of code with crypto.js ?
e.g.
var crypto = require('crypto-js')
collection.insert(user: "my user", password: crypto.sha2("my-password")
So later, I can do the simplest auth ever and process the result of this db request:
db.findOne({use:"my user", password: crypto.sha2("my-password") etc...
You shouldn't use general-purpose hash algorithms such as SHA-2 for storing passwords. See: http://codahale.com/how-to-safely-store-a-password/