How to change my user password in passport? - node.js

I have this functionality for my website:
password change functionality
but I don't know how to make that work?
this is data of one of my user:
{
"_id" : ObjectId("58529494f2c495228479660f"),
"salt" : "42499bf0fdc9280bf8eaac90e2f5e482c24913ef53897bdba67f9482816f3e3d",
"hash" : "c316f0c3ab55a138c2a2e4880058c74810b9ed63c8fde8d6c992c80d0cd56ecab6bcc3c090fcab8fa4ebff61e68c457793e683bcbea9b7af7afa52e544e4b6cc4393b5b42c2e1c7e74dbd1a5c5fcd710563060dfff0dc4f30f2bb2f164bacccb6866add883466bb38d7c65992560c5f34936eda191749d4bc39af5c3c177aa2af0aa947bec642586210284285c7a959d6fcd7ae8ff2000792210f4ea8d1627df9a855a074d0620a3aaf7037264874a88207023b596d68f199939c2afe1aedf60f9bd73ecbf27fa0b6285e8157b89b4bc26e9838eed53b4082e330e01d5f11266b920d48f18492dc25404b920eab3f258eda0a21f40ea6b3496ce27358c1a67b58807169ac8ecd19d73069f72cdabab89e4755236911f9a641c3cc1858c1c3379c6041a6422fca985ffff932a14490c1cede3a04a6ef88e9d3bcf894fac5865db48fa253796041e682d7e132d70cefd53a610dfb761e30382444fdfce6cb7e7c79c61e14e6a36ebfbe2d20e4aed88ec6e885a45d951959e186464eb6c4ee9501e17d029be8afa4ed2d3b3142639872edef993a0c45dc717e36cd6022bcb25991df499afc90d35cf803a97a043f45e392bfd4c12f6b959a58d3d18017cea3f8d63bf3c6a5aded3d5aa1269054ee5c9a32bc2e10c251fc12afb5d60f22b8723d79f792398f7bf4fe791b29d6a24438399d28bc9197ea95cf7d6cc22e64fe1a954de",
"username" : "Isaac",
"__v" : 0,
"email" : "isaac#gmail.com",
"name" : "Isaac"}
In order to reset the password we need to:
1- want user to put their current password
2- if that was true, we should delete the current password and replace the new hashed password with that
but I do not know how to do that, I can get their current password, new password and repeated password, but I do not know how to compare their password with current one.
I will be really greatful if anyone can help me.

You have to compare tow hash values of old password and new password. First of all make a hash value of your new password using the given salt. and then compare with your old one.

So the idea basically is to take the user's new password , generate the salt, which will be used to encrypt the password and then pass the salt and the new password to generate the hash which is a combination of your new password and the salt you generated.
so first generate the salt and then generate the hash.
Next time when the user logins again get the salt from database then use the password specified by the user with the salt and generate the hash. Compare the two hash(one from the database and one user gave).If equal log him in else incorrect password.
Go through the documentation of crypto for better understandibity.

Related

Cant use original password, after hash (pgcrypto)

I have succeded in hashing my password for my admin user, the problem is now that i can no longer use the original password to log in (no errors, exept the correct response for invalid passwords). I am able to to select the user table and just copy in the hashed password from PGadmin (using PostgreSQL). Im not really sure where to go from here.
1. I think i have to get my login form to recognize the hashed password, and somehow match it up with the original.
2. figure out how to add salt and pepper to the hash
I am not looking for the exact solution, but maybe some hints to get further :)
Code
function createAdmin(){
var usertypeid = null;
const type = "adm";
pool.query(`INSERT INTO usertype(type) VALUES ($1) RETURNING userTypeId;`, [type], function (error, results) {
if (error){
throw error;
} else{
usertypeid = results.rows[0].usertypeid;
console.log(usertypeid);
insertAdmin();
}
});
function insertAdmin(){
pool.query(`
INSERT INTO users(
usertypeid, userName, email, password)
VALUES($1, 'admin', 'admin#admin.com', CRYPT('admin', GEN_SALT('md5')));`, [usertypeid]);
}
}
As mentioned in the comments, don't use MD5 anymore as it's deprecated a long time ago.
The other thing is that hashing is different from encrypting. You can't decrypt a hash like you do with a cipher.
What should happen is that you run the plaintext through the hashing algorithm and then see if it matches the original hash computed at the beginning.
For Node.js there are good libraries out there like bcrypt which can be used to simplify the process and perhaps make it more secure.
If you insist to perform your own validation procedure, then it should be like the following:
Get the user's password from the login form
Run it through the hashing algo of your choice (no MD5 please)
Query the database for the hashed password
Compare if the hashed password from the login form is the same as the one in the DB
As the docs say, you want something like this (renaming table and columns to match your example):
SELECT (password = crypt('entered password', password)) AS pswmatch FROM users where username='admin';
The value stored in users.password from your insertion is a combination of the algorithm, the salt, and result of hashing the actual password with that algorithm and salt. Now you pass users.password into crypt again, so that it can extract from it the algorithm and the salt. It then uses that algorithm and salt to recompute the hash of the alleged password. If the re-computed value matches the stored value, then the alleged password is correct.

Finding one parameter using another in a document MongoDB

For example, I have a document:
{
"_id": "59f70449ee870802b43de37c",
"email": "johnsmith#gmail.com",
"password": "test123",
"__v": 0
}
How do I access 'password' by only knowing 'email'? I'm trying to write it so that once I find email, I will then use it to check its password.
As #Neil suggested you can use find query to get the password .
You said your password is decrypted . So first thing check out from where the crypt algorithm was applied in password . Identify the hashing algorithm applied in password .
why you need to fetch password .I think to compare to some send password from frontend for login purpose, it is always critical not to fetch it in frontend .
This is the strategy you can follow .
1) Check which crypto is applied to password in mongodb , the password may be changed at time of saving by backend application.
2) Then when you want to compare password you can convert sent password by same algorithm and compare the both password.
most of the time we use an algorithm which can not be converted to original password , so this is the strategy .

How does bcrypt know which hashed method has been used

I have a key which is salted and hashed using SHA-256. if I use bcrypt for compare this, Dose bcrypt know which hashing method has been using for hash the key. Or I need to define the method in somewhere.
bcrypt.compare("string","base256-hashed-and-salted-key", function(err, res) {
// res == true
});
The first parameter is the string you're wanting to check (e.g. password from a login form). The second parameter is the hash value you got as a result of bcrypt.hash() that you retrieve from a database or some other data store.
bcrypt does not care if the string you hash is pre-hashed with SHA-256 or if it's just the plain text password itself. bcrypt hashes any kind of data.

Yii2 - how to properly use generatePasswordHash()?

I'm trying to generate a random password for a user in a Yii2 application.
I have the following code:
$rand_password = Yii::$app->security->generateRandomString(8);
$user->password = Yii::$app->security->generatePasswordHash($rand_password);
After that I save the $user model and the hashed string is also saved in the database. However, I cannot log in with the $rand_password string after that as I'm getting Invalid Password error message.
The generatePasswordHash description says that the hash is generated from the provided password and a random salt string. Indeed, I called the function with the same password string several times in a row and I got different result every time. So my question is, if that salt string is random and different every time, how can I use this function at all to verify passwords? When I try to login I call the same function with the password string provided by the user but this time the salt will be different so I'm unable to produce the same hash as before? What am I missing here?
Well, after hours of debugging and looking for resources and explanation, it turns out the the user module I'm using: https://github.com/amnah/yii2-user is actually automatically hashing the passwords before saving them in the database. In other words, as soon as you call:
$user->password = SOMETHING;
that SOMETHING is automatically going through the generatePasswordHash() function upon save. My problem was that I was dropping it in there in my code as well so basically the password got hashed twice.

How to match crowd database passwords?

I would like to have a piece of code that is able to check if a given password match the one stored in the crowd cwd_user table.
The passwords in that table starts with "{PKCS5S2}..." and I found in the link below that crowd is using the PBKDF2 algorithm:
The default is "Atlassian Security", which is currently a dumb wrapper around Bouncy Castle's implementation of PKCS 5 version 2 (aka PBKDF2), using a random 16 byte salt, 10, 000 iterations, and generating a 256-bit hash as the final output
https://answers.atlassian.com/questions/235858/password-security
Is anybody able to provide me a method I can use to match that password?
For example, if I create a user "toto" with password "1234", I get the following row in my database :
user_name credential
------------- -------------------------------------------------------------------------
toto {PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n
I would like a method such that:
public String getHash(String rowPassword){
// ?????
}
where
getHash("1234") returns "{PKCS5S2}m+u8ed1RKRew3jjHPilZw0ICL6BG/qyeN+kVRRS9nsO+VK7Q5I0vCK3gLvCFWC3n"
As a Crowd customer, you have access to the class AtlassianSecurityPasswordEncoder which is exactly that.
The underlying encoder chooses a random salt, ignoring the one passed in, so encodePassword won't give you the same hash each time. Use isPasswordValid to confirm that the password and hash match.

Resources