I'm trying to import users credentials from one database schema to another one without users needing to create a new password, So first user table (the one I need to import to the new site) uses sha256+salt(I think) and my new site is using md5+salt (I think) I have access to all files and stuff so I could locate the salt that's being used if I can somehow reverse engineer the sha256 to make it md5?
Is there a way to do this? if so how would I approach it?
an example of the password would be:
old site: e3e922af8a36de975983b075b3bf5336bbb26c8008aa5d9b39aef8d85cb7eb32
new site: $S$Dbj.yBTjHV97QNLHwuoykWxzpNL9bxxFl4b8uoP1u1rJzCyDZb.e
I'll appreciate any input, Thank you!
Update: new site uses base64encode + salt which I know what is, just to be clear I'm not trying to actually be able to see their password in plain text, Can I convert sha256 -> base64encode with some mysql commands or something if I know the salt?
Unless you're prepared to crack their password, no, you can't convert as SHA2-256 hash to an MD5 one. You need to know the content that generated the hash in the first place.
When migrating from one hashing type to another the best plan is to normalize all your password hashes into a consistent form first and the Modular Crypt Format is the most widely supported.
If you can wrangle your old hashes into that form then you should be able to use them with password_verify. You can also update user passwords as they log-in by re-writing them with password_hash which uses Bcrypt by default.
Over time you can stomp out old SHA2-256 and MD5 passwords and limit your exposure.
Related
I need some help figuring out how to solve this, here's the thing:
I have imported a list of users from a csv file in my database, however, I want to create some new passwords for all of them using bcrypt, since I'm using laravel and I use bcrypt to store passwords when I create or update a password value from there. So, I don't know if there's any possibility to make a SQL query to hash them all, create a script, or hash them one by one. I'm kinda new to using advanced phpmyadmin functions. All help will be very appreciated.
Thanks in advance
use this function to hash your password
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
I'm working with an app that provides basic username and password authentication to access their API. Specific access to this api would be on an user-by-user basis and their rights in the external application. What is the best way to store these external credentials, and what is the best say to pass them back to the app?
I'm currently working with Node.js using Express, and MySQL.
I'm looking for specific technologies to possibly use? I'm a bit new, and was trying to hash them and save them to the database, but then I don't know how to send it back to the application...
Definitely don't try to roll your own security, invest in an a proper, industry tried & tested, user authentication service like:
Okta
AWS Cognito
Azure AD B2C
Auth0
And the likes, you won't regret it.
Hashing the password to store it in the database is usually the least you should do to keep this information safe. It is necessary however that the way you hash it is also an approved and secure way, so not every hashing algorithm is useful here. There are a lot of ways to do this, you should always rely on something approved, maybe even something open source so that a community can check wether its really secure or not. Usually there are security packages for every operating system that you can use that implement those things properly, you should never try to code your own stuff here in my opinion. You could check for sha-256 or sha-512 implementations for example, just to give you well known and approved algorithms that I assume often do the job.
The question I'm asking myself is why you would want to send the information back to the frontend because in most cases this should not be necessary. Once hashed in the database you should never be able to retrieve the original password anyway. If you want to verify if a user entered a correct password, you can easily check that fully on the backend side. This can be done by sending the credentials entered in the frontend to the backend (this is a security problem already which is why you should use something like ssl), then hash the password with the exact same algorithm you use to hash passwords initially and compare this hash with the hash that was saved in the database for the given user. This is a simple equals check that tells you if the credentials were correct or not and therefore telling you if the login should be successful or not. Then there is no way to send the information bsck to the frontend.
Also I'd advise to use a random string value for every new password and combine it with the password before the hashing function to create a unique string. I think this is referred to as a salt value. This way two passwords won't have the same value in the database even if they are actually the same password, which makes it more secure. When you use a salt value you have to save it as plain text in the database with the rest of the indormation though so you can use it for the equal check again later. In this case you can load the salt value of the user and combine it with an entered password again, hash it with your algorithm and check if the entered and saved hashes are equal. Both hashes should only be equal if they were generated with the same salt, password and hashing algorithm.
There is a lot more that you can do to secure this stuff, this is just a basic example of how you could achieve a relative secure login mechanism with relatively low amount of effort. It always depends on what you are trying to do, if it's a simple home stuff or maybe something for a big company and so on. If it affects a high amount of users with information that needs to be extremely secure I would recommend to use professional toolsets or services ehich specialize in exactly those kind of things.
Edit
nodejs crypto implementation
For the hashing functionality you can checkout nodejs' internal crypto service that brings a ton of functionality with it. Here's some code to give you an example of how creating a hash with a salt can look like.
var sha512 = function (password, salt) {
// create hmac instance with algorithm and salt
var hash = crypto.createHmac('sha512', salt);
// here comes the password that you want to hash
hash.update(password);
// get the hashed value
var value = hash.digest('hex');
// keep the salt for future references
return {
salt: salt,
passwordHash: value
};
};
passport authentication library
If you want to implement a real authentication you can have a look into Jared Hansons passport library. It helps you to implement all the stuff that is usually quite tricky like keeping the user logged in, making sure certain http requests are only possible if the user is logged in, keeping track of the user state or sending an authentication token to the frontend. It's still tricky to begin with, but it is still way easier than doing this on your own. Also he brings an insane amount of so called strategies with it that you can install and use, for example for oauth authentication with facebook, google, etc.
I've got a couple of questions around storing/retrieving passwords with MySQL / Visual Studio 2010 (VSTO Visual Basic). I hope they are straight forward!
SHA-2 QUESTION
I'm making a table using MySQL (through the PHPMyAdmin Interface) to store just two columns: User ID & Password. After reading through SO and a bunch of other resources it seems that storing the password using SHA-2 encryption and salting is a viable option. Is this correct?
VISUAL STUDIO 2010 QUESTION
I am building a VSTO project in Visual Studio 2010 and will be accessing the data in the table using Visual Basic - how can I encode a user-inputted password with the SHA-2 algorithm? I can't seem to find any 'current' guides on this process. I'd imagine I have to download/install an extension that can process the SHA-2 algorithm into VS2010. The process here is, I have a 'login system' built within Excel but I want to verify the username/password combination by comparing it to the already existing data in the MySQL table.
SALTING QUESTION
Also, Salting is HIGHLY recommended practically everywhere I read so I decided to use a random string like 's#w0s9w%$x" or something like that and obviously store this/use it every time I need to encode + match a password to the database. Is this secure enough? How would you use a different salt word for every user but keep track of this? Would you simple save the username/salt-word combination in another table and extract it later?
EDIT: Added more info!
Don't try to create your own password hashing scheme. Instead use a well known one. Generally there are three options: Bcrypt, Scrypt, and PBKDF2. These are designed by security professionals, and have been around for a long time and have not been broken. Implementations are available for many languages.
For the salting question, you have the basic idea right. Usually the salt is stored with the password in the database. The salt is not considered to be a secret, but it should be unique for every user. Bcrypt hashes already contain the salt in itself, so you don't need to worry about that.
Related answer in security.se: https://security.stackexchange.com/a/6415/20774
A nice article on the subject of password hashing: http://crackstation.net/hashing-security.htm
I am currently planning a project in which revision safety of the database data is important. This means: we want to be able to proof that the data in the database was not tempered with since it was imported - no user changed the value, no db admin logged into the database and changed it.
What is the best way to achieve this?
Till now, I like the idea of signing the database row best: I create a MD5 hash of all the fields in the row, then send it to a timestamping signing server (have a look on wikipedia) and store the created signature with the row. From this time on, we can prove that no one changed the row since this stamp was created.
Any better ideas? And, if you like the idea as much as I do, what timestamp server should I use and how can I access it? The Verisign Timestamp Server seems to be used a lot, but I could not find any documentation on how to use it "raw", e.g. without the Microsoft code signer tools etc.
Thank you!
Time stamp servers are usually not free-to-use.
Alternatively you may use an HMAC-MD5 (or HMAC-SHA1) instead and use a password that is only known to the authorized user. The password is of course not directly used, better via PKCS#5 or at least hashed with a seed. Without the password noone can verify or recreate the HMAC-MD5