CakePHP 3: Encrypt/decrypt password - cakephp-3.0

How can I show the decrypted user password in an edit form?
I am using DefaultPasswordHasher for Hashing passwords while registration of users using this:
protected function _setPassword($password) {
return (new DefaultPasswordHasher)->hash($password);
}
It works well and the password is encrypted...
But when I used user table in view page and edit page it shows the encrypted password. So how can I decrypt the password in the controller and when edit page it also decrypt and store in database in CakePHP 3.x?

Simple answer is: You can't
The whole point of hashing is that you cannot reverse engineer the password. So that when your database is hacked or leaked no harm can be done with the passwords.
Any website showing you your own password has a severe security problem and I would not use it.
There is also no point in showing the encrypted password. Editing a password is not needed, you just overwrite the old one (when they can still provide their old one ofc), and if one of your user forget their own password you should provide them with a recovery system using their email for example.

Related

Spring Security Authenticates User with old credentials until Web App Restart

Hi there I am developing a web app and I am using Spring Security. In the app the user can change his/her details (username, password and some other fields). I am using a custom User Details Class for this and my Spring Security configuration is the default (keep in mind no cache method is declared, so I suppose NullUserCache is used). All the user records come from DataBase using JDBC Connector (MySQL).
Now when a user changes his/her info or/and username-password those changes update the corresponding columns in DataBase. So now the DB is updated. Because I have not implemented setters in my Custom User Details Class, I force the user to logout log out automatically. But now he/she can login using both the new username and the old one.
Suppose now that the user changed something on the other fields (for example if the age was changed from 20 to 21). When user logins using the new username I can see 21. If user logins using the old username I can see 20!.
I guess Spring Security now creates a new User (during login) which didn't exist and the old one is never removed!
So after reading many posts in the web and trying the corresponding solutions I 'm still unable to fix that.
What I have used (in the controller that is responsible for account editing):
if (authenticate != null){
new SecurityContextLogoutHandler().logout(request, response, authenticate);
}
SecurityContextHolder.getContext().setAuthentication(null);
SecurityContextHolder.clearContext();
What I understand and believe is that Spring Security holds somewhere (I thought User Cache) the username, maybe along with the password and now it sees the old username as a different User. The only way to prevent this from happening is to restart the app. After restarting the user only logins using the new username.
Is there any way I can remove that "user"-username? Any suggestion would be usefull, I am really confused and the only case close to mine was this but his problem was with the oracle connector using connection cache..
UPDATE problem tracked down to a problem inside loadbyusername method..read more on the 14th comment below :)
Happy coding!
I finally found the source of that problem..black hole closed. Credits #Jebil and #Robin Winch for their help!
Well everything worked as it should except the fact that the HashMap on the rensposible for the login DAO, was never cleared..so after every successful login attempt the HashMap returned was appended and so after every username update, it contained both old and new values..solution was simple..before accessing the DB HashMap should be cleared!
Happy dividing by 0 :P

password and confirm password entries to database

in my html form there are two fields for password, one password and other confirm password. If the first password field does not match the second password field than do not submit the form to the database.
This is kind of a long shot since I don't know what your code looks like but this is a javascript example of disabling the submit button until passwords match.
var pass1 = document.getElementById('p1');
var pass2 = document.getElementById('p2');
if(pass1.value == pass2.value)
{
document.getElementById("enableButton").disabled = false;
}
else {
document.getElementById("enableButton").disabled = true;
}
Without knowing anything about your code - you should (could) do two things:
Verify that both passwords are the same via JavaScript on client side. That will bring up a better user-experience as you are able to display an error message / disable the form submission when the passwords are not the same. But please consider - many users still have disabled javascript by default, so that can not be the only validation.
Verify that the passwords are the same in PHP / Server-side code. How exactly you would achieve that depends on your scripting languages / architecture.
There are some in-depth discussions out there regarding password / authentication best-practices: this discussion or this cheat-sheet at owasp or this one in the php faq. Please take the security fundamentals mentioned there into account, too.

nodejs,Express and mysql

I am new with Node js.I create a application with express framework and mysql database.i did add user and login.That's working fine but now am trying to reset my password with one time url.please help me.
This question doesn't contains any code snippets, any specific logical flow. If you are able to post some code, the you will be getting more accurate answer. Anyway I will try to provide a broad logic.
From your question, I understood that you know how to use expressjs routing, connecting to mysql from expressjs etc.
So for resetting password, you need to send a link with a unique token to the user when user clicks on a forgot password/reset password link. Store this tocken in a separate mysql table with a created time stamp. When user clicks this url which send to his emailid, check with the token entry in db table and make sure it is not expired, and show the user a reset password interface. After resetting, remove the token stored in the db table.

Changing Active Directory user password

How can I change an Active Directory user password using Directory Services without knowing old password?
You are probably searching the SetPassword method, which you should invoke on a DirectoryEntry object.
Check the "Reset a User's Password" example here: Howto: (Almost) Everything In Active Directory via C#.
EDIT:
If you are having problems with the directory entry being null, you are probably passing a wrong path. The path should be something like this:
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=johndoe,CN=Users,DC=acme,DC=com");
There is a new library introduced in .net 3.5 called System.DirectoryServices.AccountManagement. It simplifies user management stuff.
public void ChangePassword(string dn, string newPassword)
{
using (var context = new PrincipalContext(ContextType.Domain))
{
using (var user = UserPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, dn))
{
user.SetPassword(newPassword);
}
}
}
As an MCSE, I do password resets many times a day so I can tell you something about this.
There are basically two operations you can perform with an Active Directory password - a change, and a reset. Changing a password requires that you know the current password on an account, but resetting a password does not require you to know the current password on an account, so in a way, in order to change a user's password without knowing the password, you really need to perform a password reset operation on the account.
By the way, i believe there are two seperate Active Directory extended rights that control each of these permissions, but I am not intimately familiar with them, as I am a delegated admin who is delegated thos abillity.
So, please keep in mind that any attempts to reset a user's password will fail if you don't have the reset password right granted to you on the target user account.

Best way of retrieving lost password

What is the best method to reset a user password when password is hashed:
Reset a password to a random string and send that string to their registered mail?
Create a unique hash link for resetting password which is valid for an hour and sending that link to mail?
Any other method?
Create a unique hash link for resetting password which is valid for an hour and sending that link to mail
This is the method that I prefer. It allows you only to reset the password if and only if the user visits the link. This way, if someone is maliciously trying to reset passwords, the user can simply delete the email and be unaffected (not have to enter a new password).
Also, you should give the reset link some sort of longer expiration date (like 12 to 24 hours).
2 is the best method. Never ever mail a password in plain form. Even better, don't keep it in your system this way. Always have it hashed and salted.
Follow-up to comments: Emailing hashes instead of plain passwords may also be insecure but you are pursuing a different goal through this. Many people use the same password for all sites, from Facebook up to online-banking. A particular hash may get compromized, but not the password itself, which is the point.
#2 is preferable to #1 if only because sending a password in plain text via email exposes it unnecessarily.
Other options are:
use password hint questions
use OpenID and punt the entire problem to the user's OpenID provider.
It depends on the sensitivity of the information you are protecting...
There is a fine balance between security and usability, and you need to decide where it is, and what assets you are protecting.
What I would normally do (assuming to financial data is involved) is option 2, minus the 1 hour limit.
I found a really interesting method on some websites: they are sending you a new password via SMS. This is awesome because the e-mail can be hacked but the phone... I don't think can be easily hacked.