this is the password :
sha1$265b1$5ff32d53cf53bdef243b6f83e33e513514352406
sha1$73f58$b037706983a566e2a2b4bab7ef062c2e84f4a33e
this two string's password all are '123456',
but why they have different string ?
thanks
Until django 1.3 was for "salt" the raw password:
The password attribute of a User object is a string in this format:
hashtype$salt$hash
That's hashtype, salt and hash, separated by the dollar-sign character.
Hashtype is either sha1 (default), md5 or crypt -- the algorithm used to perform a one-way hash of the password. Salt is a random string used to salt the raw password to create the hash.
But after django 1.4 the "salt" part isn´t recorded in the database and it uses another algorithm by default.
As stated in the Docs, django uses a salt to hash the password. The salt is the few characters between the 2 $, so technically you can update 1 of those rows with the other value.
For more regarding salt-hashing see This question
that decide to your algorithm, some algorithm's results are not same
Related
SELECT * FROM Customers WHERE password LIKE '%%';
This statement is incorrect but is there a way to find password that start with '%','''','!',etc.
I am Trying to find password that start with any symbol in front ? How can I do that ?
Example Password :%$rk3d+R&
Note that you should not be storing clear text passwords in your customers table. Doing so exposes your site to significant risk, if someone ever finds a way to read your database table. Instead, you should always store an irreversible hash of the password in the customers table. Then, for user authentication, hash a user's input password and compare against the table.
That being said, the % has a special meaning when used inside a LIKE expression, and it means any number of characters. You may escape it via a backslash in this case to mean a literal % symbol:
SELECT * FROM Customers WHERE password LIKE '\%%';
More generally, to find customers having passwords starting with any symbol, use REGEXP:
SELECT * FROM Customers WHERE password REGEXP '^[##$%^&*]';
You need to escape the special character here like below.
SELECT * FROM test where password like '\%%';
Demo DBFiddle
I'm looking at adding a Salt number to our user password table. We are saving the user passwords hashed as SHA256.
My question is would using the number generated from Mysql's UUID_SHORT() function for example '23154192415719433' be sufficient for a password salt?
So in my database the password 'Test123' would normally stored as 'd9b5f58f0b38198293971865a14074f59eba3e82595becbe86ae51f1d9f1f65e' by calling
SELECT SHA2('Test123', 256)
Will now be stored as 'e5e7b87ba899a6f9ad8f8e68e0b209b6923e546df70b8e4a47f996533827bce1'
SELECT SHA2('23154192415719433Test123', 256)
Seeing as UUID_SHORT() returns a random 64-bit value, and SHA256 uses 256-bit encryption, you would be better off calling UUID_SHORT() four times and concatenating it as a binary value.
I expect that what you want is to
SELECT SHA2('password', 256)
give you always the same result which you can store/compare.
UUIS_SHORT() does not return the same values after each invocation so store your passwords as hash as usual. What you can do to make it better is:
SELECT SHA2(CONCAT('password','some junk known only to you'),256)
You do need anything else.
For some reason MySQL is putting all passwords as the same even after md5 and using the password('$md5_password').
Let's say the password is abc123 the password stored in mysql is 11ab5e691dcc370b. But when I try to save a password of frogs the password stored is 11ab5e691dcc370b, which is the same. I have the same script on other databases and is working flawlessly.
The above would explain why no one is logging in unless I hard set the 11ab5e691dcc370b password. Then others can login.
The mysql user has full rights.
I used Google to reverse 11ab5e691dcc370b. It seems to be the hash of d41d8cd98f00b204e9800998ecf8427e, which is an MD5 of a blank string.
You might want to check the code that actually calls md5.
Assuming PHP based on the $md5_password in your question
Use double quotes or remove them completely.
md5($password);
If you use single quotes it will literally hash the string $password
md5('$password');
See this page on string literals http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single
I was wondering how can i limit my password to aplhanmeric based on the generated value of alphanumeric AES_ENCRYPT() in mysql? I have a column password with a datatype of varbinary
Sample: select AES_ENCRYPT('encryption_code','password');
Result: ���"F]���\�L7z
I want to avoid the special characters.
This doesn't specifically answer the question on how to get just alphanumeric, but the 'special characters' look to be what MySQL does with utf8. You can see what they actually are in:
SELECT CONVERT(AES_ENCRYPT('encryption_code','password') USING latin1);
Now as to why you want just the alpha-numeric, may I ask why? Wouldn't that destroy the encryption when you go to AES_DECRYPT? With the above query, you can get the encryption_code back by doing:
SELECT AES_DECRYPT(CONVERT(AES_ENCRYPT('encryption_code','password') USING latin1), 'password');
Does MySql 5.1 and SQL Server 2008 (Web edition, Standard) have any functional password limitations other than length limits? Are metacharacters in any form a bad idea to use, like bang, pipe, hash, any slash, carrot, and so on?
I know that MySql 5.1 has a password length limitation of 16 characters that is hardcoded, but I was wondering, are any metacharacters (i.e. non alphanumerics) a bad idea to use? And is this true in SQL Server 2008 Web edition, Standard?
So specifically: can symbols like:
/`~>:}{[]^ be used successfully?
I would hope it doesn't matter to the database, but I don't understand enough about password storage in enterprise database systems yet to know for sure, and I was looking for confirmation or an explanation.
All these characters are good in SQL Server passwords, but the docs to back it up are sketchy.
The MSDN documentation on SQL Server password strength implies that any symbol including whitespace characters is allowed in SQL Server passwords, but if it contains white space it must be delimited in T-SQL statements.
Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits. Because logins, user names, roles, and passwords are frequently used in Transact-SQL statements, certain symbols must be enclosed by double quotation marks (") or square brackets ([ ]). Use these delimiters in Transact-SQL statements when the SQL Server login, user, role, or password has the following characteristics:
Contains or starts with a space character.
Starts with the $ or # character.
The MSDN documentation on password policy explicitly confirms the following characters are allowed: ! $ # %
And, as you'd already know, the same documentation strongly encourages that you use passwords which are "as long and complex as possible."
mysql> create user test identified by '/`~>:}{[]^';
Query OK, 0 rows affected (0.13 sec)
yes - you can actually login now with this command line:
C:\Documents and Settings\rbouman2>mysql -utest -h127.0.0.1 -P3351 -p
Enter password: **********
I tried entering the password directly after -p, but that didn't work for windows - it thinks i want to invoke more if I do that. but I am 100% sure that's on the windows shell. MySQL itself feels this is a valid password.
In my experience, it's the backslash \ and the single quote ' that you'll want to avoid in a MySQL password. From my tests, the following special characters appear to be fine to use:
!##$%^&*:./?=+-_[]{}()<>
Also, 32-character passwords seem to be okay to use, too.
Watch out, even though MYSQL may work, your php/http daemon/.htaccess may do some wierdness to the req's before passing them along, I had a password with ( $ and ! in it, and it did NOT work from php-mysql based web page, but DID work from the console... 8 character password. $db_pass = "($JlKl1!";
And what do you know, it fails.
change the password to "test" . and bam, it works.
Change the password to something ridiculously long, (and entirely devoid of "$" or "!" or "(" ) and it also worked.