Saha
Posted January 19, 2018

How are the passwords encrypted from backend? What key is used to encrypt them? When I go to customer -> edit -> change password -> save

Lathaneo
Posted January 20, 2018

Hi,

Good nice question! Except that passwords are not encrypted, but hashed ;) Because you can't reverse the process.

The hashed password is made with Tools::hash():

```php
/**
 * Hash password with native `password_hash`
 *
 * @param string $password
 *
 * @return bool|string
 *
 * @since 1.0.0
 * @version 1.0.0 Initial version
 */
public static function hash($password)
{
    return password_hash($password, PASSWORD_BCRYPT);
}
```

The hash() method uses the native function in the PHP API, password_hash().

To compare passwords, TB (and probably PS) uses

```php
password_verify($plainTextPassword, $result['passwd'])
```

So, no key is needed to hash them; as mentioned here, it's easier and safer.

Regards.

Saha (Author)
Posted January 21, 2018

@lathaneo Thanks for the reply. How do I unhash so I can compare the password and allow the customer to log in?

yaniv14
Posted January 21, 2018

You need to compare the hashed passwords together and not the other way around. So you will need to hash the user-entered password and compare.

SLiCK_303
Posted January 21, 2018

@Saha is this a site that's been migrated? Or data from your old site imported into a new install?

Saha (Author)
Posted January 21, 2018

@yaniv14 The same password hashed at different times gives me different results.

First line, Tools::hash(123456), outputs:
$2y$10$vf9b9Y92f7ELhhOTcI2GfOzrK1SfAIylPU8ySGy5F41JxREkoCj3G

Second line, Tools::hash(123456);, outputs:
$2y$10$P3kdjPytuLHPZ3iEmjBxoezfOckOnIFB8cPj7ghUaltl7/bqUwrWO

SLiCK_303
Posted January 21, 2018

@Saha and did you take the define('RIJNDAELKEY', and define('RIJNDAELIV', and define('COOKIEKEY', and define('COOKIEIV', settings from your old /config/settings.inc.php to your new one?

Edit: are you having issues with people not being able to log in to the FO, is that why you are asking this?

SLiCK_303
Posted January 22, 2018

Back up your /config/settings.inc.php file, then change the values of the above 4 keys in it to match your old site's keys.

I'm assuming you migrated from PrestaShop....

Saha (Author)
Posted January 23, 2018

@mdekker So how to approach? How to authenticate a user?

datakick
Posted January 23, 2018

The result of password_hash actually contains two parts - hash and salt. The salt is randomly generated each time you call this function; that's the reason why the result is different each time.

In order to verify a password, simply call the function password_verify with the plain text password and the result of the password_hash function:

```php
password_verify($plaintextPassword, $hashWithSalt)
```

In other words, the following expression will always return true:

```php
password_verify($plaintextPassword, password_hash($plaintextPassword, PASSWORD_BCRYPT))
```

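The behaviour discussed in this thread, as an added example that is not part of the original posts or of the shop's own code: it splits a bcrypt string into its cost, salt and digest fields, shows why two hashes of the same password differ, and checks a login with password_verify. The function names `bcrypt_parts` and `check_login` and the sample password are hypothetical.

```php
<?php
// Added example (not project code). Sample password is constructed.

/** Split "$2y$<cost>$<22-char salt><31-char digest>" into its fields. */
function bcrypt_parts(string $stored): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $stored, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'variant' => $m[1],
        'cost'    => (int) $m[2],
        'salt'    => $m[3],
        'digest'  => $m[4],
    ];
}

/** Hypothetical login check: $stored is the value read from the customer row. */
function check_login(string $plain, string $stored): bool
{
    // password_verify reads the variant, cost and salt out of $stored,
    // recomputes the digest and compares it in constant time.
    return password_verify($plain, $stored);
}

$plain  = 'constructed-sample-password';
$first  = password_hash($plain, PASSWORD_BCRYPT);
$second = password_hash($plain, PASSWORD_BCRYPT);

$a = bcrypt_parts($first);
$b = bcrypt_parts($second);

// Each call draws a fresh random salt, so the stored strings differ.
printf("salt 1: %s\nsalt 2: %s\n", $a['salt'], $b['salt']);
printf("cost: %d, variant: %s\n", $a['cost'], $a['variant']);

// Hashing the login input again and comparing strings cannot work:
var_dump($first === $second);

// Verifying against either stored string does work:
var_dump(check_login($plain, $first));
var_dump(check_login($plain, $second));
var_dump(check_login('wrong-password', $first));

// What password_verify does internally, spelled out with crypt():
// the stored string is passed as the salt argument, then compared.
var_dump(hash_equals($first, crypt($plain, $first)));
```
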