thirty bees forum
  • 0

password encryption from admin dashboard?


Question

Posted

How are the passwords encrypted from backend? What key is used to encrypt them?

When I go to customer -> edit -> change password -> save

12 answers to this question

  • 0
Posted

Hi,

Good question! Except that passwords are not encrypted, but hashed ;) Because you can't reverse the process.

The hash password is made with Tools::hash();

    /**
     * Hash password with native `password_hash`
     *
     * @param string $password
     *
     * @return bool|string
     *
     * @since 1.0.0
     * @version 1.0.0 Initial version
     */
    public static function hash($password)
    {
        return password_hash($password, PASSWORD_BCRYPT);
    }

The hash() method uses the native function in the PHP API, password_hash().

To compare passwords, TB (and probably PS) uses password_verify($plainTextPassword, $result['passwd'])

So, no key is needed to hash them; as mentioned here, it's easier and safer.

Regards.

  • 0
Posted

@yaniv14 the same password hashed at different times gives me different results.

First line, Tools::hash(123456), outputs: $2y$10$vf9b9Y92f7ELhhOTcI2GfOzrK1SfAIylPU8ySGy5F41JxREkoCj3G

Second line, Tools::hash(123456);, outputs: $2y$10$P3kdjPytuLHPZ3iEmjBxoezfOckOnIFB8cPj7ghUaltl7/bqUwrWO

  • 0
Posted

@Saha and did you take the define('_RIJNDAEL_KEY_', and define('_RIJNDAEL_IV_', and define('_COOKIE_KEY_', and define('_COOKIE_IV_', settings from your old /config/settings.inc.php to your new one?

edit: are you having issues with people not being able to login to the FO, is that why you are asking this?

  • 0
Posted

The result of password_hash actually contains two parts: hash and salt. The salt is randomly generated each time you call this function; that's the reason why the result is different each time. In order to verify a password, simply call the function password_verify with the plain-text password and the result of the password_hash function:

password_verify($plaintextPassword, $hashWithSalt)

In other words, the following expression will always return true:

password_verify($plaintextPassword, password_hash($plaintextPassword, PASSWORD_BCRYPT))
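
The behaviour discussed in this thread, as an added example that is not part of any post and is not thirty bees code: it splits the two bcrypt strings quoted above into cost, salt and digest, then shows how verification reuses the salt stored inside the hash. The helper parseBcrypt() and the sample password are hypothetical, made up for this illustration.

```php
<?php
/** Split "$2y$<cost>$<22-char salt><31-char digest>" into its fields (hypothetical helper). */
function parseBcrypt(string $hash): ?array
{
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a well-formed bcrypt string
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// The two outputs quoted in the thread for the same input.
$fromThread = [
    '$2y$10$vf9b9Y92f7ELhhOTcI2GfOzrK1SfAIylPU8ySGy5F41JxREkoCj3G',
    '$2y$10$P3kdjPytuLHPZ3iEmjBxoezfOckOnIFB8cPj7ghUaltl7/bqUwrWO',
];
foreach ($fromThread as $stored) {
    $fields = parseBcrypt($stored);
    if ($fields === null) {
        echo "malformed hash: $stored\n";
        continue;
    }
    // Same variant and cost, different salt, therefore a different digest.
    printf("variant=%s cost=%d salt=%s digest=%s\n",
        $fields['variant'], $fields['cost'], $fields['salt'], $fields['digest']);
}

// Constructed sample password, hashed twice the way the poster did.
$password = 'constructed-sample-password';
$a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$b = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

echo 'two hashes identical:   ', var_export($a === $b, true), "\n";
echo 'first hash verifies:    ', var_export(password_verify($password, $a), true), "\n";
echo 'second hash verifies:   ', var_export(password_verify($password, $b), true), "\n";
echo 'wrong password accepted:', var_export(password_verify('other', $a), true), "\n";

// What verification does conceptually: recompute bcrypt with the cost and salt
// embedded in the stored string, then compare in constant time.
$recomputed = crypt($password, $a);
echo 'recomputed matches:     ', var_export(hash_equals($a, $recomputed), true), "\n";

// Because the cost is stored in the string, old hashes can be detected and
// upgraded at the next successful login.
if (password_needs_rehash($a, PASSWORD_BCRYPT, ['cost' => 12])) {
    $a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    echo 'rehashed at cost ', parseBcrypt($a)['cost'], "\n";
}
```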
