
Thread: How do you retrieve a hashed password?

  1. #41

    seems to work just fine the first time.

    If I use the password recovery link a second time, it gives me the "choose a new password" form, but then says "check your email" after I submit it (the password is *not* changed). Using the password recovery link more than once, I would expect to get an "expired link" notice and an option to send a new "forgot password" email.

    The "please check your email" and "your password has been reset" messages are dead ends - just the text, no formatting, no menus, no "Home" button, nothing. I assume this is just temporary, and that the messages will show on normal site pages eventually.

    The one thing I **do not** like is that my password is emailed to me *in clear text* when I register.

    Otherwise, well done
    We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
    It's a Party in the CIA

  2. #42

    Yeah, I meant to remove that emailed password/username thing. Using the password recovery form should always work though. I'll try debugging it some more. Or were you talking about trying to reuse the same emailed link multiple times?

    The blank pages with simple text messages are a placeholder. Thanks for the help and encouragement everyone. I'll let you know if I find any bugs.
    Last edited by james438; 02-04-2013 at 01:30 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  3. #43

    I was talking about reusing the same link.
    It didn't work, and that's a good thing - but it did seem confused.

  4. #44

    UPDATE:: PHP 5.5 will have native password hashing functions that will make this conversation (and all associated confusion) obsolete!

    BONUS:: there is a userland compatibility patch that you can use now (w/version 5.3.7+)!!

    functions (same names/signatures for native and userland functions):
    PHP Code:
    <?php

    /**
     * password_hash(): Hash the password using the specified algorithm
     *
     * @param string $password The password to hash
     * @param int    $algo     The algorithm to use (Defined by PASSWORD_* constants)
     * @param array  $options  The options for the algorithm to use
     *
     * @return string|false The hashed password, or false on error.
     */
    // example usage:
    $hash = password_hash( 'password', PASSWORD_BCRYPT );
    // returns "$2y$10$a6o9xrystDhNxm3PAxaS5.GxojspgIrhgb5tFSey7aIHHtzQCWxKK", ready to save in your DB!

    /**
     * password_verify(): Verify a password against a hash using a timing attack resistant approach
     *
     * @param string $password The password to verify
     * @param string $hash     The hash to verify against
     *
     * @return boolean If the password matches the hash
     */
    // example usage:
    $match = password_verify( 'password', $hash );
    // returns TRUE - the password and hash match!  Log them in!

    ############

    // other functions are useful, but less immediately so:

    // password_get_info(): Get information about options used to create a hash.
    // password_needs_rehash(): Determine if the password hash needs to be rehashed according to the options provided
    Celebrate!

  5. The Following 2 Users Say Thank You to traq For This Useful Post:

    djr33 (06-16-2013),james438 (06-17-2013)

  6. #45

    It was actually easy to install on my shared hosting account. It is a single php file that I can include (or require).

    Just one question. How should I set the salt for the PASSWORD_BCRYPT used?

    Thanks for the useful tip!

  7. #46

    The third param of password_hash() is an associative array, $options. You can pass a specific salt to the function like so:
    PHP Code:
    <?php

    $hash_with_my_own_salt = password_hash( 'password', PASSWORD_BCRYPT, array( 'salt' => 'someUnique22charString' ) );
    However, if you don't include a salt, one will be generated automatically. It is pretty well-implemented, so I'd recommend allowing the function to generate its own salts. Also, password_hash() returns the same value as crypt(), so you don't need to store the salt separately (because it's included in the hash, password_verify() automatically knows what salt and algo to use).
    We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
    It's a Party in the CIA
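
Added example, not part of the post above or of the compatibility library: it shows the auto-generated salt being carried inside the stored hash string, and a login check that uses password_needs_rehash() to raise the bcrypt cost later without a separate salt column. The `salt` option shown in the post was deprecated in PHP 7.0 and is ignored as of PHP 8.0, so the example always lets password_hash() generate the salt; `$users`, `bcrypt_parts()` and `login()` are hypothetical names.

```php
<?php
// Added example. $users is a constructed in-memory stand-in for a users table;
// bcrypt_parts() and login() are hypothetical helper names.

// Split a bcrypt string from password_hash() into the fields embedded in it.
function bcrypt_parts($hash)
{
    // Layout: $2y$ + two-digit cost + $ + 22-char salt + 31-char digest.
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z#';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    return array('variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]);
}

// Check a login; if the stored hash is below the current cost policy,
// re-hash while the plaintext is still available and store the new value.
function login(array &$users, $name, $password, $cost)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    $options = array('cost' => $cost);
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// Same password hashed twice: a fresh random salt is generated each time.
$a = bcrypt_parts(password_hash('password', PASSWORD_BCRYPT, array('cost' => 10)));
$b = bcrypt_parts(password_hash('password', PASSWORD_BCRYPT, array('cost' => 10)));
printf("salt A %s\nsalt B %s\nsalts differ: %s\n", $a['salt'], $b['salt'],
    var_export($a['salt'] !== $b['salt'], true));

// One stored string per user is enough; no separate salt column.
$users = array('alice' => password_hash('password', PASSWORD_BCRYPT, array('cost' => 10)));
var_dump(login($users, 'alice', 'wrong', 11));     // wrong password
var_dump(login($users, 'alice', 'password', 11));  // correct password, policy now asks for cost 11
$after = bcrypt_parts($users['alice']);
printf("stored cost is now %d\n", $after['cost']);
```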

  8. #47

    Nice, no more need for salts. I still want to test this out more before updating my current password system, but it still looks promising.

  9. #48

    Resurrecting this again…

    Here's a good talk on the very subject, with lots of insight on the concepts (not so much on actual code).

  10. The Following User Says Thank You to traq For This Useful Post:

    keyboard (12-30-2013)
