Comparing password encrypted by bcrypt - C++

I have a webpage that encrypts username passwords using bcrypt; these passwords are then stored in a database. I have a C++ program running on Qt which needs to authenticate users. In order to do this I'd have to encrypt the user-entered password and compare it to the password in the database. Is this the correct way to do it? If so, how do I achieve this? The encryption of the user-entered password would have to be the same as the one by bcrypt; how do I do this? Thanks in advance.

Actually you don't encrypt passwords, because they can be decrypted. The right way of doing it is to hash a password and store the hash value. If a user enters a password you also hash that value and compare it to the saved hash value. This is the right way because a hash function is a one-way function (non-invertible), see here.
Hashing prevents anybody from decrypting the password. You should take care to use a secure hash function like SHA-2 or SHA-3, because some hash functions are no longer secure, see list of broken hash functions.
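The stored bcrypt value already carries everything the C++ side needs to re-derive the hash from the entered password: the variant, the cost factor and the 16-byte salt. Nothing has to be "encrypted the same way" by hand; the stored string is handed to a bcrypt library as the salt parameter and the library's output is compared against the stored digest. The parser below is an added example (not from the question or the answer) that shows where those fields sit in the string and decodes bcrypt's non-standard base64 alphabet; the hash string used in the comments is constructed, not a real user's hash.

```python
import base64

# bcrypt uses its own base64 alphabet, not the RFC 4648 one, so a stock
# decoder returns wrong bytes unless the characters are translated first.
_BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(_BCRYPT_ALPHABET, _STD_ALPHABET)


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt-base64 text and return exactly nbytes bytes."""
    std = text.translate(_TO_STD)
    std += "=" * (-len(std) % 4)  # bcrypt omits padding; restore it
    return base64.b64decode(std)[:nbytes]


def parse_bcrypt(stored: str) -> dict:
    """Split a stored value such as '$2b$12$<22 salt chars><31 hash chars>'.

    The 22 salt characters decode to the 16-byte salt, the 31 hash characters
    to the 23-byte digest. A verifier re-runs bcrypt with this variant, cost
    and salt on the candidate password and compares against the digest.
    """
    parts = stored.split("$")
    if (len(parts) != 4 or parts[0] != "" or parts[1] not in ("2a", "2b", "2y")
            or len(parts[3]) != 53 or any(c not in _BCRYPT_ALPHABET for c in parts[3])):
        raise ValueError("not a bcrypt hash string")
    cost = int(parts[2])
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range")
    salt_text, digest_text = parts[3][:22], parts[3][22:]
    return {
        "variant": parts[1],
        "cost": cost,            # work factor: key setup runs 2**cost times
        "rounds": 2 ** cost,
        "salt": bcrypt_b64decode(salt_text, 16),
        "digest": bcrypt_b64decode(digest_text, 23),
    }
```

Because the cost and salt are read back out of the stored value, changing the cost later only affects newly stored hashes; old rows keep verifying with the parameters embedded in them.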

Related

How to authenticate with encrypted email as username?

In my Django web-app, I would like the user to authenticate themselves with an encrypted email address that would simply be the username. Due to the existing GDPR regulations in my country, I have to encrypt e-mail addresses, and by doing it with the help of Python Cryptography and Fernet functions, each string is different after encryption, even if two strings are encrypted with one and the same key. Is it possible to authenticate the user without errors in such a situation? If this is possible, where can I read a little more about it?
EDIT: Maybe I specified it incorrectly: Django uses username and password for authentication. If the encrypted email is the username, when logging in the user will enter the email, i.e. harry@example.com. The database keeps an encrypted version of this email, so when using authenticate(request, username, password), it will look for a user with the username harry@example.com, not the encrypted version. If at this point I would like to decrypt the user's e-mail from the database and compare it with the e-mail that the user entered when logging in, the app would probably have to decrypt all e-mails in the database and then check if and which one is harry@example.com, and here, in my opinion, it becomes quite problematic, because I have the impression that it is not a good solution in terms of time and server load. Is there any other way that I will be able to compare the e-mail entered when logging in and the encrypted e-mail in the database?
Here is a good lesson on how to use python cryptography https://www.geeksforgeeks.org/how-to-encrypt-and-decrypt-strings-in-python/
As for GDPR, the user can enter their email but you should encrypt it on the store, then decrypt it when you want to use it. Make sure that your secret is hidden. If someone gets access to your database and your secret, the encryption is as good as if it's not there.
You should not be comparing the encrypted strings, you should decrypt the email and compare it to the email that is currently entered. Comparing hashes should only be done with hashing, not encryption. If you don't want to have access to the user's email, you should consider hashing instead of encrypting.
There's a good read here: How do I encrypt and decrypt a string in python?, to learn the how-to around what you need. Plus, you described the solution quite well, so take a look at the following packages from the Django community, which achieve what you are looking for:
https://github.com/orcasgit/django-fernet-fields/
https://github.com/orcasgit/django-fernet-fields/blob/master/fernet_fields/fields.py#L117 It includes an encrypted email field.
https://github.com/patowc/django-encrypted-field
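The lookup problem in the question (Fernet produces a different ciphertext every time, so the encrypted column cannot be searched) is usually solved with a blind index: a deterministic keyed hash of the normalized address stored next to the ciphertext. Login looks the user up by that index in one query and never has to decrypt the whole table. This is an added example in plain Python, not code from the answers or from the packages linked above; the index key is a constructed placeholder and the Fernet ciphertext is passed in as opaque bytes.

```python
import hashlib
import hmac

# Constructed example key (not a real secret). It is used ONLY for the lookup
# index and must differ from the Fernet key that encrypts the address itself,
# so that one leaked key does not expose both the index and the plaintext.
INDEX_KEY = b"constructed-index-key-change-me!"


def normalize_email(email: str) -> str:
    """Canonical form, applied identically at registration and at login, so
    'Harry@Example.COM ' and 'harry@example.com' map to one index value."""
    return email.strip().lower()


def blind_index(email: str, key: bytes = INDEX_KEY) -> str:
    """Deterministic keyed hash of the normalized address.

    Fernet output changes on every encryption, so the ciphertext cannot be
    searched; this value is stable and can live in an indexed unique column.
    HMAC rather than plain SHA-256 means someone holding only the table
    cannot confirm guessed addresses without also holding the index key.
    """
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class UserTable:
    """Stand-in for the Django users table: blind index -> encrypted row."""

    def __init__(self):
        self._rows = {}

    def add(self, email: str, fernet_ciphertext: bytes, password_hash: str):
        # fernet_ciphertext is whatever Fernet produced; it stays opaque here
        self._rows[blind_index(email)] = {
            "email_ct": fernet_ciphertext,
            "password_hash": password_hash,
        }

    def find_by_email(self, email: str):
        # Single indexed lookup; no row has to be decrypted to find the user.
        # Only equality leaks: two rows with the same address share an index,
        # which is acceptable for a username column that is unique anyway.
        return self._rows.get(blind_index(email))
```

At login, find the row by blind_index(entered_email) and then run Django's normal password check against that row; the Fernet ciphertext is only decrypted when the address itself is needed, never for searching.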

How to log in with an encrypted password on WSO2 IS 5.8

Currently we are using WSO2 IS v5.8 in our product to authenticate users from AD/LDAP.
At the time of login, we send the login form data in plain text format and it works as expected, but due to a vulnerability we have an issue: we want to post the login form's password field in an encrypted format. How will I achieve that? Please help me with that. Thanks in advance.
In WSO2 IS, from the user store managers, passwords can be encrypted, so there is no need to send encrypted passwords from the login page or registration page.
1. Encrypt passwords in primary user-store manager
Go to the <IS-HOME>/repository/conf/user-mgt.xml file and uncomment the line below:
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
and for the hashing method, you can use:
SHA - Uses the SHA digest method (SHA-1, SHA-256).
MD5 - Uses the MD5 digest method.
PLAIN_TEXT - Plain text passwords.
2. Encrypt passwords in secondary user-store manager
In the secondary user store managers there is an option "PasswordHashMethod" available to configure; if it is not configured, no hashing is applied to the user password.
There you can specify the password hashing algorithm used to hash the password before storing it in the user store.
Possible values:
SHA - Uses the SHA digest method (SHA-1, SHA-256).
MD5 - Uses the MD5 digest method.
PLAIN_TEXT - Plain text passwords.
Note:
If you just configure it as SHA, it is considered SHA-1. It is always better to configure an algorithm with a higher bit value, as the digest bit size would be increased.

Encrypting/Decrypting Passwords in ColdFusion

I am currently encrypting user passwords and storing them in my DB by using the following code:
<cfset encrypted_pass = Hash(#form.pwd#, 'SHA-512')/>
Is there a way I can decrypt this password after the fact?
If you are storing passwords in a database, you should always store these as hashes and not using reversible encryption. The method of doing this is "hashing", but not all hashing is created equal and the "hash" function in CFML is not good enough for password hashing.
The reason for using hashing is so that if a "bad actor" gains access to your DB they are still not able to obtain your users' passwords.
Please see the following article for details and code examples for good password hashing in CFML:
https://www.andrewdixon.co.uk/2020/05/12/password-hashing-in-cfml/

How to decrypt the passwords that are stored in WSO2 Identity Server with salt and SHA-256

I want to view the passwords that are stored in the CARBON_DB..UM_USER table.
The passwords are stored encrypted with a salt value column.
I don't want to change the encryption but want to view the password in SQL Server.
If it is a one-way function, how is WSO2 IS able to use it when we call the Authenticate function and validate that the username and password passed in the request are valid?
Or it would help me to know how WSO2 IS generates the UM_USER_PASSWORD column based on the UM_SALT_VALUE.
This [1] is the code section where it compares the provided password with the stored hash. By looking at this logic, you might be able to understand how it happens. Check the preparePassword() [2] method to understand how the salted hashing happens.
[1] https://github.com/wso2/carbon-kernel/blob/4.5.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L1242
[2] https://github.com/wso2/carbon-kernel/blob/4.5.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L2628
The below is the answer to how the encryption is working:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Password + salt value: the stored UM_SALT_VALUE is appended to the plaintext
String password = "passwordb7nujixCJvoAA7AZkLfe0A==";
MessageDigest dgst = MessageDigest.getInstance("SHA-256");
// Fix the charset explicitly so the digest does not depend on the platform default
byte[] byteValue = dgst.digest(password.getBytes(StandardCharsets.UTF_8));
password = Base64.getEncoder().encodeToString(byteValue);
System.out.println("password::" + password);
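The same scheme, written as an added Python example (not WSO2 code) to show the half the question asks about: the server never recovers the password; it recomputes SHA-256(password + UM_SALT_VALUE), Base64-encodes it and compares that with the stored UM_USER_PASSWORD. The salt string is the one from the snippet above; the new_salt helper is an assumption about how a 24-character salt of that shape can be generated and the demonstration row is constructed.

```python
import base64
import hashlib
import hmac
import secrets


def wso2_salted_sha256(password: str, salt_b64: str) -> str:
    """Reproduce the stored UM_USER_PASSWORD for a given UM_SALT_VALUE.

    Mirrors the Java snippet above: the salt string is appended to the
    plaintext, the result is digested with SHA-256 and Base64-encoded.
    """
    digest = hashlib.sha256((password + salt_b64).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_salt() -> str:
    """Assumed helper (not WSO2 code): 16 random bytes, Base64-encoded,
    which matches the shape of the 24-character salt in the example."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def authenticate(candidate: str, stored_hash: str, salt_b64: str) -> bool:
    """Why a one-way hash still works for login: recompute the hash from the
    candidate password and the stored salt, then compare the two encoded
    digests in constant time so the comparison leaks no timing information."""
    recomputed = wso2_salted_sha256(candidate, salt_b64)
    return hmac.compare_digest(recomputed, stored_hash)


# Constructed demonstration row using the salt value from the snippet above
SALT = "b7nujixCJvoAA7AZkLfe0A=="
STORED = wso2_salted_sha256("password", SALT)
```

Because the hash is one-way, the SQL Server query in the question cannot recover plaintexts; the only check available is to recompute and compare, which is what the user store manager does on login.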

How to send a hashed password to DRF and get authenticated

I'm working on authenticating users in Django, and I know that Django keeps all the passwords hashed in the database,
so in order to secure the user credentials, I have to hash the password in my front end (Angular2) before sending it to my back end (Django REST framework).
The problem is that I don't know if Django accepts hashed passwords or is capable of comparing it to the existing one, and if so, can anyone point me to the right way?
Any help is appreciated, thanks.
You do not need to hash the password in Angular. Django will not understand a password hashed by Angular, since Django hashes passwords in a different way and has no information indicating that what you are sending is a hash. Even if you were able to hash them the same way, Django would hash it again, which would not work. That is,
H(password) != H(H(password))
for a single hash function H.
Send the password as plain text to the server. Protect the password by transferring all data over TLS/SSL. Django will accept the plain text password, compare the hashes, and authenticate the user as normal.