
I don't think that my title is appropriate for my question. My question is: I have a simple login system just for test purposes, and I am using sha1 in encrypting my password into my database, which would look like this

sha1($_POST['..some_variable...'])

What would be the best way to retrieve my encrypted password as plain text for authentication purposes, like selecting my username and password from my database?

eaponz

  • (In short, you don't - SHA-1 is a hash, not a two-way encryption scheme.) – Jon Skeet Aug 27 '13 at 17:46
  • What you really want to do is hash the user submitted password and compare that hash to the hash stored in the database. Please note that you should not use md5/sha1 in production environments. – JimL Aug 27 '13 at 17:48
  • To finish @JimL's sentence: ... because they are ridiculously easy to crack these days. – Sammitch Aug 27 '13 at 18:01
  • @Sammitch I wouldn't describe SHA-1 as "ridiculously easy to crack"... – Duncan Jones Aug 27 '13 at 18:33
  • @DuncanJones SHA1, yes. It has a cryptographic vulnerability that cuts down cracking time significantly. SHA2/256/512/etc do not have said vulnerability, but are still weak compared to modern cracking methods and hashing schemes like bcrypt. – Sammitch Aug 27 '13 at 19:06

2 Answers

This should give you a good idea of how it works.

try {

  // $mysqli is assumed to be an already-open mysqli connection.
  $submittedEmail = !empty($_GET['email']) ? $_GET['email'] : false;
  // Hash the submitted password the same way the stored value was hashed,
  // so the two digests can be compared directly.
  $submittedHash = !empty($_GET['password']) ? hash('sha1', $_GET['password']) : false;

  if (!$submittedEmail || !$submittedHash) {
    throw new \Exception('Required field(s) missing. Please try again.');
  }

  // Stays null when the e-mail is unknown (or prepare() fails), which must
  // count as a failed login rather than an undefined variable.
  $storedHash = null;

  // Prepared statement: the e-mail is bound as a parameter, never concatenated into SQL.
  if ($stmt = $mysqli->prepare("SELECT hash FROM user WHERE email = ?")) {
    $stmt->bind_param("s", $submittedEmail);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $stmt->fetch();
    $stmt->close();
  }

  // Strict comparison of the two digests. The original line read
  // `!$submittedHash != $storedHash`, which compares the boolean false to the
  // stored hash: a correct password was rejected and an unknown e-mail (null hash) accepted.
  if ($submittedHash !== $storedHash) {
    throw new \Exception('Wrong credentials submitted. Please try again.');
  }

  echo 'User ok!';

} catch (Exception $e) {
  echo $e->getMessage();
}

I would however recommend using PHP's password_verify.

Since you probably aren't on PHP 5.5 yet, you can use this class.

JimL
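The hash-on-the-way-in, verify-on-the-way-out flow that the answer above describes, written out against password_hash()/password_verify() as an added example (this is not JimL's code and not from the original post). It assumes PHP 7.0 or later with the pdo_sqlite extension; the in-memory SQLite database, the table layout and the sample user are constructed for the demo.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.0 with
// pdo_sqlite; the database, schema and sample user below are constructed.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (email TEXT PRIMARY KEY, hash TEXT NOT NULL)');
    return $db;
}

// Registration: the plaintext is never stored, only a salted, slow hash.
// password_hash() draws a random salt and encodes algorithm, cost and salt
// into the returned string, so no separate salt column is needed.
function register_user(PDO $db, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (email, hash) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

// Login: fetch the stored hash for this e-mail and let password_verify()
// re-run the same algorithm, salt and cost over the submitted password.
function authenticate(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT hash FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown user: still burn one verify against a dummy hash so the
        // response time does not reveal whether the e-mail is registered.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }

    // Transparent upgrade: if the default algorithm or cost has moved on since
    // this hash was written, rehash now while the plaintext is in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET hash = ? WHERE email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }
    return true;
}

$db = open_db();
register_user($db, 'alice@example.com', 'correct horse battery staple');

var_dump(authenticate($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(authenticate($db, 'alice@example.com', 'wrong password'));
var_dump(authenticate($db, 'nobody@example.com', 'anything'));
```

The hash column only ever holds what password_hash() returned, so the question's "retrieve the password as plain text" step never exists: the stored value is compared, not decrypted. The dummy verify for unknown users is a small extra beyond the answer's code; it keeps the unknown-e-mail path as slow as the wrong-password path.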

When the user creates an account and/or password, the first thing you need to do is create a random salt.

// "RandomStringHere" stands in for per-user random input; "EncryptionKeyHere" is a server-side secret.
$salt = hash_hmac('sha512', "RandomStringHere", "EncryptionKeyHere");

You will store that salt in the db along with their encrypted password. From there, encrypt the text-based password and store it in the db.

// Salt is appended to the password before the keyed hash so equal passwords give different results.
$encryptPassword = hash_hmac('sha512', "plainTextPassword" . $salt, "EncryptionKeyHere");

So now you have a salt and an encrypted password associated with the user.
To authenticate, it's as easy as getting the salt associated with the user, taking their un-encrypted password, encrypting it, and seeing if it matches.

This way you never know the person's password, just whether it matches when they try to log in.

Jordan
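The salt-plus-HMAC scheme from the answer above, filled in as an added example (this is not Jordan's code and not from the original post). Two details are made concrete: the salt comes from a CSPRNG rather than a fixed string, and the comparison is constant-time. It also shows, beside the salted version, why the question's unsalted sha1() is weak: two users with the same password get the same digest. The constant name PEPPER and the placeholder secret are assumptions for the demo; the users and passwords are constructed. Assumes PHP 7.0 or later.

```php
<?php
// Added example, not from the original answer. PEPPER, the sample users and
// their password are constructed for the demo. Assumes PHP >= 7.0.
declare(strict_types=1);

// Server-side secret ("EncryptionKeyHere" in the answer). Assumption: in a real
// deployment this is a random value loaded from config, never from the database.
const PEPPER = 'EncryptionKeyHere';

function make_salt(): string {
    // 16 bytes from the OS CSPRNG, hex-encoded so it fits a text column.
    return bin2hex(random_bytes(16));
}

function hash_password(string $password, string $salt): string {
    // Keyed hash over password||salt, as in the answer's second line.
    return hash_hmac('sha512', $password . $salt, PEPPER);
}

function check_password(string $password, string $salt, string $storedHash): bool {
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading bytes of the candidate digest matched.
    return hash_equals($storedHash, hash_password($password, $salt));
}

// The question's scheme, for contrast: no salt, no key, one fast hash.
function weak_hash(string $password): string {
    return sha1($password);
}

// Constructed sample: two users who happen to choose the same password.
$users = [];
foreach (['alice', 'bob'] as $name) {
    $salt = make_salt();
    $users[$name] = [
        'salt' => $salt,
        'hash' => hash_password('hunter2', $salt),
        'weak' => weak_hash('hunter2'),
    ];
}

// Unsalted sha1: both rows carry the identical digest, so a precomputed table
// or a single cracked row exposes every account using that password.
var_dump($users['alice']['weak'] === $users['bob']['weak']);

// Per-user salt: the stored values differ even though the password is the same,
// so each row has to be attacked separately.
var_dump($users['alice']['hash'] === $users['bob']['hash']);

// Authentication: recompute with the user's own salt and compare.
var_dump(check_password('hunter2', $users['alice']['salt'], $users['alice']['hash']));
var_dump(check_password('hunter3', $users['alice']['salt'], $users['alice']['hash']));
```

The salt defeats precomputation and the pepper means a dumped table alone is not enough to start guessing, but HMAC-SHA512 is still a fast function, which is the point made in the comment thread: a deliberately slow scheme such as bcrypt (password_hash() in PHP) raises the per-guess cost in a way this construction does not.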