
I am almost done with a project using codeigniter and ion_auth for authentication. I can't figure out this little issue:

When the user wants to change the password, I have the fields OLD_PASSWORD and NEW_PASSWORD. OLD_PASSWORD has to match the database's password (DB_PASSWORD). But I can't figure out how the password was encrypted to be stored in the database. So OLD_PASSWORD never matches DB_PASSWORD, obviously.

I haven't changed any of the default encryption for the ION_AUTH library. I tried the sha1() function and it didn't match the encryption. Same for md5(), which is not recommended for encrypting passwords anymore.

Can anyone shine a light on this for me?

Caio Mar
  • As a note, you should never actually be able to read the user's password from the database - if you can, your system is not secure. – Krease Feb 12 '14 at 17:53
  • Ok. So how do you go about verifying password? How do you keep it secured? I've read a few articles about security but there are so many controversies between writers that it becomes hard to know how to keep your site safe. – Caio Mar Feb 12 '14 at 18:02
  • [This](http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html) and the [password management tag on Information Security Stackexchange site](http://security.stackexchange.com/questions/tagged/password-management) are some recommended reading if you're learning about this. It's a bit of a tangent from your original question, but useful to know if you're working in this area. – Krease Feb 12 '14 at 18:16
  • Sweet! I took a quick look and will definitely read it later. Thanks! – Caio Mar Feb 12 '14 at 18:20
  • Don't re-invent password authentication processes, take a look at theories and packages/libraries that already solve this problem, like PHPass. The theory is to MATCH passwords, not to check if they're exactly the same, so if you'd hash the same password twice you should not get the SAME hash but instead you should get 2 hashes that MATCH one another. Basically, if a site's owner can tell you your password then it's just a matter of time until a hacker can do it too, and he's not going to give it to you, instead he'll use it or sell it. – Jonast92 Feb 12 '14 at 21:20
  • @Jonast92 thanks for the comment! I will do my homework on site security. What you said makes very much sense. Appreciate it. – Caio Mar Feb 14 '14 at 14:06

1 Answer


Ion auth creator here.

The default encryption is sadly using SHA1 for backwards compatibility.

There is an option in the config to use BCrypt instead which is strongly recommended.

The password is hashed along with a salt though so simply running SHA1 against the password won't give you the same results. Take a look at the hash_password() method to see how it's done here: https://github.com/benedmunds/CodeIgniter-Ion-Auth/blob/2/models/ion_auth_model.php#L267

If you're using all the defaults you can do this to compare:

```php
// user() builds the query for the logged-in user; row() fetches the user object
$user = $this->ion_auth->user()->row();

// the "old password" the user typed into the change-password form
$old_password = $this->input->post('old_password');

// hash_password_db() re-hashes $old_password with the stored salt (or verifies it
// with bcrypt, depending on the hash_method config) and compares it to the
// stored value; it returns TRUE on a match and FALSE otherwise
$password_matches = $this->ion_auth->hash_password_db($user->id, $old_password);
```
Ben Edmunds
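The comments on the question (verify passwords by matching against a hash, never by reading the password back) and the answer (the stored value is a salted SHA1 hash, so a bare sha1() never matches, and bcrypt is the recommended option) describe the same verification idea. The following is an added example, not Ion Auth's code and not part of the original post: the salted-SHA1 layout it uses is a simplified illustration of a legacy scheme, not Ion Auth's exact implementation, and it relies only on PHP's built-in sha1(), hash_equals() and password_hash()/password_verify() functions. The function names (legacy_hash, legacy_verify, bcrypt_hash, verify_old_password) are my own.

```php
<?php
// Added example, not Ion Auth's code. Demonstrates why sha1($typed) cannot
// equal a salted stored hash, and how an "old password" check works by
// verifying against the stored record instead of reading a password back.

// Legacy style (illustrative only): store "salt:sha1(salt . password)".
function legacy_hash(string $password, ?string $salt = null): string
{
    // 16 hex characters of random salt, generated per user
    $salt = $salt ?? bin2hex(random_bytes(8));
    return $salt . ':' . sha1($salt . $password);
}

// Verify a typed password against a legacy record. hash_equals() compares in
// constant time so the check does not leak how many leading bytes matched.
function legacy_verify(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;          // malformed record: refuse rather than guess
    }
    [$salt, $digest] = $parts;
    return hash_equals($digest, sha1($salt . $password));
}

// Recommended: bcrypt via PHP's password_* API. A fresh salt is generated on
// every call and embedded in the returned string, so hashing the same password
// twice yields two different strings that both verify.
function bcrypt_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Dispatch on the stored format: bcrypt strings produced by password_hash()
// begin with "$2y$"; anything else is treated as a legacy record here.
function verify_old_password(string $typed, string $stored): bool
{
    if (strncmp($stored, '$2y$', 4) === 0) {
        return password_verify($typed, $stored);
    }
    return legacy_verify($typed, $stored);
}

// --- Demonstration with constructed values ---
$password = 'correct horse battery staple';   // constructed sample password

$legacy = legacy_hash($password);
echo "bare sha1() equals stored legacy record: ",
     var_export(sha1($password) === $legacy, true), PHP_EOL;
echo "legacy record verifies typed password:   ",
     var_export(verify_old_password($password, $legacy), true), PHP_EOL;
echo "legacy record verifies wrong password:   ",
     var_export(verify_old_password('wrong', $legacy), true), PHP_EOL;

$h1 = bcrypt_hash($password);
$h2 = bcrypt_hash($password);
echo "two bcrypt hashes of one password equal:  ",
     var_export($h1 === $h2, true), PHP_EOL;
echo "first bcrypt hash verifies:              ",
     var_export(verify_old_password($password, $h1), true), PHP_EOL;
echo "second bcrypt hash verifies:             ",
     var_export(verify_old_password($password, $h2), true), PHP_EOL;
```

The first line of output is the situation in the question: the typed password run through sha1() on its own is compared against a record that also contains a salt, so the strings cannot be equal even when the password is right. The bcrypt lines show the "match, don't compare" point from the comments: two hashes of the same password are different strings, yet password_verify() accepts the typed password against either one, because each string carries its own salt.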