
So I have a website running PHP which encrypts all passwords using a line such as

password_hash($_POST['password'], PASSWORD_BCRYPT, $options)

and verifies passwords as follows:

$passwordCheck = password_verify($password, $row['password']);

the options variable being:

$options = ['cost' => 00];

I have excluded the number with 00, but it is of course something else; not sure if it is relevant for me to not give out that number.

Here is the issue: I am running a SmartFox server which runs in Java. I am using the login assistant (perhaps I may need not to, please continue reading) and it tries to compare the password I send to it as a plain text password; of course the MySQL passwords are using BCrypt. Now in the documentation it references that I can set the sign up to use MD5, so I presume I must be able to support this type of password check.

Using MD5: http://docs2x.smartfoxserver.com/api-docs/asdoc/com/smartfoxserver/v2/util/PasswordUtil.html

Login assistant documentation: http://docs2x.smartfoxserver.com/DevelopmentBasics/login-assistant

I believe I can try the following, but please don't hesitate to tell me to approach this from another angle or that one of these won't work (as I don't understand hashing/encryption/salt/rainbow tables etc.):

Could I convert the password in the C# application I am sending the password from and have the server check that against the database?

Could I use a preprocessor to convert the password and check it, and set the password to the password from the database if the preprocessor tells me it matches?

Get Java to execute a PHP script if BCrypt isn't available on Java.

2 Answers

I think you are hashing, not encrypting, passwords, if I am not wrong. As BCrypt in PHP can be used to do both, names are important.

Avoid using MD5, it is considered broken nowadays. You have online searches (http://www.hashkiller.co.uk/) and distributed brute-forcing tools that could require even hours or less to break a new MD5 hash.

Still, the question is not totally clear, but let me try: you control the way $row['password'] is stored, but you are using the BCrypt "standard" in PHP and that does not seem to have an equivalent in Java. So you can't read/write $row['password'] from a Java program, in a way that works at least. Is that correct?

If that is the case, the previous question about this here, "How do you use bcrypt for hashing passwords in PHP?", explains to you what BCrypt is, and you could find a library implementing the same algorithm in Java. But I would not suggest that approach; I would rather use one of the Portable PHP Hashing Functions listed in that very same page in the best answer (that should be your first approach in the list?).

The second approach with the preprocessor is not clear, but a general tip: simple is better, way better with security. If it sounds just a little bit "odd" or "cumbersome", avoid it, replace it with something easy to explain, that "looks good" and that can be easily mapped to a well-known / documented solution.

sc0p

There is an implementation of BCrypt in Java here. I make use of it in several of my applications. I've even implemented a GUI to generate hashes and test matching plaintext. BCryptGenerator

Dustin
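An added example (Java; not code from the question, from either answer, or from the SmartFox or BCryptGenerator projects) showing the interop the question asks about and that Dustin's answer points to: verifying, from Java, a hash that PHP's password_hash() stored in MySQL, and producing a Java-side hash that PHP's password_verify() accepts. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt) is on the classpath; the cost value and the sample password are made up.

```java
// Added example, not part of the original question or answers.
// Assumes jBCrypt (org.mindrot.jbcrypt.BCrypt) is on the classpath.
import org.mindrot.jbcrypt.BCrypt;

public class PhpBcryptInterop {

    // PHP's PASSWORD_BCRYPT writes hashes with the "$2y$" identifier. Older jBCrypt
    // releases only accept "$2a$"; both identifiers denote the same algorithm, so the
    // prefix is rewritten before the hash is handed to jBCrypt.
    static String normalizePrefix(String hash) {
        if (hash == null || hash.length() < 4) {
            throw new IllegalArgumentException("not a bcrypt hash");
        }
        if (hash.startsWith("$2y$")) {
            return "$2a$" + hash.substring(4);
        }
        return hash;
    }

    // Check a plaintext login against the value PHP stored (the $row['password'] column).
    // A malformed stored value (for example an MD5 string left over from an old sign-up
    // path) is reported as a mismatch instead of crashing the login handler.
    static boolean verifyPhpBcrypt(String plaintext, String storedHash) {
        try {
            return BCrypt.checkpw(plaintext, normalizePrefix(storedHash));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Hash on the Java side with the same cost as the PHP $options['cost'] value.
    // jBCrypt emits "$2a$..." hashes, which PHP's password_verify() accepts unchanged.
    static String hashForPhp(String plaintext, int cost) {
        return BCrypt.hashpw(plaintext, BCrypt.gensalt(cost));
    }

    public static void main(String[] args) {
        int cost = 12;                                      // assumed; use the real $options cost
        String plaintext = "correct horse battery staple";  // constructed sample password

        // Simulate what PHP stored: same algorithm, "$2y$" identifier.
        String phpStyleHash = "$2y$" + hashForPhp(plaintext, cost).substring(4);

        System.out.println("stored (PHP style) : " + phpStyleHash);
        System.out.println("correct password   : " + verifyPhpBcrypt(plaintext, phpStyleHash));
        System.out.println("wrong password     : " + verifyPhpBcrypt("Tr0ub4dor&3", phpStyleHash));
        System.out.println("malformed column   : " + verifyPhpBcrypt(plaintext, "not-a-bcrypt-hash"));
    }
}
```

The SmartFox side would call verifyPhpBcrypt() from a custom login handler instead of letting the login assistant compare the plaintext against the column; the cost used in hashForPhp() should match the PHP $options cost so that hashes written from either side verify on the other.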