
I want to show the decrypted password in the update form, as the line

<?= $form->field($model, 'password_hash')->passwordInput() ?>

shows the full-length encrypted password, like:

$2y$13$4SUKFKV03ZolfDwLIsZRBuD4i7iELPZRMEJojODgP3s5S4dER.J0m

which is the encrypted password for 123456.

Salem Ouerdani
Jsparo30
    you can NOT unhash a password, a password hash is not the password in an encrypted form – cmorrissey Feb 26 '16 at 20:12
  • You need to use an encryption algorithm that supports it http://stackoverflow.com/questions/5089841/two-way-encryption-i-need-to-store-passwords-that-can-be-retrieved – Keyne Viana Feb 26 '16 at 20:16
  • I found this // $secretKey is obtained from user input, $encryptedData is from the database $data = Yii::$app->getSecurity()->decryptByPassword($encryptedData, $secretKey); but don't know how to get $secretKey. Any Help – Jsparo30 Feb 26 '16 at 20:29
  • Not possible, and a bad idea to display unencrypted passwords. Normally when someone registers you hash their password, then write only the hashed version to your db. To verify the pw on login you hash the pw they enter and compare it to the hash you have stored. So their real pw is never stored or displayed anywhere. – Joseph James Feb 26 '16 at 22:24

2 Answers

As already mentioned by @TomCarrick, hashing passwords is a one-way algorithm and is never meant to be reversed. The process of verifying the validity of a proposed password is hashing it using the same algorithm, then checking whether the resulting hash is the same as the one you already have. This strategy is handled in Yii within the User class, the one extending the IdentityInterface and defined in your config file, and it is done within these two methods:

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    ...

    // Hashes the proposed password with the same algorithm (and the salt
    // embedded in the stored hash) and compares the result to password_hash.
    public function validatePassword($password)
    {
        return Yii::$app->security->validatePassword($password, $this->password_hash);
    }

    // Stores only the hash; the plaintext password is never written to the database.
    public function setPassword($password)
    {
        $this->password_hash = Yii::$app->security->generatePasswordHash($password);
    }
}

NOTE: The following is not recommended. If it is for an update form, like a user changing his password, as I understood from your question, then I would recommend using two inputs, old_password and new_password, as used on most websites. Then, the same way as implemented in the User class, you may check the entered password's validity by comparing hashes and, if it is valid, you just hash the new_password and save it to the database, overriding the old one.

If, for whatever reasons you have, you need to know users' passwords, then you will need to manually change the way Yii sets and validates those passwords by implementing a LESS SECURE strategy. This can be achieved by replacing that one-way algorithm with a different one, like using the encryptByPassword() and decryptByPassword() helper methods, which allow you to encrypt any string using a $secretKey that you will use later to decrypt it back. So you will need to override the previously mentioned two methods with this:

// The key every stored password is encrypted with; anyone who obtains it
// (and the database) can recover every password.
public $secretKey = 'WHATEVER_SECRET_YOU_CHOOSE';

public function validatePassword($password)
{
    // decryptByPassword() returns false if the data or key is wrong,
    // so the strict comparison below then fails as well.
    $decryptedPassword = Yii::$app->getSecurity()->decryptByPassword($this->password_hash, $this->secretKey);
    return $decryptedPassword === $password;
}

public function setPassword($password)
{
    // Stores the reversible ciphertext instead of a one-way hash.
    $this->password_hash = Yii::$app->getSecurity()->encryptByPassword($password, $this->secretKey);
}

If needed, you can also implement setter and getter methods inside your model, like:

// Virtual "password" attribute: reading it decrypts the stored value ...
public function getPassword()
{
    return Yii::$app->getSecurity()->decryptByPassword($this->password_hash, 'THE_SECRET_YOU_ALREADY_HAVE_CHOOSEN');
}

// ... and assigning it encrypts the new value into password_hash.
public function setPassword($password)
{
    $this->password_hash = Yii::$app->getSecurity()->encryptByPassword($password, 'THE_SECRET_YOU_ALREADY_HAVE_CHOOSEN');
}

which you can use anywhere to retrieve the real password, while at least keeping a decrypted version of it in the database:

<?= $form->field($model, 'password')->passwordInput() ?>

You may also find more about security helper methods here.

Salem Ouerdani
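As an added example (not code from the question or from either answer), the following plain-PHP stand-in for the two User methods above shows why the stored value cannot be turned back into 123456 and how the update form should be wired so that login keeps working. It assumes that Yii's generatePasswordHash() delegates to PHP's password_hash() with bcrypt at cost 13, which is what produces the "$2y$13$" prefix in the question; the UserRecord class, applyPasswordUpdate() and the newPassword attribute are names chosen for this example, not part of Yii.

```php
<?php
// Added example: plain-PHP equivalent of Yii's User::setPassword() and
// User::validatePassword(). Yii's generatePasswordHash() is assumed to call
// password_hash() with bcrypt and cost 13 (Yii's default), which yields the
// "$2y$13$..." string seen in the question.
declare(strict_types=1);

final class UserRecord
{
    // Stands in for the password_hash column of the user table.
    public string $password_hash = '';

    public function setPassword(string $password): void
    {
        // bcrypt generates a fresh random salt per call and embeds it in the hash.
        $this->password_hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 13]);
    }

    public function validatePassword(string $password): bool
    {
        // Re-hashes $password with the salt taken from the stored hash and
        // compares in constant time. There is no function that does the reverse.
        return password_verify($password, $this->password_hash);
    }
}

/**
 * Update-form handling that avoids the failure described in the comments
 * (the form writing the displayed hash back as the "password", after which
 * login fails): bind the input to a separate, write-only attribute
 * (here the hypothetical `newPassword`) instead of to `password_hash`, and
 * re-hash only when the user actually typed a new password.
 */
function applyPasswordUpdate(UserRecord $user, array $post): UserRecord
{
    $new = $post['newPassword'] ?? '';
    if ($new !== '') {
        $user->setPassword($new);
    }
    // An empty field leaves the existing hash untouched.
    return $user;
}

// Constructed demonstration data, not real credentials.
$user = new UserRecord();
$user->setPassword('123456');
printf("stored hash: %s\n", $user->password_hash);
// password_get_info() reports the algorithm and cost, but cannot recover the input.
printf("hash info: %s\n", json_encode(password_get_info($user->password_hash)));

printf("correct password verifies: %s\n", var_export($user->validatePassword('123456'), true));
printf("wrong password verifies:   %s\n", var_export($user->validatePassword('1234567'), true));

// Reproduce the mistake from the question: the hash itself is submitted as the
// new password, so the stored value becomes a hash of the old hash and the
// original password no longer verifies.
$broken = clone $user;
$broken->setPassword($broken->password_hash);
printf("after re-hashing the hash, 123456 verifies: %s\n", var_export($broken->validatePassword('123456'), true));

// Corrected handling: a blank field keeps the old hash, a non-empty field
// replaces it with a hash of the new plaintext.
$kept = applyPasswordUpdate(clone $user, ['newPassword' => '']);
printf("blank field, 123456 still verifies: %s\n", var_export($kept->validatePassword('123456'), true));

$changed = applyPasswordUpdate(clone $user, ['newPassword' => 'correct horse']);
printf("new password verifies: %s\n", var_export($changed->validatePassword('correct horse'), true));
printf("old password verifies: %s\n", var_export($changed->validatePassword('123456'), true));
```

Each password_hash() call at cost 13 deliberately takes a noticeable fraction of a second, so the script runs for a few seconds; that cost is the point of bcrypt, since it slows down anyone trying candidate passwords against a leaked hash. In a Yii form the same separation is achieved by validating a form model with its own password attribute and calling $user->setPassword() from the controller only when that attribute is non-empty.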

You can't. That's the whole point of hashing passwords, so they can't be reversed to the original plaintext.

Tom Carrick
  • You could depending on the hash algorithm! – Keyne Viana Feb 26 '16 at 20:16
    No. It's not a hash if you can decrypt it. A hash is a one way function. – Tom Carrick Feb 26 '16 at 20:21
  • Right, but maybe the OP doesn't know about two-way encryption. – Keyne Viana Feb 26 '16 at 20:27
  • Ok, but that's not what was asked. And in any case, this is a very bad idea. If someone gains access to his account, say by session hijacking or even just jumping on their computer when they're not looking, they can now see his password by going to the edit page, and chances are, the user uses this password on many sites... – Tom Carrick Feb 26 '16 at 20:31
  • The problem which I suffer from is that the form saves the updated password as the encrypted password, so I can't log in again. – Jsparo30 Feb 26 '16 at 20:44