
Password hash doesn't match


Gilead

4:15 pm on Dec 8, 2011 (gmt 0)

10+ Year Member



I am using a sha1 hash to encrypt passwords in my application.
All is fine until someone tries to log in. For whatever reason, it won't let anyone in even if they are typing the correct password. What am I doing wrong? Any suggestions?

for members-
$member_password = mysql_real_escape_string(addcslashes(sha1($_POST['password']), "%_"));
for admins-
$password = mysql_real_escape_string(sha1($_POST['password']));

It happens on both sides of the equation- on the admin side and the member side.

from the login page:
$mypassword=mysql_real_escape_string($_POST['password']);

I changed the password to something else in phpmyadmin and was able to log in just fine, so it has to be somewhere in this process.

Thanks!

rocknbil

4:32 pm on Dec 8, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What happens when you do this?

// Get the database password to match, then

echo "Entered $password, database $db_password";
exit;


Do they match? I suspect not?

View the source in case any characters are hidden by the browser. I suspect addcslashes but that's a wild guess.

eelixduppy

4:35 pm on Dec 8, 2011 (gmt 0)



>> addcslashes
This would be the first thing I removed to make things consistent.

How are you comparing the two hashes in the login process? You should be hashing what they type in and comparing it to the hash stored in the database.

Gilead

4:46 pm on Dec 8, 2011 (gmt 0)

10+ Year Member



Unless I did something completely nuts, I added this piece to the login just as it checks the admin table.
$row = mysql_fetch_array($result);
$dbpassword=$row['password'];
echo "Entered Password";
echo $mypassword;
echo '<br />';
echo "Database password";
echo $dbpassword;
The dbpassword is blank!
In phpMyAdmin, the password appears as a 40-character string of numbers and letters.

Do I need to encrypt the input so it matches the one in the database?

Gilead

5:03 pm on Dec 8, 2011 (gmt 0)

10+ Year Member



If I do encrypt it, it works just fine as long as the password has already been encrypted. However, not all users, admins included, have logged in initially to reset their own passwords. How can I get around this?

eelixduppy

5:13 pm on Dec 8, 2011 (gmt 0)



>> Do I need to encrypt the input so it matches the one in the database?
Yes.

>> How can I get around this?
If you are storing their passwords as plain text, you can do an update on that field with the new hash. The difficulty here being how to differentiate between an already hashed password and one that still needs to be hashed.

brotherhood of LAN

5:15 pm on Dec 8, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Encrypt the passwords as soon as they get into the database.

For existing ones, if your SHA1 method has a fixed length, you can update all the password rows that don't have that length (make a backup first if you try it).

UPDATE table SET password = SHA1(password) WHERE LENGTH(password) != 40

This assumes that anyone with an unencrypted password does not have a password with a 40 character length, or it'll remain unencrypted.

Gilead

5:25 pm on Dec 8, 2011 (gmt 0)

10+ Year Member



I'm really confused now.
The temp password that is sent to the user/admin is md5 limited to 8 characters. I wanted something easy for anyone with a temp password.

My problem comes once they login. What is the best way to check for both the full encrypted password and the 8char temp password?
Two database queries? Or can I somehow combine them? OR doesn't seem to work.

...WHERE member_login='$myusername' and member_password='$mypassword' or '$mytemppassword'";
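Putting the thread's advice together (hash the submitted password and compare it in code, select the row by username only, and one-time hash every legacy row whose length is not 40 so temp passwords and full passwords live in the same column), here is an added example that is not from any poster. It is written in Python with an in-memory SQLite table that stands in for the poster's MySQL `members` table; the logins, passwords and the `issue_temp_password` helper are constructed for the demo, and unsalted SHA-1 is kept only because it is what the thread uses.

```python
import hashlib
import hmac
import sqlite3

SHA1_HEX_LEN = 40  # length of a hex SHA-1 digest, the test the thread's UPDATE relies on


def issue_temp_password(seed: bytes) -> str:
    """8-char temp password, the 'md5 limited to 8' scheme described in the thread (constructed)."""
    return hashlib.md5(seed).hexdigest()[:8]


def build_db() -> sqlite3.Connection:
    """Constructed sample table: one hashed row, one legacy plaintext row, one temp password as issued."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (member_login TEXT PRIMARY KEY, member_password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)", [
        ("alice", hashlib.sha1(b"correct horse").hexdigest()),  # already a 40-char hash
        ("bob", "letmein"),                                      # legacy plaintext, never hashed
        ("carol", issue_temp_password(b"temp-seed")),           # 8-char temp password, plaintext
    ])
    db.commit()
    return db


def migrate_plaintext(db: sqlite3.Connection) -> int:
    """One-time fix from the thread: hash every row that is not already 40 chars long.

    Caveat the thread raises: a plaintext password that happens to be exactly 40
    characters is skipped and stays unhashed, so check the row count afterwards.
    Returns the number of rows rewritten."""
    rows = db.execute(
        "SELECT member_login, member_password FROM members WHERE LENGTH(member_password) != ?",
        (SHA1_HEX_LEN,),
    ).fetchall()
    for login, plaintext in rows:
        hashed = hashlib.sha1(plaintext.encode("utf-8")).hexdigest()
        db.execute("UPDATE members SET member_password = ? WHERE member_login = ?", (hashed, login))
    db.commit()
    return len(rows)


def login(db: sqlite3.Connection, username: str, submitted: str) -> bool:
    """Look the row up by username only, then compare hashes in code (no password in the WHERE clause).

    Once the column holds only hashes, a temp password and a full password are
    checked by the same single query: whatever was typed is hashed and compared."""
    row = db.execute("SELECT member_password FROM members WHERE member_login = ?", (username,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha1(submitted.encode("utf-8")).hexdigest()
    # Constant-time comparison; a plaintext row can never equal a 40-char hex digest.
    return hmac.compare_digest(candidate.encode("ascii"), row[0].encode("utf-8"))
```

Before `migrate_plaintext` runs, `bob` cannot log in at all, which is exactly the symptom described in the opening post; after it, every account is checked the same way.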