11-09-2022, 08:50 AM   #1
Publisher Bucks
Show logged-in user's password when using password_hash

So I have a registration system set up for my employees. It allows them to update their information as needed; however, it does not currently show their existing password, instead it shows a hash value.

I'm using the following to add the password to the database:

$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

Which displays something like this on their profile for their password:

$2y$10$bUxrx6rFxS1AISpSCKgGXegQ0CeYMJCrCdUshxQhsjCmC5/yDTRIu

Is there a way that I can unencode that stored variable to show the logged-in user what their password actually is on their profile page, instead of the hash, so they can then go ahead and change it if needed?

Thanks.
11-09-2022, 08:59 AM   #2
sarettah
You don't want to do that. Just imho, of course.

If the user does not know their password then how did they log into the system to get to the password change screen to begin with?



.
11-09-2022, 09:08 AM   #3
Publisher Bucks
Quote:
Originally Posted by sarettah
You don't want to do that. Just imho, of course.

Good enough advice for me

Quote:
If the user does not know their password then how did they log into the system to get to the password change screen to begin with?

They could have it saved in their browser.

So just do a regular reset/forgot password link it is
11-09-2022, 09:35 AM   #4
lezinterracial
Quote:
Originally Posted by sarettah
You don't want to do that. Just imho, of course.

Yea, just do a password reset. They make hashes one way; you can't decode them. So, if your database ever gets compromised there aren't a bunch of compromised passwords out there. People still reuse passwords. They may use the same password and email address for their porn account as they use for their local bitcoin account.

Hackers would have to run a program like OCL-Hashcat. Usually they run a dictionary file of common passwords. The program hashes a password and compares it to your hash.
It takes a long time. Hashing algos like MD5 are not recommended anymore because they are too easy to process. Looks like a bcrypt algo you got there. That is a good one.

There are websites (one that was shut down, called raidforums, was replaced by breached.to) where people share stolen databases. They also share combolists: usernames along with the cracked passwords.
11-09-2022, 09:36 AM   #5
sarettah
Quote:
Originally Posted by Publisher Bucks
Good enough advice for me

They could have it saved in their browser.

So just do a regular reset/forgot password link it is

And they can go into their browser password manager and get it from there.

.
11-09-2022, 09:36 AM   #6
Kittens
No, you do not display the password in any way possible. That is a security issue. The hash is one way, you do not unhash it to show them the real password "in case they want to change it".

You use the comparing functions to hash their input and compare it with what you have stored. If it comes back good, then you know they typed the right password.

That is all you use it for. Store the hash for retrieval and comparing on login. That's it, do not display it to them.
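The flow the replies above converge on, written out as an added example (not code from any poster in this thread): the profile page never shows or decodes the stored value, and a password change requires re-typing the current password, which is checked with `password_verify()`. The in-memory `$users` array, the function names and the 12-character minimum are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users table" standing in for the real database.
$users = [];

// Registration: only the hash is ever stored, as in the original post.
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login check: password_verify() re-hashes the input using the salt and cost
// embedded in the stored hash and compares the result in constant time.
function check_login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Upgrade hashes that were created with an older algorithm or cost.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Profile page "change password": the user re-types the current password
// instead of being shown it; the stored hash never leaves the server.
function change_password(array &$users, string $name, string $current, string $new): bool
{
    if (!check_login($users, $name, $current)) {
        return false;
    }
    if (strlen($new) < 12) { // assumed minimum length for this example
        return false;
    }
    $users[$name] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample run.
register_user($users, 'alice', 'correct horse battery staple');
var_dump(check_login($users, 'alice', 'wrong guess'));
var_dump(change_password($users, 'alice', 'wrong guess', 'a new long passphrase'));
var_dump(change_password($users, 'alice', 'correct horse battery staple', 'a new long passphrase'));
var_dump(check_login($users, 'alice', 'a new long passphrase'));
```

A user who has forgotten the current password goes through the reset link instead, so no code path ever needs the plaintext back.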