GoFuckYourself.com - Adult Webmaster Forum

Tech: Show logged in users password when using password_hash (https://gfy.com/showthread.php?t=1359133)

Publisher Bucks 11-09-2022 08:50 AM

Show logged in users password when using password_hash
 
So I have a registration system set up for my employees. It allows them to update their information as needed; however, it does not currently show their existing password, instead it shows a hash value.

I'm using the following to add the password to the database:

$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

Which displays something like this on their profile for their password:

$2y$10$bUxrx6rFxS1AISpSCKgGXegQ0CeYMJCrCdUshxQhsjCmC5/yDTRIu

Is there a way that I can unencode that stored variable to show the logged in user what their password actually is on their profile page, instead of the hash, so they can then go ahead and change it if needed?

Thanks.

sarettah 11-09-2022 08:59 AM

You don't want to do that. Just imho, of course.

If the user does not know their password then how did they log into the system to get to the password change screen to begin with?


Publisher Bucks 11-09-2022 09:08 AM

Quote:

Originally Posted by sarettah (Post 23059975)
You don't want to do that. Just imho, of course.

Good enough advice for me :thumbsup

Quote:

If the user does not know their password then how did they log into the system to get to the password change screen to begin with?
They could have it saved in their browser.

So just do a regular reset/forgot password link it is :thumbsup

lezinterracial 11-09-2022 09:35 AM

Quote:

Originally Posted by sarettah (Post 23059975)
You don't want to do that. Just imho, of course.


:thumbsup Yeah, just do a password reset. They make hashes one way; you can't decode them. So, if your database ever gets compromised, there aren't a bunch of compromised passwords out there. People still reuse passwords. They may use the same password and email address for their porn account as they use for their local bitcoin account.

Hackers would have to run a program like OCL-Hashcat, usually with a dictionary file of common passwords. The program hashes a password and compares it to your hash.
It takes a long time. Hashing algos like MD5 are not recommended anymore because they are too easy to process. Looks like a bcrypt algo you've got there. That is a good one.

There are websites where people share stolen databases; one that was shut down was called raidforums, and it was replaced by breached.to. They also share combolists: usernames along with the cracked passwords.

sarettah 11-09-2022 09:36 AM

Quote:

Originally Posted by Publisher Bucks (Post 23059984)
Good enough advice for me :thumbsup

They could have it saved in their browser.

So just do a regular reset/forgot password link it is :thumbsup

And they can go into their browser password manager and get it from there.


Kittens 11-09-2022 09:36 AM

No, you do not display the password in any way possible. That is a security issue. The hash is one way; you do not unhash it to show them the real password "in case they want to change it".

You use the comparing functions to hash their input and compare it with what you have stored. If it comes back good, then you know they typed the right password.

That is all you use it for. Store the hash for retrieval and comparing on login. That's it, do not display it to them.
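The hash-and-compare flow Kittens describes, written out as an added PHP example (not code from anyone in this thread). The $users array and the function names are constructed stand-ins for the poster's database and profile page; only password_hash(), password_verify() and password_needs_rehash() are real PHP functions.

```php
<?php
declare(strict_types=1);

// Constructed sample record standing in for the database row: the stored
// value is only ever the bcrypt hash, never the plaintext.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

/** Registration / password change: store the hash, never the plaintext. */
function storePassword(array &$users, string $user, string $plain): void
{
    $users[$user]['hash'] = password_hash($plain, PASSWORD_DEFAULT);
}

/** Login: hash the submitted password and compare it with the stored hash. */
function login(array &$users, string $user, string $plain): bool
{
    $hash = $users[$user]['hash'] ?? '';
    if ($hash === '' || !password_verify($plain, $hash)) {
        return false;
    }
    // If PASSWORD_DEFAULT or its cost has been raised since this hash was
    // made, re-hash now, while the plaintext is legitimately in hand.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        storePassword($users, $user, $plain);
    }
    return true;
}

/** Profile page: require the current password before accepting a new one. */
function changePassword(array &$users, string $user, string $current, string $new): bool
{
    if (!login($users, $user, $current)) {
        return false; // wrong current password: nothing changes
    }
    storePassword($users, $user, $new);
    return true;
}

var_dump(login($users, 'alice', 'wrong'));
var_dump(changePassword($users, 'alice', 'correct horse battery staple', 'new-pass'));
var_dump(login($users, 'alice', 'new-pass'));
```

The profile page never needs the plaintext: a user who cannot supply their current password goes through the reset link the other replies suggest, not through a decoded hash.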

