Develop Reference

How to hash realmdb password

I want to create/update realmdb password on path __password.
I cannot find clear documentation about it, i just explore realm studio and realmdb graphql API.
From realm studio i found salt, digest (sha512), and hash.
From that key i produce sha512 hash with https://www.convertstring.com/Hash/SHA512.
the problem is, character length from sha512 just 128 character. i tried to compare with other hash password, they have 684 character.
the other key i found inside path __password such as iterations and keyLength, i don't know what that for.
actually i can use this API for create user.
Realm.Sync.User.login([**serverURL**],Realm.Sync.Credentials.usernamePassword([**username**], [**password**], true));
but i want to update password too. there is no documentation about changing password.
the question is :
How i can produce sha512 with output 684 character ?
How to update realm password directly to path __password ?
What is best practice to update user password ?

Firebase authentication: What do the scrypt password hash parameters mean?

what are the functions of different parameters in firebase authentication
I searched the internet to get the information of the these parameters, but I was unsuccessful. What is the difference between rounds and mem_cost?What does Bw== in salt seperator mean
hash_config {
algorithm: SCRYPT,
base64_signer_key: jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==,
base64_salt_separator: Bw==,
rounds: 8,
mem_cost: 14,
}

Firebase Authentication uses an internal version of the scrypt password-based key derivation function to hash account passwords.
Unique hash parameters are generated for each Firebase project. These may be viewed in:
Firebase Console > Authentication > Users
Select Password Hash Parameters from the drop down in the upper-right hand corner of the users table.
Firebase Scrypt Parameters
algorithm - SCRYPT
base64_signer_key - The public key of the signer
base64_salt_separator - The separator to use when concatenating the hash with the salt
rounds - The blocksize parameter, which fine-tunes sequential memory read size and performance. An integer between 0 and 120000 (inclusive).
mem_cost - The memory cost. An integer between 1 and 14 (inclusive)
Additional Resources
Firebase Authentication Password Hashing
stackoverflow: What are optimal scrypt work factors?
The Scrypt Parameters

hash_config {
algorithm: SCRYPT,
base64_signer_key: ecUEAYeNIvBmRWc+TvdNG+EaHzoABQnQeDWLva2/Onb2iTTxVDTUZ7KdXlQpxD7pVmcM9LR6L9QzCnI8mjR64A==,
base64_salt_separator: Bw==,
rounds: 8,
mem_cost: 14,
}

Symfony 3 - Firewall Listener Performance at Login

Replied to my own question and posted it here for reference to others.
Setup
My application is really fast out of the box, running:
Symfony 3 with Doctrine2
PHP 5.6.* with CGI/FastCGI as a PHP handler (not even php 7)
mySQL 5.6.*
Then, it is optimised further with:
Zend OpCache to get faster PHP execution through opcode caching and optimization
Memcached to store user sessions in memcached
Memcached to act as a metadata cache driver and a query cache driver for doctrine 2
The bottleneck
However, one route is very slow and that is the fos_user_security_check route when I authenticate via the login form.
It shows Symfony\Bundle\SecurityBundle\EventListener\FirewallListener as the culprit - though I am not sure why that is because this route lights up quickly on my local machine but doesn't on my production machine.
Things that I have tried
[x] To use Memcached to cache PHP sessions -> no difference
[x] To use Memcached to cache Doctrine stuff -> no difference
[x] To run mysql with skip-name-resolve -> no difference
Related posts I have seen
SecurityBundle Configuration ("security")
What is the Symfony Firewall doing that takes so long?
Why does the Symfony 2 firewall take so long to load?

Two words!! "Encryption Algorithm".
There is a compromise between 'speed' and 'security'.
See Using the pbkdf2 Encoder Security and Speed.
An example to show how 2 different encryption may affect speed.
Configuration A:
# Login in 3.5s in my case
security:
FOS\UserBundle\Model\UserInterface:
# . Use `bcrypt` algorithm
algorithm: bcrypt
cost: 13
Configuration B:
# Login in 400ms in my case
security:
FOS\UserBundle\Model\UserInterface:
# . Use `pdkdf2` algorithm
algorithm: pbkdf2
hash_algorithm: sha512
encode_as_base64: true
iterations: 1000
key_length: 40
Note, you will have to recreate your user in your database to test different encryption mechanisms.
This explains:
... this route lights up quickly on my local machine but doesn't on my production machine.
My local machine has a Intel Core i7-7820HQ # 2.90GHz
My production machine has a Intel Xeon E5-2620 v2 # 2.10GHz

Does ASP.NET use SHA256 or SHA1?

I'm using the default identity stuff provided by ASP.NET 4.5 MVC and Entity Framework. I can create users with passwords and the hashed password shows up in the database. I'm trying to figure out if that hash is generated using the no-longer-trusted SHA1 algorithm or the SHA2 algorithm (be it SHA256, SHA512, etc).
Articles which seem to say it defaults to SHA256:
https://www.asp.net/whitepapers/aspnet4/breaking-changes#0.1__Toc256770148
http://kosmisch.net/Blog/DotNetEssential/Archive/2015/2/1/aspnet-membership-default-password-hash-algorithms-in-net-4x-and-previous-versions.html
Articles which seem to say it defaults to SHA1:
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing
https://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes.aspx
When I follow the chain down, I end up inside the PasswordHasher.cs class -> HashPassword() -> Crypto.HashPassword() which I can see is using Rfc2898DeriveBytes which then has a bunch of stuff about HMACSHA1.
So are my passwords getting hashed by SHA256 or SHA1? Easy way to default to SHA256?
If it helps, here is a dummy password taken from my local environment:
AIPfkvy5v59jmVZdPpU9QfUMoToCQ+Rp3dBT7m9RwMKZai5/61REkN/0InCtxKPUOQ==

So it looks like the answer is neither exactly:
From the comments in the ASP.Net Identity Source Code
Version 0:
PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
See also: SDL crypto guidelines v5.1, Part III)
Format: { 0x00, salt, subkey }
Ultimately the hashing algorithim is SHA1, but it is not a simple SHA1 hash of the password, or even a SHA1 + salt hash.
It is worth pointing out that SHA1 is considered "broken" for digital signatures due to a mathematical attack, reducing the computational effort of generating a collision to just-about feasible levels.
This does not apply to hashed passwords.
Links for further reading.
Is SHA-1 secure for password storage?
https://www.schneier.com/blog/archives/2005/02/sha1_broken.html
https://en.wikipedia.org/wiki/PBKDF2
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
Rfc2898DeriveBytes and HMACSHA1

Authenticating against a Database. Hashing a password

How do I hash a password to store it in DB if bcrypt is used as algorithm?
security:
encoders:
Hoax\PartnerBundle\Entity\Partner:
algorithm: bcrypt
I tried this code, but it returns different results all the time:
$factory = $this->get('security.encoder_factory');
$user = new Hoax\PartnerBundle\Entity\Partner();
$encoder = $factory->getEncoder($user);
$password = $encoder->encodePassword('ryanpass', $user->getSalt());
$user->setPassword($password);

I am not too familiar with bcrypt, but the symfony docs give you the answer to your question. And although it is best practice in most cases to use the Symfony2 salt method, it looks like bcrypt incorporates the salt into the password. Read the bcrypt section of the symfony docs.
A salt for each new password is generated automatically and need not be persisted. Since an encoded password contains the salt used to encode it, persisting the encoded password alone is enough.
This is why the password is different each time. The hash itself already has the salt stored in there. So the password 'password' will have a different hash each time it is 'bcrypt'ed because it includes the salt