I have one important question about the import of users into firebase authentication. My old system contains users passwords in md5 hash format. I used php md5 function to take the hash of passwords. Now the problem is that while importing the user through firebase command line, firbase import command requires the number of rounds used during md5 hash, but php don't provide any information about that. As a result user password don't match after import. Kindly help me to get rid of that problem. I am waiting for your kind response.
If you're using PHP built-in md5 function like md5($passwrd), base64 encode it and set as passwordHash field in accounts file. Then set rounds to 0.
Example:
Suppose I have a password string which is "Hello", I can get the base64 encoded md5 hash string like below.
php > $pwd = "Hello";
php > echo base64_encode(md5($pwd));
OGIxYTk5NTNjNDYxMTI5NmE4MjdhYmY4YzQ3ODA0ZDc=
Use the generated OGIxYTk5NTNjNDYxMTI5NmE4MjdhYmY4YzQ3ODA0ZDc= as passwordHash filed. Then run auth:import with MD5 hash-algo and 0 rounds. I manually verified it can work.
Related
I am learning about hashing and encryption and can’t seem to understand this:
Client: New user logs in => Creates password => Sent to a server in plain text
Server: Server generates a random "salt" => plain text and salt are unified => Hash function (e.g. SHA-3) hashes the password+salt into a hash => Hash is stored in DB.
Client: Same user logs out and logs in => Password sent to a server in plain text.
Server: Password needs to re-add the same salt it generated when creating the account to get the same hash.
How does the server generate that same random and unique salt?
Is the salt stored on a different DB altogether?
If a DB is compromised the hackers would also gain access to the salt and just brute force rainbow tables with the salt and unhash them.
The salt that was randomly generated must be stored in the database and linked to the user that logged in. It could be simply added as another column in the user table.
In a typical setting, the salt and the password (or its version after
key stretching) are concatenated and processed with a cryptographic
hash function, and the output hash value (but not the original
password) is stored with the salt in a database
Source: https://en.wikipedia.org/wiki/Salt_(cryptography) retrieved 19/02/21
The generation of the salt depends on which technology you are using. The following stack overflow answer has an example for PHP:
Can we use uniqid() to generate a unique Salt in PHP
The password should also never be sent in plain text to the server. This can be done via HTTPS for example
When the user logs in again. The password is sent to server side along with email.
The email is used to fetch the user record and then the Hash value saved against that email is compared with the new hash (salt + password entered).
The validate function method matches the 2 different hash values and checks if password entered was same or not.
For example, I am using bcrypt in Node JS and it has a method compareSync which matches the entered password with the saved hash
bcrypt.compareSync(password, databaseHash);
I want to create/update realmdb password on path __password.
I cannot find clear documentation about it, i just explore realm studio and realmdb graphql API.
From realm studio i found salt, digest (sha512), and hash.
From that key i produce sha512 hash with https://www.convertstring.com/Hash/SHA512.
the problem is, character length from sha512 just 128 character. i tried to compare with other hash password, they have 684 character.
the other key i found inside path __password such as iterations and keyLength, i don't know what that for.
actually i can use this API for create user.
Realm.Sync.User.login([**serverURL**],Realm.Sync.Credentials.usernamePassword([**username**], [**password**], true));
but i want to update password too. there is no documentation about changing password.
the question is :
How i can produce sha512 with output 684 character ?
How to update realm password directly to path __password ?
What is best practice to update user password ?
I have implemented a client-server based app where each client is represented by a PLAIN-TEXT email (since i have to interact with users via email sometimes)
The client sends its email as md5-encoded string (weakness of md5 is another topic but not relevant for the question.
I am searching for a xquery-statement to retrieve the plain-text from the xml doc, having its encryption.
In SQL it would be something like select * from db where MD5(db.email)==email
BaseX has a hash: XQuery module, which also contains an MD5 function hash:md5($value as xs:anyAtomicType) as xs:base64Binary.
Your query will be something similar to //user[#email eq hash:md5($email)].
I am trying to decrypt a set of files with GnuPG, for which I already have the username and password. However, I cannot seem to be able to do so, even though I have generated a new key with the given credentials. When trying to run
gpg --output result.sc --decrypt myFile.sc.xz.gpg
I get:
gpg: encrypted with RSA key, ID 3662FD5E
gpg: decryption failed: No secret key
I am wondering, which are the steps in decrypting with GnuPG? I followed the instructions here http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/, but still did not get it to work. I have no other key given except for these credentials.
You're missing the private key with 3662FD5E.
I have no other key given except for these credentials.
Without this key, you cannot decrypt the file. The password you have might protect the private key, but without the private key, there's definitely no way to decrypt the file (unless in future, a way is found to crack the encryption, but as of now, pretty much all relevant and actually used algorithms in OpenPGP are believed to be secure).
even though I have generated a new key with the given credentials
Keys are generated from random numbers, you cannot generate the same key again, also when using the same user ID and password.
I'm creating a small service using api-libraries, such as Twitter. Is it possible to input users password to Twitter-api crypted. I would not like to store peoples passwords uncrypted on my server, but writing them every time is annoying.
Does someone know?
Martti Laine
You should consider using OAuth.
Here are some examples.
If you're using PHP you can use the GnuPG extension to easily encrypt any credentials on your side, and decrypting them before making the API calls.
Here's a check list of things you need:
make sure gpg is installed on your system;
create a gpg key pair and store the files on a safe location;
optionally password protect the generated private key;
use PHP's GnuPG extension to encrypt and decrypt data using those keys.
Here's a small PHP example, taken from the gnupg_encrypt() manual:
<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>
This technique should also be applied even if you're using OAuth or other password-less authentication method. A common mistake is to use OAuth and not encrypt locally saved tokens as access to those tokens might give anyone the power to act on behalf of the user.