Password, hash, bcrypt


Password, hash, bcrypt

robm
Something went wrong, but... let's go again.

Hi people.

I have been getting involved with Koha (19.05 on Debian 10) since last November. I am contributing to
translation too, and digging into the DB, scripts... Right now I have a new
challenge: I need to know which method the system applies to encrypt
borrowers' passwords. I know that it uses Bcrypt 8, but the stored encrypted
string does not match the typed string. Any clue???
Thanks in advance.




--
Sent from: http://koha.1045719.n5.nabble.com/Koha-general-f3047918.html
_______________________________________________
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha

Re: Password, hash, bcrypt

Bernardo Gonzalez Kriegel-2
Hi Robm

> I have been getting involved with Koha since last November. I am contributing to
> translation too, and digging into the DB, scripts... Right now I have a new
> challenge: I need to know which method the system applies to encrypt
> borrowers' passwords. I know that it uses Bcrypt 8, but the stored encrypted
> string does not match the typed string. Any clue???
>

What kind of match do you expect?

Try the following (using a Koha user shell) to see what an encrypted
password will look like

perl -e 'use Koha::AuthUtils qw ( hash_password ); $text = "clearpass";
$pass = hash_password( $text ); print "$text -> $pass\n";'

you will get something like

clearpass -> $2a$08$osRn3haIkwt2Lf3dAWAPt.aIpl/qRF7bNo1w4kVOmXZ09VzSwHmkC

Regards
Bernardo

Re: Password, hash, bcrypt

robm
Hi Bernardo.

Let me explain, because encoding/decoding passwords is a sensitive subject. First
of all, we know that it is impossible to reverse the stored password because bcrypt
is a one-way method. My need is this: I have a system, still in use, that
has some tools written by myself in PHP etc. They are for printing labels,
meeting room agendas etc.

My staff and I have access to this program by username & password, but I
would like to validate that access against the username & password stored in the Koha
db. That way we would all have just one account to manage.

But really thanks for your reply.

rob

P.S. If we use an online Bcrypt generator (e.g.
https://www.browserling.com/tools/bcrypt) and put in, like your example,
"clearpass" (using Rounds 8, because chars 03-05 are "$08" in the encrypted
string), we get a different result compared with Koha::AuthUtils. Why? Because
Koha has something more (a salt) that goes along with our passphrase when
creating the hash (encrypted string).




Re: Password, hash, bcrypt

robm
Oooooooooooooooo!!!

I found it!

PHP has a function, password_verify(), for this job!! A piece of cake! ;-)

Regards!!

rob



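Added example (not code from this thread, and not Koha's own code): the PHP-side check robm describes, validating a login against the bcrypt string Koha stores, plus a database-free self-check showing why two hashes of the same password differ yet both verify. It assumes a PDO handle to the Koha database and the column names borrowers.userid and borrowers.password (adjust to your schema if they differ); the dummy hash reused for timing equalisation is the "clearpass" hash Bernardo posted above.

```php
<?php
declare(strict_types=1);

// Well-formed bcrypt string used only to keep timing constant for unknown users.
// It is the "clearpass" hash Bernardo posted earlier in this thread.
const DUMMY_HASH = '$2a$08$osRn3haIkwt2Lf3dAWAPt.aIpl/qRF7bNo1w4kVOmXZ09VzSwHmkC';

/** True if $hash looks like a complete bcrypt string: prefix, 2-digit cost,
 *  22-char salt and 31-char digest (60 chars total). */
function is_bcrypt_hash(string $hash): bool
{
    return preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

/** Check a typed password against the string Koha stores for the borrower. */
function koha_password_matches(string $password, ?string $stored_hash): bool
{
    if ($stored_hash === null || !is_bcrypt_hash($stored_hash)) {
        return false; // NULL, empty or non-bcrypt value: never a match
    }
    // password_verify() reads cost and salt out of $stored_hash, recomputes
    // bcrypt over $password with them and compares in constant time. This is
    // why a hash generated elsewhere never string-equals the stored one.
    return password_verify($password, $stored_hash);
}

/** Validate a login against Koha's borrowers table (assumed column names). */
function koha_login(PDO $db, string $userid, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM borrowers WHERE userid = ? LIMIT 1');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown userid: still spend one bcrypt so response time does not
        // reveal which logins exist.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return koha_password_matches($password, $row['password']);
}

/** Database-free self-check of the behaviour discussed in the thread. */
function self_check(): bool
{
    // Cost 8 matches the "$08$" Koha writes; PHP itself emits the "$2y$" prefix.
    $h1 = password_hash('clearpass', PASSWORD_BCRYPT, ['cost' => 8]);
    $h2 = password_hash('clearpass', PASSWORD_BCRYPT, ['cost' => 8]);
    return $h1 !== $h2                                   // fresh random salt each time
        && koha_password_matches('clearpass', $h1)       // ...yet both verify
        && koha_password_matches('clearpass', $h2)
        && !koha_password_matches('wrong', $h1)
        && !koha_password_matches('clearpass', null)
        && !koha_password_matches('clearpass', 'not-a-bcrypt-string');
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
}
```

Two caveats for anyone wiring this into a real login. First, password_hash() in PHP emits the "$2y$" prefix while Koha writes "$2a$"; PHP verifies both, but nothing in this thread establishes that Koha's own check accepts a "$2y$" string, so keep the PHP side read-only against Koha's password column rather than writing hashes back. Second, hand password_verify() exactly the bytes the user typed (the same UTF-8 encoding the Koha login form sends), and remember that bcrypt only looks at the first 72 bytes of the password on both sides.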

Re: Password, hash, bcrypt

Jonathan Druart
Hello Rob,

Here is what you were looking for:

use Modern::Perl;
use Koha::AuthUtils;
use C4::Auth;
# Generate the hash (bcrypt with a freshly generated random salt)
my $hashed_pwd = Koha::AuthUtils::hash_password('Your password');
# Compare it with a new login: checkpw_hash takes the cost and salt from
# $hashed_pwd, re-hashes the candidate password and compares the result
my $login_pwd = 'Your password';
say C4::Auth::checkpw_hash( $login_pwd, $hashed_pwd );   # prints 1 (true)
my $wrong_pwd = 'wrong';
say C4::Auth::checkpw_hash( $wrong_pwd, $hashed_pwd );   # prints an empty line (false)

Regards,
Jonathan

On Thu 20 Feb 2020 at 20:06, robm <[hidden email]> wrote:


Re: Password, hash, bcrypt

robm
Hi Jonathan.
Thank you.
But tell me: is there some special reason for not using the PHP function? Because
it's working OK ...





Re: Password, hash, bcrypt

Jonathan Druart
If you are writing PHP code and the function works as you expect,
then use it :)

On Fri 21 Feb 2020 at 12:36, robm <[hidden email]> wrote:
