I need to SALT passwords, or HASH them, or Encrypt / Decrypt?
As far as I know that “SALT KEY” can be anything and should be kept secret for generating the random passwords. But now I’m just getting every time the same hashed/salted passwords for ALL users … pfff
Register Form
Get $password as cleartext and store it (Hashed, EncryptPassword, Salted???)?
You need the SHA thing
Your logic is right for both of the steps. What if you remove the SHA thing from your insert step - are the passwords still the same?
Also, you need to HASH the passwords, not ENCRYPT them. Encryption means the password can be decrypted.
Hashing works only one way. There is no way to extract the plain-text password.
I know that it works only one way. So I need to “compare” the entered value from the LOGIN password with the one which is “encrypted” in the DB… But anyway, with rainbow tables it would be possible to crack some of these passwords, especially MD5 / SHA1 etc… That’s why we need to go for SHA256 / SHA512 …
@Teodor and @nshkrsh okay it works like a charm… I just forgot that I typed every time the same password for newly registered users, so that was the reason why the hash was always the same
So amazing how it works over my whole website, with the login changed from cleartext to SHA256, without big changes. Thanks to that linked Security Provider and your good docs. Sometimes you don’t see the single tree if you work in a forest …
One question. Maybe @teodor or @Hyperbytes could help here as experienced DB freaks… As my project already has an existing user DB from the legacy project, I see these values here:
I’m wondering how to make a migration… ? I mean that $2y$10$ is every time at the beginning of all passwords, as I can see in the OLD DB structure. How could I handle that later? I mean I want users to maybe have the same login as on the old shitty project, so they can just log in to the new website. Any suggestions?
Or should I just add that strange $2y$10$ in front of my passwords?
There is no way for you to convert it. You need to use the old hashing method with the salt/key used there, or all users have to reset their password so that new hashes are generated.
You can get the salt from a query step, filtered by the user login (email/username) which he enters in the form, and store it in a variable, which you can use in the login step for the salt.
So before the login step add a database query step, set it up to return only the salt and set up the filter. Make sure the Output option is turned off. After it, add a repeat step, and this repeat step uses the query as an expression. Make sure the Output option is turned off here as well.
Inside the repeat step add a Set Value step - give it some name and as a value pick the salt returned. Output should be off here as well.
In the login step use the {{setvalueStepName}} as expression for the salt.