Password Encryption / Decryption

I’ve watched the videos https://www.dmxzone.com/go/32652/using-password-encryption-with-login and https://wapplerunwrapped.online/videoplayer.php?id=22 , and also searched around the forum, but the Register + Login steps aren’t neatly explained together… So this below is not clear to me :slight_smile:

Do I need to SALT passwords, or HASH them, or Encrypt / Decrypt them?

As far as I know, that “SALT KEY” can be anything and should be kept secret for generating the random passwords. But right now I’m getting the same hashed/salted password for ALL users every time … pfff

  1. Register Form
  2. Get $password as cleartext and store it (Hashed, EncryptPassword, Salted???) ?

Then Login step would be:

  1. Login Form
  2. Get $password and compare it to the stored value from the DB, and Encrypt or Hash or Salt it?


Maybe

Can you please check what value have you used in your insert user (register) server action for the password insert?

Here we go. Posted screens. I’m confused about the function “EncryptPassword / Encryptpassword” … or do I need the SHA 256 thing?

You need the SHA thing :slight_smile:
Your logic is right for both of the steps. What if you remove the SHA thing from your insert step - are the passwords again the same?

Watch this: https://www.learnwappler.com/creating-a-fully-secured-login-system-through-wappler/

Also, you need to HASH the passwords, not ENCRYPT them. Encryption means the password can be decrypted.
Hashing works only one way. There is no way to extract the plain-text password.


I know that it works only one way. So I need to “compare” the entered value from the LOGIN password with the one which is “encrypted” in the DB… But anyway, with rainbow tables it would be possible to crack some of these passwords, especially MD5 / SHA1 etc… That’s why we need to go for SHA256 / SHA512 …

@nshkrsh thanks for the link, will check it out

@Teodor and @nshkrsh okay, it works like a charm… I just forgot that I typed the same password every time for newly registered users, so that was the reason why the hash was always the same :smiley:

It’s amazing how it works across my whole website, with the login changed from cleartext to SHA256, without big changes. Thanks to that linked Security Provider and your good docs. Sometimes you don’t see the single tree when you work in a forest …


Great news it’s working, Freddy! :slight_smile:

@Teodor Maybe you got some ideas about my logging post ? :smiley:

One question. Maybe @teodor or @Hyperbytes could help here as experienced DB freaks… As my project already has an existing user DB from the legacy project, I see these values here:

OLD LEGACY USER DB :

I’m wondering how to do a migration… ? I mean that $2y$10$ is at the beginning of every password, as I can see in the OLD DB structure. How could I handle that later? I mean, I want users to keep the same login they had on the old shitty project, so they can just log in to the new website. Any suggestions?

Or should I just add that strange $2y$10$ in front of my passwords?

MY NEW USER DB:

The old legacy user DB doesn’t use SHA256 hashes; it looks like it uses a bcrypt encrypted hash. https://bcrypt-generator.com/


Hi Patrick. Thank you! What would you suggest then? Tell all the existing users to create a new password…?

There is no way for you to convert it. You need to use the old hashing method with the salt/key used there, or all users have to reset their password so that new hashes are generated.

My salt value is unique for each user, so how do I select this from the database rather than a set string?

Hello Ray,
You are referring to the login step, right?
Where do you store the salt? Is it in the same table where your users are stored?

Hi @Teodor,

Yes, that’s correct.

Previously I would do the following in Dreamweaver: strPassword = HashBytes('SHA2_512', [charSalt] + ?)

    ' Build the login query. The stored hash is SHA2_512(charSalt + password),
    ' computed by SQL Server's HashBytes over the per-user [charSalt] column,
    ' so the salt never has to leave the database during login.
    MM_loginSQL = "SELECT strEmail, strPassword"
    If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
    MM_loginSQL = MM_loginSQL & " FROM dbo.tblEmployees WHERE strEmail = ? AND strPassword = HashBytes('SHA2_512', [charSalt] + ?) AND intStatus = 1"
    Set MM_rsUser_cmd = Server.CreateObject("ADODB.Command")
    MM_rsUser_cmd.ActiveConnection = MM_Connection15201_STRING
    MM_rsUser_cmd.CommandText = MM_loginSQL
    ' Both placeholders are bound as adVarChar (200) input (1) parameters:
    ' param1 = email (max 250 chars), param2 = the submitted password (max 64 chars)
    MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 250, MM_valUsername) ' adVarChar
    MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 64, Request.Form("textfield2")) ' adVarChar
    MM_rsUser_cmd.Prepared = True
    Set MM_rsUser = MM_rsUser_cmd.Execute

Thanks,
Ray.

@Teodor, any info would be great on a solution to my salt values stored on the database.

Thanks.
Ray.

@raymantle

You can get the salt from a query step, filtered by the user login (email/username) which the user enters in the form, and store it in a variable, which you can then use in the login step as the salt.
So before the login step, add a database query step, set it up to return only the salt, and set up the filter. Make sure the Output option is turned off. After it, add a repeat step, and use the query as the expression for this repeat step. Make sure the Output option is turned off here as well.
Inside the repeat step, add a Set Value step, give it a name, and as its value pick the salt returned. Output should be off here as well.

In the login step use the {{setvalueStepName}} as expression for the salt.

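The three pieces of advice in this thread (hash rather than encrypt, look the per-user salt up by username before the login step, and verify legacy bcrypt rows with the old algorithm instead of "converting" them) fit together in one short flow. The Python below is an added example written for this page; it is not Wappler's code or anything posted above. It assumes an in-memory dict standing in for the users table, hashes as algo(salt || password) in the same shape as the thread's SHA256 setup and the legacy HashBytes('SHA2_512', charSalt + password), and takes a caller-supplied legacy_verify callable standing in for bcrypt.checkpw (the $2y$10$ prefix is bcrypt's own format; "10" is its cost), since bcrypt is not in the standard library.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed stand-in for the users table: username -> {"salt", "hash", "algo"}.
USERS: dict = {}


def make_salt() -> str:
    """Fresh random salt per user. It is stored beside the hash and is not a secret;
    its job is to make equal passwords hash differently across users."""
    return secrets.token_hex(16)


def hash_password(password: str, salt: str, algo: str = "sha256") -> str:
    """Hex digest of algo(salt || password), the same shape as the SHA256 setup in
    the thread and the legacy HashBytes('SHA2_512', charSalt + password)."""
    h = hashlib.new(algo)
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def register(username: str, password: str, db: dict = USERS) -> dict:
    """Register step: generate a per-user salt, store salt + hash, never the password."""
    salt = make_salt()
    db[username] = {"salt": salt, "hash": hash_password(password, salt), "algo": "sha256"}
    return db[username]


def get_salt(username: str, db: dict = USERS) -> Optional[str]:
    """The 'query step' before login: return only this user's salt, filtered by username."""
    row = db.get(username)
    return None if row is None else row.get("salt")


def legacy_scheme(stored_hash: str) -> Optional[tuple]:
    """Parse a modular-crypt prefix such as '$2y$10$...' into ('2y', 10).
    Returns None for the plain hex digests this app stores itself."""
    if not stored_hash.startswith("$"):
        return None
    parts = stored_hash.split("$")  # ['', '2y', '10', '<salt and hash>']
    if len(parts) < 4 or not parts[2].isdigit():
        return None
    return parts[1], int(parts[2])


def login(username: str, password: str, db: dict = USERS,
          legacy_verify: Optional[Callable[[str, str], bool]] = None) -> bool:
    """Login step: fetch the salt, recompute the hash, compare in constant time.
    A legacy bcrypt row can only be checked by the old algorithm (legacy_verify,
    assumed to wrap bcrypt.checkpw); on success it is re-hashed into the new scheme."""
    row = db.get(username)
    if row is None:
        # Spend the same hashing work for unknown usernames so response time alone
        # does not reveal which accounts exist; the result is discarded.
        hash_password(password, "0" * 32)
        return False
    if legacy_scheme(row["hash"]) is not None:
        # A SHA-2 digest can never equal a $2y$ string, so there is nothing to
        # convert: verify with the old algorithm, then migrate on the fly.
        if legacy_verify is None or not legacy_verify(password, row["hash"]):
            return False
        register(username, password, db)  # new salt + SHA-256 for this user
        return True
    candidate = hash_password(password, get_salt(username, db), row["algo"])
    return hmac.compare_digest(candidate, row["hash"])
```

Two users registering the same password get different rows because the salt differs, which is what the "same hash for all users" symptom earlier in the thread would have shown if the salt had been per user; re-hashing the same password with the same stored salt reproduces the stored hash, which is the comparison the login step performs.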