Using passwords with SHA256


#1

I have a user register form, which works absolutely fine when using a text password.
However, as soon as I add SHA256 onto the password inserted into the database, when you try and log on it gives unauthorised using the password.
Is there something on the login password field I need to add so it knows that it's SHA256? Or am I barking up the wrong tree?


#2

You should add the same sha256 formatter to the login input in the login step, using the same salt as the one used for the insert user step.

Also your database field needs to be able to store 64 characters.

Example:

Insert step:

Login step:


#3

Yeah, I have done that @Teodor, but I have an auto login form after a confirmation link which gets the password from the DB and auto logs in.
So I have added that and each time now it gives a 401 (Unauthorised).
Works fine when it's a text input.


#4

Is the password you are getting already the hashed version?


#5

so in the database it has the password masked for example: 95ad04efdbebc086303e93c557febd8ca9ba7346e83cadc30b7219fbcdc2d4ea

in the login form I have:
{{$_GET.password.sha256("Peter666!@!")}}

But still does not authorise me to get in


#6

I am a bit confused now, you said that:

Now you say:

Are you using a login form or no?


#7

If you have a look at https://wappler.buysellipsc.com.au/index.php

register yourself and it will send you an email. If you click that link it will confirm your address and then it should log you in automatically. But this is where it is falling over when I use SHA256.
Works fine when password is text.


#8

What steps and values are you using for this auto-login then?
If it “fails” when you are using sha256 for the auto login then some value somewhere is not the same as in the register action, where you save the hashed password in the database.
Please provide some screenshots where I can see:

  1. Register step password value
  2. Auto log in action steps
  3. Auto log in password value

#9

Hope that makes sense.


#10

What is your first screenshot showing exactly? What are both values there?
Where is the GET.password coming from on your second screenshot?


#11

If you are using the already hashed password from your database (by filtering the query and returning it) to auto-log users in, then you should not add sha256 to the login step … the password is already hashed.


#12

@Teodor that did, I took the SHA256 off the auto login input and it flies through… happy days :slight_smile:


#13

Right, it makes no sense to hash it again as the result will be totally different from the one stored in your db, and then the login will always fail.
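
The login paths discussed in this thread, modelled as an added Python example (not code from the thread or from Wappler): a form login that hashes the typed password, an auto-login fed the stored hash with and without the sha256 formatter, and a database field shorter than 64 characters. Assumptions: the salt is appended to the value before hashing, and `UserStore`, the salt, the e-mail address and the password are constructed for illustration.

```python
import hashlib
import hmac

SALT = "constructed-salt"  # constructed sample value, not the salt from the thread


def sha256_hex(value: str, salt: str = SALT) -> str:
    # Assumption: the salt is appended to the value before hashing.
    return hashlib.sha256((value + salt).encode("utf-8")).hexdigest()


class UserStore:
    """Hypothetical stand-in for the users table; column_width models the field size."""

    def __init__(self, column_width: int = 64):
        self.column_width = column_width
        self.rows = {}

    def register(self, email: str, password: str) -> None:
        # Insert step: hash once, then store (a too-short column truncates the digest).
        self.rows[email] = sha256_hex(password)[: self.column_width]

    def stored_hash(self, email: str) -> str:
        return self.rows[email]

    def login(self, email: str, credential: str, apply_sha256: bool) -> int:
        # Login step: apply_sha256 models the sha256 formatter on the login input.
        candidate = sha256_hex(credential) if apply_sha256 else credential
        stored = self.rows.get(email, "")
        ok = hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
        return 200 if ok else 401


def demo() -> dict:
    email, password = "user@example.test", "correct horse"  # constructed values
    db = UserStore()
    db.register(email, password)
    from_db = db.stored_hash(email)  # what the auto-login query returns
    short = UserStore(column_width=32)  # field too small for a 64-character digest
    short.register(email, password)
    return {
        "form_login_hashed": db.login(email, password, True),
        "form_login_unhashed": db.login(email, password, False),
        "auto_login_rehashed": db.login(email, from_db, True),
        "auto_login_as_is": db.login(email, from_db, False),
        "short_column": short.login(email, password, True),
    }
```

In the `auto_login_as_is` case the stored hash itself is what authenticates, so anyone who can read that column can log in with it.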