posted 10 years ago
Authentication
Last updated 1 year ago.
0

http://laravelsnippets.com/snippets/gradually-migrating-passwo...

For security reasons, I'd migrate to hashes instead of just logging them in.

Last updated 1 year ago.
0

mack-hankins said:

http://laravelsnippets.com/snippets/gradually-migrating-passwo...

For security reasons, I'd migrate to hashes instead of just logging them in.

Thanks for your response, Mack, but I already have a database with existing data (a big amount of data), and the passwords are encrypted in MD5, so I can't change the encryption to bcrypt because other desktop systems access the same data.

Last updated 1 year ago.
0

You should really upgrade. You can even do it transparently, and then, when a low number of users are left, just force a switch via a password reset email to them.

MD5 is also hashing, not encryption. Encryption means it can be decrypted back into plain text; hashing is one-way. It is also really fast to attack, which leaves your database open for easy picking if (when) it gets lifted.

Last updated 1 year ago.
0

Switching hashing algorithms can be done transparently:

  1. When a user logs in (i.e. you have the plain text), create two hashes: one MD5 hash and one SHA1 (or whatever) hash.
  2. Compare the hash in the database to BOTH of your generated hashes to see if the login credentials are correct.
  3. If they are correct, not only log the user in, but also upgrade their password field and set it to the new, better hash.

Users won't notice, and when they log in the next time they get the improved security automatically.

Last updated 1 year ago.
0

This is my solution, which doesn't need any plugin or extension.

http://stackoverflow.com/a/19398898/2272581

Last updated 1 year ago.
0

May I just add that neither MD5 nor SHA1 is considered a secure hash against brute-force attacks in the modern era, especially if you are not salting passwords.

Also, whilst the scheme of switching passwords transparently is attractive (I've been forced to do it once myself, also to migrate from MD5), there is the hidden danger of timing attacks against a user. Basically, you can almost always tell which hash was used just by the length of the string, since they have fixed-size outputs. If I provide a candidate password to the system whilst it's in transition, unless you're extremely careful about how you're comparing the password, the time you take to compare them can be significantly different depending on whether it's an MD5 password or not.

As @Langdi suggests, it's better to create both hashes all the time whilst switching. I'd add that you should compare to both hashes, even if the first one matches, and use a timing-attack-resistant hash comparison function like hash_compare().

Last updated 8 years ago.
0
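As an added example (not code from the thread, from Laravel, or from any poster): the transparent upgrade described in the three numbered steps above, combined with the advice in the last post to always compute both hashes and compare in constant time. It is plain PHP 7.1+ using password_hash()/password_verify() for bcrypt (the target the thread names) and hash_equals(), which is the timing-safe comparison function PHP actually ships, rather than Laravel's Hash facade. The in-memory $users array, the `password` column name, and bcrypt cost 12 are assumptions standing in for the real users table.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Plain PHP, no Laravel.
// The in-memory $users array, the `password` column and cost 12 are assumptions.

const LEGACY_MD5_HEX_LENGTH = 32;

/**
 * Check $password against a stored hash that is either a legacy unsalted MD5
 * hex digest or a password_hash() string. Both checks always run (a legacy row
 * still pays one bcrypt verification against a throwaway hash) and the legacy
 * digest is compared with hash_equals(), so response time does not reveal
 * which scheme an account is still on.
 *
 * Returns [bool $ok, ?string $upgradedHash]; $upgradedHash is set when the
 * caller must overwrite the stored value (MD5 row, or bcrypt with a cost
 * below the target).
 */
function verifyAndUpgrade(string $password, string $stored, int $cost = 12): array
{
    static $dummyBcrypt = null;
    if ($dummyBcrypt === null) {
        // Random throwaway hash: never matches a real password, exists only so
        // legacy rows spend the same bcrypt work as migrated rows.
        $dummyBcrypt = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => $cost]);
    }

    $isLegacy = strlen($stored) === LEGACY_MD5_HEX_LENGTH && ctype_xdigit($stored);

    // Legacy candidate is always computed; compared in constant time.
    $md5Candidate = md5($password);
    $legacyOk = $isLegacy && hash_equals(strtolower($stored), $md5Candidate);

    // Modern candidate is always verified (against the real hash or the dummy).
    $verifyResult = password_verify($password, $isLegacy ? $dummyBcrypt : $stored);
    $modernOk = !$isLegacy && $verifyResult;

    if (!($legacyOk || $modernOk)) {
        return [false, null];
    }

    // Rehash when still on MD5, or when the bcrypt cost is below the target.
    $needsUpgrade = $isLegacy || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    $newHash = $needsUpgrade ? password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]) : null;

    return [true, $newHash];
}

/**
 * Log in against the $users table and persist an upgraded hash on success,
 * i.e. step 3 of the procedure above ("upgrade their password field").
 */
function attemptLogin(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        // Unknown account: burn the same work as a legacy row so the response
        // time does not separate "no such user" from "wrong password".
        verifyAndUpgrade($password, str_repeat('0', LEGACY_MD5_HEX_LENGTH));
        return false;
    }

    [$ok, $newHash] = verifyAndUpgrade($password, $users[$email]['password']);
    if ($ok && $newHash !== null) {
        // In a real app: UPDATE users SET password = ? WHERE email = ?
        $users[$email]['password'] = $newHash;
    }
    return $ok;
}

// Constructed sample rows: one account still on MD5, one already on bcrypt.
$users = [
    'legacy@example.com' => ['password' => md5('correct horse')],
    'modern@example.com' => ['password' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 12])],
];

// Wrong password against the legacy row: rejected, row left untouched.
var_dump(attemptLogin($users, 'legacy@example.com', 'wrong'));
// Right password against the legacy row: accepted and the row is rewritten.
var_dump(attemptLogin($users, 'legacy@example.com', 'correct horse'));
// The legacy row now carries a bcrypt string ($2y$...), not a hex digest.
var_dump(substr($users['legacy@example.com']['password'], 0, 4));
// Second login of the same user is now verified purely via bcrypt.
var_dump(attemptLogin($users, 'legacy@example.com', 'correct horse'));
// Already-migrated row: no rewrite unless the cost is below the target.
var_dump(attemptLogin($users, 'modern@example.com', 'battery staple'));
```

Run with `php migrate_example.php`. Once the share of rows that are still 32-character hex digests is small, the remaining accounts can be forced through a password reset, as suggested earlier in the thread, and the legacy branch removed.
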
```php
/**
 * Legacy MD5 login lookup (the poster's approach): the plain-text password is
 * hashed with md5() and matched against the stored digest in the query itself.
 * Assumes a Laravel `User` Eloquent model and the `Auth` facade.
 *
 * @param array $credentials
 *
 * @return bool
 */
private function attempt($credentials)
{
    if ( ! isset($credentials['password']) || ! isset($credentials['email'])) {
        return false;
    }

    $user = User::whereEmail($credentials['email'])
                ->wherePassword(md5($credentials['password']))
                ->first();

    if ($user) {
        Auth::login($user);
    }

    // Return a boolean as documented, rather than the model or null.
    return $user !== null;
}
```
Last updated 8 years ago.
0

iMezied imezied Joined 3 Feb 2014