  1. #1
    SitePoint Guru mmarif4u

    Hashed passwords

    Hi,
    I am hashing the users' passwords.
    Now I have a system where users register and pay online. After confirmation, our admin sends
    the password to that user. The password is automatically created while the user is registering.
    So my question is: is there any possibility to send MD5 or other hashed passwords to users later, when payment
    is confirmed?
    I know that it's not possible. Is there any alternative for this kind of process,
    so that I make the user password secure and can also send it to users later?
    Note: I don't want to use two-way encryption.

    Thanks

  2. #2
    SitePoint Evangelist praetor
    It's possible, it's just a string... but why?!

  3. #3
    SitePoint Guru mmarif4u
    Quote, originally posted by praetor:
    It's possible,

    I did not get you.

  4. #4
    SitePoint Member
    How about you do this.

    1.) Person registers.
    a.) You generate a password: i.e. abcde12345
    b.) You send them the password.
    c.) You do md5() on the password, and store it in the database.
    2.) Person logs in.
    a.) You do md5() on the password they enter, and match it against the checksum stored in the database.

  5. #5
    SitePoint Guru mmarif4u
    Great idea.

    But the problem is not that. I want to store the MD5 password directly in the DB when the user registers.
    Now the problem is that maybe we will send the password to the user after 1 or 2 days.
    So now the password is already hashed; pulling out that password and sending it to the user is, I think, not possible.
    I need an alternative to the hashed system.

  6. #6
    SitePoint Evangelist praetor
    You store the hashed pwd as usual. Then you store it in a special table, you send the password after a period and then you delete it from the special table. I guess you want to send the password only once as a reminder of registration.

  7. #7
    SitePoint Enthusiast
    Why not just have an extra field on the user table indicating if they have paid or not... meaning
    1. User registers.
    2. You send them the password and md5() it to the db and make sure the record shows that they haven't paid yet.
    3. Admin confirms payment or whatever, then admin indicates on record that user paid; the user can get on with the password given.

  8. #8
    SitePoint Guru mmarif4u
    @praetor
    You mean to store the unhashed pass in a special table.
    If so, then it means that the user account is not secured again, because if somebody knows the DB login then he can change the user inputs, logging in to that user's area on the site.

    @focusedpixel
    Yeah, I have two tables for payment: one is to store the record about customer payment, and the other one is to store that the user is new; when our admin sends the pass to the user, that field becomes old.

    I do all these things, but the issue is hashing the pass.

  9. #9
    SitePoint Enthusiast
    If you don't want to store the password as plain text in another table for a couple of days, you could maybe try creating the mail with the plain text password before it's hashed, and use a script or include it in a cronjob to send the message after x hours. Just a thought.

    Hope this helps.

  10. #10
    SitePoint Guru mmarif4u
    Your idea is nice, but I think it's not a perfect solution.

  11. #11
    SitePoint Addict
    I assume that you are needing this to remind a user of their password in the event that they forget it. Is this correct?

    If so, there are three options that I can think of:

    Option 1: Store the password in plain text somewhere (which completely defeats the purpose of hashing it).

    Option 2: Use all of your server's resources to unhash the MD5 (yes, it is possible, it just takes some work).

    Option 3: Generate a new, randomised password, send that to the user via e-mail, and THEN hash the new password and overwrite the old one.

  12. #12
    SitePoint Enthusiast Chousho
    Quote, originally posted by TheAnarchist:
    I assume that you are needing this to remind a user of their password in the event that they forget it. Is this correct?

    If so, there are three options that I can think of:

    Option 1: Store the password in plain text somewhere (which completely defeats the purpose of hashing it).

    Option 2: Use all of your server's resources to unhash the MD5 (yes, it is possible, it just takes some work).

    Option 3: Generate a new, randomised password, send that to the user via e-mail, and THEN hash the new password and overwrite the old one.

    As far as I know, you can't unhash a hash. What most people do is use a rainbow table, which is a program that generates letters A-ZZZZZZ and checks the hashing of each one against the hash you're checking for.

    If you store a hashed password, theoretically you can't get the password back from the hash. If you encrypt the password, you could decrypt it and send it to the user. However, decryption isn't as secure as hashing, as far as what I have read.

    How about you don't generate the password or hash it until right before the email gets sent out? When the user account is made, some random string of text is set (so as to prevent anyone from logging in, as a random string has less chance of being a hash). When the user pays and gets their password, generate an actual password. Email them the password, and write the hash of it to the database.

  13. #13
    Keep it simple, stupid! bokehman
    Just send the password immediately and tell them in the same email the account will be activated once the payment can be confirmed. (This wouldn't be necessary if you were using a proper payment service). Then all you need is a flag in your main table that states whether or not the account is active.
    Last edited by bokehman; Jul 14, 2007 at 18:27.

  14. #14
    . shoooo... logic_earth
    Quote, originally posted by TheAnarchist:
    Option 2: Use all of your server's resources to unhash the MD5 (yes, it is possible, it just takes some work).

    It takes an array of supercomputers to even find a collision of an MD5 or SHA1 hash. To unhash is impossible. The only way to get the original data is to brute-force every possible combination and match the checksums. Or a rainbow table if it's unsalted. But no, you cannot actually unhash a hash.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  15. #15
    SitePoint Enthusiast Chousho
    Quote, originally posted by bokehman:
    Just send the password immediately and tell them in the same email the account will be activated once the payment can be confirmed. (This wouldn't be necessary if you were using a proper payment service). Then all you need is a flag in your main table that states whether or not the account is active.

    So something like

    PHP Code:
    CREATE TABLE `user` (
      `userid` int(11) NOT NULL auto_increment,
      `name` varchar(255) NOT NULL default '',
      `password` varchar(255) NOT NULL default '',
      `active` smallint(7) NOT NULL default '0',
      `salt` varchar(255) NOT NULL default '',
      PRIMARY KEY (`userid`) -- an auto_increment column must be a key
    );
    And then set active to 1 when they pay?

    And since I feel adventurous:
    PHP Code:
    <html>
    <body>
    <?php
    // $setvar must already hold the id of the user being updated; it is not set in this snippet.
    if (isset($_POST['paid'])) {
      // Force both values to integers before they go into the query.
      $paid = intval($_POST['paid']);
      $setvar = intval($setvar);
      // The statement is only built here; it still has to be run through the database layer.
      $sql = "UPDATE `user` SET `active` = '$paid' WHERE `userid` = '$setvar'";
      echo "User updated";
    }
    ?>
    <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
    <select name="paid">
        <option value="1">Active</option>
        <option value="2">Inactive</option>
    </select>
    <input type="submit" value="Update">
    </form>
    </body>
    </html>
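
    Added example, not part of any post in this thread: the flow suggested in posts #12, #13 and #15 (create the password only when it is about to be e-mailed, store nothing but its hash, gate login on the `active` flag). It swaps md5() plus a separate salt column for PHP's built-in password_hash()/password_verify(), and assumes PHP 7 or later; the in-memory $users array and the function names are hypothetical stand-ins for the `user` table.

```php
<?php
// Added illustration; $users stands in for the `user` table (hypothetical).
$users = [];

// Registration: no usable password exists yet and the account is inactive.
function register_user(array &$users, string $name): void {
    $users[$name] = ['password' => '', 'active' => 0];
}

// Payment confirmed: create the password now, store only its salted hash,
// and return the plain text once so it can be put into the e-mail.
function confirm_payment(array &$users, string $name): string {
    $plain = bin2hex(random_bytes(8));   // 16 hex characters from the CSPRNG
    $users[$name]['password'] = password_hash($plain, PASSWORD_DEFAULT);
    $users[$name]['active'] = 1;
    return $plain;
}

// Login: the account must be active and the attempt must match the hash.
function login(array $users, string $name, string $attempt): bool {
    if (!isset($users[$name]) || $users[$name]['active'] !== 1) {
        return false;                    // unknown user or payment not confirmed
    }
    return password_verify($attempt, $users[$name]['password']);
}

register_user($users, 'alice');                  // constructed sample user
var_dump(login($users, 'alice', ''));            // attempt before payment
$plain = confirm_payment($users, 'alice');       // admin confirms payment
var_dump(login($users, 'alice', $plain));        // attempt with the e-mailed password
var_dump(login($users, 'alice', 'wrong-guess')); // attempt with a wrong password
```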

  16. #16
    SitePoint Guru mmarif4u
    Thanks to all who participated here and dropped their valuable thoughts.

    @bokehman I like your idea; it's nice and easy to implement.
    Cheers mate.

