open.mp forum   ›   General   ›   Programming   ›   Having problems with SHA1 storing and loading password

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Having problems with SHA1 storing and loading password
Th3CrazzyRabbit
Burgershot Member
Joined: Apr 2020
Posts: 3

Reputation: 0

Location: Albania
#1
2020-04-18, 09:56 PM
Well to be honest its first time a costumer asked me for a SHa1 store and load from database as its not that safe anymore , myself i use bcrypt all the time.



However im trying to come together with this? login / signup system and at signup everything works perfectly , sha1 encrypts it and stores it to the database



Now the issue its the loading from database , even tho i write the same password it still doesnt work



this is the code from loading the Sha1



PHP Code:
$hashpass sha1($userpass);

 ? ? ? ? ? ? ? ?if (password_verify($hashpass$row['password']))

? ? ? ? ? ? ? ?{

? ? ? ? ? ? ? ? ? ?session_start();

? ? ? ? ? ? ? ? ? ?$_SESSION['userid'] = $row['Master_ID'];

? ? ? ? ? ? ? ? ? ?header("Location:../index.php?login:sucess");

? ? ? ? ? ? ? ?}

? ? ? ? ? ? ? ?else{

? ? ? ? ? ? ? ? ? ?header("Location:../login.php?error:wrongpassword");

? ? ? ? ? ? ? ? ? ?exit();

? ? ? ? ? ? ? ?} 







Storing



PHP Code:
$hashedpass sha1($password);

 ? ? ? ? ? ? ? ? ? ? ? ?mysqli_stmt_bind_param($stmt"sss"$username$email$hashedpass);

? ? ? ? ? ? ? ? ? ? ? ?mysqli_stmt_execute($stmt);

? ? ? ? ? ? ? ? ? ? ? ?header("Location:../index.php?Signup:Sucessful"); 





Help me pelase , i really need this.
  Reply
BigETI
open.mp Developer
*******
Joined: Feb 2019
Posts: 107

Reputation: 12

Location: Germany
#2
2020-04-18, 10:25 PM (This post was last modified: 2020-04-19, 11:40 AM by BigETI.)
You have three options:

1. Tell your customer to migrate to a safer users system

2. Tell your customer to fuck off

3. (not recommended at all) Actually read the documentation of `password_verify` to find out that it can't be used in that context. Do a string comparison of the stored hash and hashed input. This method is very unsafe and you are literally playing with user passwords. THIS IS NOT RECOMMENDED AT ALL!
[Image: github-samp-icon.png]
  Website
  Reply
Y_Less
Administrator
*******
Joined: Feb 2019
Posts: 337

Reputation: 105
#3
2020-04-18, 11:10 PM
Presumably your client hired you as an expert. In which case, tell them the problems and use a good system.
  Reply
Th3CrazzyRabbit
Burgershot Member
Joined: Apr 2020
Posts: 3

Reputation: 0

Location: Albania
#4
2020-04-18, 11:20 PM
To be honest i have told him 3 times not only once but he wants to stick with sha1 and there's nothing i can do , if thats what he wants i have to do it



i told him that even if his database gets leaked , theres websites online that can reverse the hash code so no idea , just help me out if you can
  Reply
Y_Less
Administrator
*******
Joined: Feb 2019
Posts: 337

Reputation: 105
#5
2020-04-19, 11:40 AM (This post was last modified: 2020-04-19, 11:40 AM by Y_Less.)
I'm not going to help you do a potentially dangerous thing. The problem isn't your job, or your client's lack of understanding. The problem is their customers using that system with no idea of how unsafe it is. They are the people I'm concerned about.
  Reply
Th3CrazzyRabbit
Burgershot Member
Joined: Apr 2020
Posts: 3

Reputation: 0

Location: Albania
#6
2020-04-19, 12:19 PM
Its okay , i've already canceled the work with him unless he updates the system to bcrypt , thank you.
  Reply


Forum Jump: