Anyx Posted November 23, 2022
7 hours ago, Mahtab Hassan said: nah I'm not going to add login system
Why, though? It would be useful. What has made you decide against it?
7 hours ago, TinkerMan said: SHA is not designed to encrypt passwords, you should use bcrypt or that other algorithm that starts with an a but I forget its name.
Argon2id?
hello (Author) Posted November 24, 2022
13 hours ago, Mahtab Hassan said: encryption key is only used in encrypting ssl files. MOFH-R also uses a salting system. Different hashing algorithms are used in MOFH-R. sha256 is used to encrypt passwords.
Can the encryption key be anything I want to put it as, or what is it for? What is the salt that is added to it? Every time I make an account with the same password, the hash is the same.
Mahtab Hassan Posted November 24, 2022
1 hour ago, hello said: Can the encryption key be anything I want to put it as, or what is it for? What is the salt that is added to it? Every time I make an account with the same password, the hash is the same.
If you compare your password hash with a normal sha256 hash of the same string used for your password, you will see the difference.
Mahtab Hassan Posted November 24, 2022
7 hours ago, Anyx said: Why, though? It would be useful. What has made you decide against it?
In Xera the admin account uses a session for being logged in, meanwhile the user account uses a cookie for being logged in. But in MOFH-R both accounts use a cookie and a role cookie as well, which will be overwritten if you log in as a user, and you will need to log out and log in again to access the admin panel.
hello (Author) Posted November 24, 2022
@Mahtab Hassan Can people hack it and use the cookie to log in? And is there no way to log in to the user's account? Or maybe you could change it to a session? Also, what is the salt? Where can I find it in the code if I wanted to change the salt?
Mahtab Hassan Posted November 24, 2022
27 minutes ago, hello said: @Mahtab Hassan Can people hack it and use the cookie to log in? And is there no way to log in to the user's account? Or maybe you could change it to a session? Also, what is the salt? Where can I find it in the code if I wanted to change the salt?
You can find it in app/config/constants.php
Mahtab Hassan Posted November 24, 2022
28 minutes ago, hello said: @Mahtab Hassan Can people hack it and use the cookie to log in? And is there no way to log in to the user's account? Or maybe you could change it to a session?
Nah, they can't hack it, but the system verifies that the login token matches the details given in the user account and verifies that the user has the same role defined in the cookie. When an admin logs in to a user account, the admin will automatically be logged out and logged in as the client account, but if the admin wants to log in to his own account he will need to log out first and log in to the admin account again.
hello (Author) Posted November 24, 2022
@Mahtab Hassan Would it be possible for you to make a button to sign into their account but log out of the admin? Because it would be better than nothing. Also, is this the salt line?
defined('HASH_SALT') OR define('HASH_SALT', 'salt');
And 'salt' is the salt that is added?
hello (Author) Posted November 24, 2022
I tried encrypting passwordsalt, saltpassword and salt:password; it didn't come out the same as the MOFH-R hashing result.
Mahtab Hassan Posted November 25, 2022
4 hours ago, hello said: I tried encrypting passwordsalt, saltpassword and salt:password; it didn't come out the same as the MOFH-R hashing result.
MOFH-R hashes a string at least 25 times. Each time it includes hashed_string and hash_salt, so the results would probably be different.
hello (Author) Posted November 25, 2022 (edited)
@Mahtab Hassan But is the salt 'salt'?
defined('HASH_SALT') OR define('HASH_SALT', 'salt');
'salt' is the default salt, right? And it's added at the front or back, am I right? And if I hash a password it comes out as 'somerandomhash' and then it hashes 'somerandomhash' to something else, am I right?
Edited November 25, 2022 by hello
Mahtab Hassan Posted November 25, 2022
1 hour ago, hello said: @Mahtab Hassan But is the salt 'salt'? defined('HASH_SALT') OR define('HASH_SALT', 'salt'); 'salt' is the default salt, right? And it's added at the front or back, am I right? And if I hash a password it comes out as 'somerandomhash' and then it hashes 'somerandomhash' to something else, am I right?
According to MOFH-R, when hashing the first time it will hash
$hash = hash('sha256', $string.':'.HASH_SALT);
After that the following code will run:
$hash = hash('sha256', $hash.':'.HASH_SALT);
This code will be repeated 24 times, and after that the function will return the last generated hash.
hello (Author) Posted November 27, 2022
On 11/25/2022 at 5:54 PM, Mahtab Hassan said: According to MOFH-R, when hashing the first time it will hash $hash = hash('sha256', $string.':'.HASH_SALT); After that the following code will run: $hash = hash('sha256', $hash.':'.HASH_SALT); This code will be repeated 24 times, and after that the function will return the last generated hash.
@Mahtab Hassan Is this correct? If the password is 'hello', for example, the hash would be
$hash = hello:salt
I think 'salt' is the default salt, am I right? Then the output would be
0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53
Then it will do
$hash = 0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53:salt
Then that process would be repeated 24 times.
-----------------------
Or is it
$hash = sha256hello:salt
Thanks
hello (Author) Posted November 27, 2022
@Mahtab Hassan I think I found out the pattern. I used Python to try the code and it came out with the same result. Thanks. Also, if I want to change the 24 times, where can I find that?
hello (Author) Posted November 27, 2022
@Mahtab Hassan I made some code to decrypt the hash somehow.
Mahtab Hassan Posted November 27, 2022
3 hours ago, hello said: @Mahtab Hassan Is this correct? If the password is 'hello', for example, the hash would be $hash = hello:salt. I think 'salt' is the default salt, am I right? Then the output would be 0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53. Then it will do $hash = 0b3dddae2edc23b7e9bbcab5a952481894a3b7f749aa1396a32c59b77ca3df53:salt. Then that process would be repeated 24 times. Or is it $hash = sha256hello:salt? Thanks
The one you described first is right.
Mahtab Hassan Posted November 27, 2022
2 hours ago, hello said: @Mahtab Hassan I think I found out the pattern. I used Python to try the code and it came out with the same result. Thanks. Also, if I want to change the 24 times, where can I find that?
In app/helpers/hash_helper.php
Mahtab Hassan Posted November 27, 2022
1 hour ago, hello said: @Mahtab Hassan I made some code to decrypt the hash somehow.
Can you tell me?
hello (Author) Posted November 27, 2022
@Mahtab Hassan Here? Well, it takes a long time. It tries all possible combinations, and when hash = targethash then I have found the password. People can't find out the pattern, though, if you have changed the stuff.
Mahtab Hassan Posted November 27, 2022
2 hours ago, hello said: @Mahtab Hassan Here? Well, it takes a long time. It tries all possible combinations, and when hash = targethash then I have found the password. People can't find out the pattern, though, if you have changed the stuff.
I see. It doesn't matter until the system is secure, and I thought I had already mentioned in the document to change the value of the salt to make the system more secure.
hello (Author) Posted November 27, 2022
7 hours ago, BastelPichi said: That's brute forcing, and if you have a decently long password, this is not an issue. Here you can check how long it would take to crack: https://www.security.org/how-secure-is-my-password/
@BastelPichi wow, somehow I managed to make brute force code by myself. I didn't know brute force was a thing.
hello (Author) Posted November 27, 2022
1 hour ago, Chronos said: 8 hundred quattuordecillion years... I am in very serious danger.
I never said it's bad, I'm just saying it's possible.
TinkerMan Posted November 28, 2022
26 minutes ago, Chronos said: Best of luck my friend
Are you challenging us? And @Mahtab Hassan, if you can make the password storage even more secure, like using PHP's password_hash(), that would be better.
Mahtab Hassan Posted November 28, 2022
2 hours ago, TinkerMan said: Are you challenging us? And @Mahtab Hassan, if you can make the password storage even more secure, like using PHP's password_hash(), that would be better.
Do not worry bro, I can make that, but currently I don't think there is any need to change the password encryption/hashing method because MOFH-R is not made to be used in a very large community. By the way, I'm learning Laravel and will soon implement something new and way more secure than the old client areas.
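Added example, not MOFH-R's own code and not posted by anyone in this thread. It is written in Python because that is what hello used to reproduce the pattern. The first half re-implements the iterated sha256 scheme Mahtab Hassan confirms above (sha256 of "password:HASH_SALT", then sha256 of "previous_hex:HASH_SALT" repeated 24 more times, 25 rounds in total); the constant name HASH_SALT and its default 'salt' come from the constants.php line quoted in the thread. The second half shows what TinkerMan is asking for: a random per-user salt and a slow derivation, so two accounts with the same password no longer share a hash. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, Argon2id or PHP's password_hash(); the iteration count, record format and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Default site-wide salt as quoted from app/config/constants.php in this thread:
#   defined('HASH_SALT') OR define('HASH_SALT', 'salt');
HASH_SALT = "salt"
# One initial hash plus the 24 repeats described in the thread = 25 rounds.
MOFHR_ROUNDS = 25


def mofhr_first_round(password: str, salt: str = HASH_SALT) -> str:
    """First step of the scheme: hex sha256 of "<password>:<HASH_SALT>"."""
    return hashlib.sha256(f"{password}:{salt}".encode()).hexdigest()


def mofhr_hash(password: str, salt: str = HASH_SALT, rounds: int = MOFHR_ROUNDS) -> str:
    """Python re-implementation of the iterated scheme described in the thread
    (assumption: this mirrors hash_helper.php; it is not the project's code).
    Every further round feeds the previous hex digest back in as "<hex>:<HASH_SALT>"."""
    digest = mofhr_first_round(password, salt)
    for _ in range(rounds - 1):
        digest = hashlib.sha256(f"{digest}:{salt}".encode()).hexdigest()
    return digest


# --- Hardened alternative ---------------------------------------------------
# hello's observation (same password -> same hash on every account) follows from
# HASH_SALT being one constant for the whole site. A password hash function
# fixes that with a random per-user salt plus a deliberately slow derivation.
# PBKDF2-HMAC-SHA256 is used here only because it needs no third-party package;
# bcrypt, Argon2id or PHP's password_hash() are the usual choices.
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example
SALT_BYTES = 16


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt is drawn for every call, so identical passwords
    produce different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the salt and iteration count stored in the record and
    compare in constant time. Malformed records simply fail verification."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed demo values, not data taken from the thread.
    print("site-wide salt, same password twice:", mofhr_hash("hello") == mofhr_hash("hello"))
    rec_a = make_password_record("hello")
    rec_b = make_password_record("hello")
    print("per-user salt, same password twice :", rec_a == rec_b)
    print("verify right / wrong password      :", verify_password("hello", rec_a), verify_password("hell0", rec_a))
```

Because the salt is stored inside each record, changing the work factor later only affects new records; old ones still verify with the iteration count they carry, which is the same property password_hash()/password_verify() give you in PHP.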
hello (Author) Posted November 28, 2022 (edited)
@Mahtab Hassan Hi, the SMTP test for MOFH-R is working, but the email templates aren't being sent, like when a user makes an account.
Edited November 28, 2022 by hello