Support the ongoing development of Laravel.io →
posted 10 years ago
Authentication
Last updated 2 years ago.
0

http://laravelsnippets.com/snippets/gradually-migrating-passwords-from-md5-to-laravels-hash

For security reasons, I'd migrate to hashes instead of just logging them in.

Last updated 2 years ago.
0

mack-hankins said:

http://laravelsnippets.com/snippets/gradually-migrating-passwords-from-md5-to-laravels-hash

For security reasons, I'd migrate to hashes instead of just logging them in.

thanks for your responding mack but I already I have database with an existing data (big amount of data) and the passwords are encrypted in md5, so I can't change the encryption to bcrypt because other desktop systems access the same data

Last updated 2 years ago.
0

You should really upgrade. You can even do it transparently and then when a low number of users are left, just force a switch via a reset password email to them.

MD5 is also hashing, not encrypting. Encryption means it can be decrypted back into plain-text, hashing is one-way. It is also really fast to attack, which leaves your database open for easy picking if (when) it gets lifted.

Last updated 2 years ago.
0

Switching hashing algorithms can be done transparently:

  1. When a user logs in (i.e. you have the plain text), create 2 hashes: one md5 hash and one sha1 (or whatever) hash.
  2. compare the hash in the database to BOTH of your generated hashes to see if login credentials is correct
  3. IF they are correct, not only log the user in, but upgrade their password field and set it to the new, better hash.

Users won't notice, and when they log in the next time they get the improved security automatically.

Last updated 2 years ago.
0

This is my solution, which don't need and plugin or extension.

http://stackoverflow.com/a/19398898/2272581

Last updated 2 years ago.
0

May I just add that both MD5 and SHA1 are not considered secure hashes against brute-force attacks in the modern era, especially if you are not salting passwords.

Also, whilst the scheme of switching passwords transparently is attractive (I've been forced to do it once myself, also to migrate from MD5), there is the hidden danger of timing attacks against a user. Basically, you can almost always tell which hash was used, just by the length of the string since they have fixed size outputs. If I provide a candidate password to the system whilst its in transition, unless you're extremely careful about how you're comparing the password, the time you take to compare them can be significantly different depending on whether its an MD5 password or not.

As @Langdi suggests, its better to create both hashes all the time whilst switching. I'd add that you should compare to both hashes, even if the first one matches and use a timing attack resistant hash comparison function like hash_compare().

Last updated 9 years ago.
0
/**
 * @param $credentials
 *
 * @return bool
 */
private function attempt($credentials)
{
    if ( ! isset( $credentials['password'] ) or ! isset( $credentials['email'] )) {
        return false;
    }

    $user = User::whereEmail($credentials['email'])
                ->wherePassword(md5($credentials['password']))
                ->first();

    if ($user) {
        Auth::login($user);
    }

    return $user;
}
Last updated 9 years ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

iMezied imezied Joined 3 Feb 2014

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 Laravel.io - All rights reserved.