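/**
 * Authenticate a user by e-mail address and password.
 *
 * Refuses the attempt when more than five failed logins were recorded for the
 * client IP in the last hour, records every failed attempt, and on success
 * stores the user's id, name, facility and usermask both in the session and
 * on this object.
 *
 * @param string $username e-mail address used as the login name
 * @param string $password plain-text password
 * @return array 'location' to redirect to, a 'status' message and a CSS 'class'
 */
public function logIn($username, $password)
{
    // Rate-limit requests by client IP.
    $numFailedRequests = $this->dbConn->queryCount(
        "SELECT COUNT(*) FROM `failed_logins` WHERE `ip` = "
        . $this->dbConn->quoteSmart($_SERVER['REMOTE_ADDR'])
        . " AND `date` > NOW() - INTERVAL 1 HOUR"
    );
    if ($numFailedRequests > 5) {
        return array("location" => "index.php", "status" => "You have had too many unsuccessful login attempts. Please wait awhile and try again.", 'class' => 'error');
    }

    $bcrypt = new Bcrypt();
    $findUsername = $this->dbConn->queryFirstRow(
        "SELECT `id`, `name`, `facility_id`, `usermask`, `password_hash` FROM `users` WHERE `email` = "
        . $this->dbConn->quoteSmart($username)
        . " LIMIT 1"
    );

    // Unknown e-mail and wrong password share one message and one failure path.
    // NOTE(review): log_failed_login() receives the submitted plaintext password;
    // confirm it does not persist it alongside the attempt.
    if (!$findUsername || !$bcrypt->verify($password, $findUsername['password_hash'])) {
        $this->dbConn->log_failed_login($username, $password);
        return array("location" => "index.php", "status" => "Could not log in with the supplied credentials.", 'class' => 'error');
    }

    // Update last IP address (the query result was previously assigned to an unused local).
    $this->dbConn->stdQuery(
        "UPDATE `users` SET `last_ip` = " . $this->dbConn->quoteSmart($_SERVER['REMOTE_ADDR'])
        . " WHERE `id` = " . intval($findUsername['id']) . " LIMIT 1"
    );

    // Issue a fresh session id on privilege change so an id fixed before
    // login cannot be reused for the authenticated session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['id'] = $findUsername['id'];
    $_SESSION['name'] = $findUsername['name'];
    $_SESSION['facility_id'] = $findUsername['facility_id'];
    $_SESSION['usermask'] = $findUsername['usermask'];

    $this->id = intval($findUsername['id']);
    $this->facility['id'] = intval($findUsername['facility_id']);
    $this->usermask = intval($findUsername['usermask']);

    return array("location" => "main.php", "status" => "Successfully logged in.", 'class' => 'success');
}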
/**
 * A hash created with the default cost must verify, and must not be flagged
 * for rehashing when checked against that same default cost.
 */
function testDontNeedRehash()
{
    $hasher = new Bcrypt();
    $digest = $hasher->hash('test');

    $this->assertEquals(true, $hasher->verify('test', $digest));
    $this->assertEquals(false, $hasher->needsRehash($digest, $hasher->getCost()));
}
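/**
 * Validate the user password against a stored hash.
 *
 * @author Arvind Singh
 * @access public
 *
 * @param string $password Plain-text password to check
 * @param string $hash     Stored hash to compare against
 *
 * @return boolean true when the password matches; false otherwise, including
 *                 when $this->method is not one of md5, sha1 or bcrypt
 */
public function verify($password, $hash)
{
    if ($this->method == 'md5') {
        // hash_equals() is strict and constant-time; '==' would treat two
        // numeric-looking digests ("0e...") as equal numbers.
        return hash_equals((string) $hash, md5($this->salt . $password));
    }
    if ($this->method == 'sha1') {
        return hash_equals((string) $hash, sha1($this->salt . $password));
    }
    if ($this->method == 'bcrypt') {
        $bcrypt = new Bcrypt();
        $bcrypt->setCost(14);
        return $bcrypt->verify($password, $hash);
    }
    // Unknown method: the original fell through and returned null.
    return false;
}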
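/**
 * Handle the login form POST: verify the submitted password against the
 * stored hash for the given username, then show the main page on success or
 * the login page with an error message on failure.
 */
public function doPostAction()
{
    // Default missing fields to '' so a partial POST fails verification
    // instead of raising undefined-index notices.
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $bcrypt = new Bcrypt(15);
    if ($bcrypt->verify($password, $this->User->getUserPassword($username))) {
        // Fresh session id on privilege change so a pre-login id cannot be reused.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['username'] = $username;
        $this->sendMainPage();
    } else {
        $this->setMessage('Data login Anda salah!');
        $this->sendLoginPage();
    }
}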
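/**
 * Handle the super-admin change-password form: re-check the current password,
 * require the two new-password fields to agree, then store the new bcrypt hash.
 * The outcome is reported through setMessage(); the view is always
 * admin/change_password.
 */
public function doPostAction()
{
    $bcrypt = new Bcrypt(15);
    $this->setView('admin/change_password');
    // Default missing fields to '' so a partial POST fails the checks instead
    // of raising undefined-index notices.
    $oldPassword = isset($_POST['old_password']) ? $_POST['old_password'] : '';
    $newPassword = isset($_POST['new_password']) ? $_POST['new_password'] : '';
    $newPasswordVerification = isset($_POST['new_password_verification']) ? $_POST['new_password_verification'] : '';
    try {
        $username = $this->Setting->getSuperAdminUserName();
        $oldPasswordOk = $bcrypt->verify($oldPassword, $this->User->getUserPassword($username));
        // NOTE(review): an empty new password is accepted as long as both
        // fields agree; consider rejecting '' here.
        if ($oldPasswordOk && $newPassword === $newPasswordVerification) {
            $superuser = array('username' => $username, 'password' => $bcrypt->hash($newPassword));
            $this->User->updateRecord($superuser);
            $this->setMessage('Password berhasil diganti.');
        } else {
            // One message covers both a wrong current password and mismatched new passwords.
            $this->setMessage('Password yang Anda masukkan tidak sama!');
        }
    } catch (Exception $e) {
        $this->setMessage('Password gagal diganti: ' . $e->getMessage());
    }
}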
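<?php
$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash('password');
$isGood = $bcrypt->verify('password', $hash);

/**
 * Thin bcrypt wrapper around crypt() for use inside CodeIgniter.
 * getSalt() (below, continues past this excerpt) supplies the "$2..$" salt
 * string that selects the Blowfish algorithm and cost.
 */
class Bcrypt
{
    /** CodeIgniter super-object obtained from get_instance(). */
    private $_ci;

    /** bcrypt cost; declared so the constructor does not create a dynamic property. */
    private $rounds;

    /**
     * @param int $_ci bcrypt cost (the parameter name is kept for callers; it is not the CI instance)
     * @throws Exception when this PHP build has no Blowfish crypt() support
     */
    public function __construct($_ci = 12)
    {
        if (CRYPT_BLOWFISH != 1) {
            throw new Exception("bcrypt not supported in this installation. See http://php.net/crypt");
        }
        $this->_ci =& get_instance();
        $this->rounds = $_ci;
    }

    /**
     * Hash a plain-text input.
     *
     * @param string $input
     * @return string|false the hash, or false when crypt() returned a failure marker
     */
    public function hash($input)
    {
        // getSalt() is a private method of this class; the original called it
        // on the CI instance ($this->_ci->getSalt()), which does not define it.
        $hash = crypt($input, $this->getSalt());
        // crypt() signals failure with a short "*0"/"*1" string.
        if (strlen($hash) > 13) {
            return $hash;
        }
        return false;
    }

    /**
     * Check a plain-text input against an existing hash.
     *
     * @param string $input
     * @param string $existingHash
     * @return bool
     */
    public function verify($input, $existingHash)
    {
        $hash = crypt($input, $existingHash);
        // Constant-time comparison instead of '===' so the compare does not
        // leak how many leading bytes matched.
        return hash_equals((string) $existingHash, (string) $hash);
    }

    private function getSalt() {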
/**
 * Hash a plain-text password with bcrypt (cost 15) and sanity-check the result.
 *
 * @param string $plaintextpwd
 * @return string|false the hash, or false if the freshly made hash does not verify
 */
public function hash_password($plaintextpwd)
{
    $hasher = new Bcrypt(15);
    $digest = $hasher->hash($plaintextpwd);

    // Round-trip check guards against a broken crypt() yielding a bogus digest.
    return $hasher->verify($plaintextpwd, $digest) ? $digest : false;
}
/**
 * Given a cleartext password and a hash, determine if the
 * given password and hash match.
 *
 * @param string $cleartext  cleartext password
 * @param string $storedHash a previously-generated hash of that password
 * @return bool true if the password and the hash are paired
 * @see ApplicationHelper::hashPassword
 */
public static function verifyPassword($cleartext, $storedHash)
{
    // The application-wide value from config('auth.salt') is appended before
    // hashing, so hashPassword() must do the same for the pair to match.
    // NOTE(review): bcrypt ignores input past 72 bytes, so with a long password
    // the appended salt may fall outside the hashed range — confirm against
    // the Bcrypt implementation in use.
    $peppered = $cleartext . config('auth.salt');
    $hasher = new Bcrypt(12);

    return $hasher->verify($peppered, $storedHash);
}
if (!mysql_query($sql)) { echo json_encode(array('ok' => false, 'error' => mysql_error(), 'step' => '5.1')); exit; } } if ($key) { $saved_email = $email; $sql = sprintf('UPDATE ownership SET `key`="%s" WHERE `name`="%s"', mysql_real_escape_string($bcrypt->hash($key)), mysql_real_escape_string($name)); if (!mysql_query($sql)) { echo json_encode(array('ok' => false, 'error' => mysql_error(), 'step' => '5.2')); exit; } } // (2.2) check bcrypt passsowrd matches } else { if ($bcrypt->verify($key, $hashed)) { // otherwise username & password were okay, update their details (including email addy) $ok = true; $sql = sprintf('UPDATE ownership SET `last_login`=NOW() WHERE `name`="%s"', mysql_real_escape_string($name)); // (2.2.1) logged in, also update their email address if ($email && $home) { $sql = sprintf('UPDATE ownership SET `email`="%s", `last_login`=NOW() WHERE `name`="%s"', mysql_real_escape_string($email), mysql_real_escape_string($name)); $saved_email = $email; } if (!mysql_query($sql)) { echo json_encode(array('ok' => false, 'error' => mysql_error(), 'step' => '2.2.1')); exit; } } else { // (2.3) found username, but the password didn't match if ($email && !$home) {
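/**
 * Verify a password against a stored hash, accepting either a bcrypt hash
 * (password_verify() on PHP >= 5.3.7, else the bundled Bcrypt class) or a
 * legacy unsalted sha1 hash.
 *
 * @param string $password plain-text password
 * @param string $hash     stored hash (bcrypt, or legacy sha1 hex digest)
 * @return bool
 */
function osc_verify_password($password, $hash) {
    $hash = (string) $hash;
    // Legacy fallback: unsalted sha1. The original used '==', under which two
    // numeric-looking digests ("0e...") compare equal; compare strictly, in
    // constant time where hash_equals() exists.
    $legacyMatch = function_exists('hash_equals')
        ? hash_equals($hash, sha1($password))
        : (sha1($password) === $hash);
    if (version_compare(PHP_VERSION, '5.3.7') >= 0) {
        return password_verify($password, $hash) ? true : $legacyMatch;
    }
    require_once LIB_PATH . 'Bcrypt.php';
    if (CRYPT_BLOWFISH == 1) {
        $bcrypt = new Bcrypt(BCRYPT_COST);
        return $bcrypt->verify($password, $hash) ? true : $legacyMatch;
    }
    return $legacyMatch;
}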
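case "login":
    test_csrf();
    // Default missing fields to '' so a partial POST fails verification
    // instead of raising undefined-index notices.
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    // $frase is a site-wide prefix mixed into the password before hashing.
    $secret = $frase . $pass;
    $gen = new Bcrypt(12);
    $pdo2 = new crud();
    $pdo2->conn();
    $stmt = $pdo2->db->prepare("select * FROM userronin WHERE login = ? ");
    $stmt->bindValue(1, $user, PDO::PARAM_STR);
    $stmt->execute();
    $res = $stmt->fetchAll();
    // The original compared verify()'s bool with the string "false" (false == "false"
    // is never true), so the failure branch could not run, and it passed a freshly
    // computed hash as the password. Verify the secret itself, and treat an
    // unknown login the same as a wrong password.
    // NOTE(review): assumes the stored `pass` column holds $gen->hash($frase . $pass)
    // as produced at registration — confirm.
    if (empty($res) || !$gen->verify($secret, $res[0]['pass'])) {
        print "<img src=\"../view/images/alerta.png\">\n <h1>ERROR at auth 05</h1> \n <meta HTTP-EQUIV='refresh' CONTENT='2; URL=../view/login.php'>";
        exit;
    }
    // The matched row; the original read $r without assigning it here.
    $r = $res[0];
    // Populate the session only after the credentials are verified, on a fresh id.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['userronin'] = $user;
    $bcrypt_hash = $gen->hash($secret);
    $_SESSION['passronin'] = $bcrypt_hash;
    $janela = ' <div class="portlet portlet-closable x4"> <div class="portlet-header"> <h4>Login manager</h4> </div> <!-- .portlet-header --> <div class="portlet-content"> ';
    $var = "<p><b>Login:</b>" . $r['login'] . " <br> <b>owner:</b>" . $r['owner'];
    $bemvindo = "Welcome to Ooze tool</p>";
    $values = array('last_ip' => "???"); //fix it
    $crud->Update('userronin', $values, 'id', $r['id']);
    $page->conteudo = $janela . " <br>" . $bemvindo . "<meta HTTP-EQUIV='refresh' CONTENT='1; URL=auth.php?page=conta'></div></div>";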
<?php if (ini_get('register_globals')) { exit("<center><h3>Error: Turn that damned register globals off!</h3></center>"); } if (!defined('CAN_INCLUDE')) { exit("<center><h3>Error: Direct access denied!</h3></center>"); } if (isset($_POST['password'])) { require ROOT . 'include/func_crypt_random.php'; require ROOT . 'include/class_bcrypt.php'; $bcrypt = new Bcrypt(12); require 'password.php'; if ($bcrypt->verify($_POST['password'], $hash)) { $_SESSION['auth'] = true; } else { echo '<span style="color: red">Entered password was wrong!</span><br><br>'; } } if (!isset($_SESSION['auth'])) { if (!file_exists('password.php')) { echo 'password.php not found<br>'; echo 'first <a href=gen_pass_hash.php>create a password</a>'; exit; } else { require 'password.php'; if ($hash === '') { return; } require ROOT . 'include/login_form.php'; exit;
/**
 * Development helper: hash a fixed list of sample passwords with bcrypt
 * (cost 12) and print each password, its hash and the verify() round-trip
 * result as raw HTML via print_r. Nothing is returned.
 */
public function actionPass()
{
    $hasher = new Bcrypt(12);
    $samples = array('xaby', 'marina', 'arturo', 'dani', 'pedro', 'manu', 'rober', 'marcos', 'alex', 'samu');
    foreach ($samples as $sample) {
        $digest = $hasher->hash($sample);
        $ok = $hasher->verify($sample, $digest);
        echo '<pre>';
        print_r(array('pass' => $sample, 'hash' => $digest, 'check' => $ok));
        echo '</pre>';
    }
}
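// Resolve the submitted identifier ($unvalue) to a login_user column: username first, then e-mail.
// NOTE(review): $unvalue is interpolated directly into both SQL strings; unless db_get()
// escapes its argument, this is injectable — prefer a parameterised query if the API allows.
$emailmatches = db_get("SELECT 1 FROM login_user WHERE upper(email) = upper('{$unvalue}')", 'column');
if (!empty($unmatches[1])) {
    $field = 'username';
} elseif (!empty($emailmatches[1])) {
    $field = 'email';
} else {
    // The message is rendered as HTML, so escape the user-supplied value to avoid reflected XSS.
    $form->errors[] = "No user found with username or email <strong>" . htmlspecialchars($unvalue, ENT_QUOTES, 'UTF-8') . "</strong>";
    $form->valid = false;
}

if (isset($field)) {
    $userrow = db_get("SELECT * FROM login_user WHERE upper({$field}) = upper('{$unvalue}')", 'row');
    $passhashvalue = $userrow[0]['PASS'];
    $bcrypt = new Bcrypt(15);
    $isGood = $bcrypt->verify($_REQUEST['password'], $passhashvalue);
    if ($isGood) {
        $form->successMessage = "Successfully logged on! If you are not redirected, please <a href='welcome.php'>click here</a>";
        $user = new LoginUser();
        $user->setFromArray($userrow[0]);
        $user->sessionSet();
        // NOTE(review): confirm referring_page is only ever set to a local path, otherwise
        // this becomes an open redirect.
        $redirect = "welcome.php";
        if (isset($_SESSION["referring_page"]) && $_SESSION["referring_page"] != $_SERVER['REQUEST_URI']) {
            $redirect = $_SESSION["referring_page"];
        }
        header("Location: {$redirect}");
    } else {
        $form->errors[] = "Wrong password";
        $form->valid = false;
    }
}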
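/**
 * Validate a password for this account
 * @since Version 3.8.7
 * @param string $password
 * @param string|false $username username to validate against when this object is not populated
 * @return boolean true when the password matches the stored hash; false otherwise
 * @throws Exception when no password or user is supplied, the supplied username does not
 *                   match this object, or the account is temporarily locked after repeated failures
 */
public function validatePassword($password = false, $username = false)
{
    /**
     * Check for a valid password
     */
    if (!$password || empty($password)) {
        throw new Exception("Cannot validate password - no password was provided");
    }

    /**
     * Check for a supplied username or if this object is populated
     */
    if ((!$username || empty($username)) && (!filter_var($this->id, FILTER_VALIDATE_INT) || $this->id < 1)) {
        throw new Exception("Cannot validate password for user because we don't know which user this is");
    }

    /**
     * Check if a supplied username matches the username in this populated object
     */
    if ($username && !empty($username) && !empty($this->username) && $this->username != $username) {
        throw new Exception("The supplied username does not match the username given for this account. Something dodgy's going on...");
    }

    /**
     * Create a temporary instance of the requested user for logging purposes
     */
    $TmpUser = filter_var($this->id, FILTER_VALIDATE_INT) ? new User($this->id) : new User($username);

    /**
     * Get the stored password for this username.
     * Initialised to null so the comparison below cannot read undefined locals
     * when neither branch applies.
     */
    $stored_user_id = null;
    $stored_password = null;
    $stored_password_bcrypt = null;
    if ($username && !empty($username) && empty($this->username)) {
        $query = "SELECT user_id, user_password, user_password_bcrypt FROM nuke_users WHERE username = ?";
        $row = $this->db->fetchRow($query, $username);
        if (is_array($row)) {
            $stored_user_id = $row['user_id'];
            $stored_password = $row['user_password'];
            $stored_password_bcrypt = $row['user_password_bcrypt'];
        }
    } elseif (!empty($this->password)) {
        $stored_user_id = $this->id;
        $stored_password = $this->password;
        $stored_password_bcrypt = $this->password_bcrypt;
    }

    /**
     * Check if the invalid auth timeout is in effect
     */
    if (isset($TmpUser->meta['InvalidAuthTimeout'])) {
        if ($TmpUser->meta['InvalidAuthTimeout'] <= time()) {
            unset($TmpUser->meta['InvalidAuthTimeout']);
            unset($TmpUser->meta['InvalidAuthCounter']);
            $TmpUser->commit();
            $this->refresh();
        } else {
            $TmpUser->addNote("Login attempt while InvalidAuthTimeout is in effect");
            throw new Exception("You've attempted to log in with the wrong password too many times. We've temporarily disabled your account to protect it against hackers. Please try again soon. <a href='/account/resetpassword'>Can't remember your password?</a>");
        }
    }

    /**
     * Load the BCrypt class
     */
    require_once "includes/bcrypt.class.php";
    $BCrypt = new \Bcrypt(RP_BCRYPT_ROUNDS);

    /**
     * Strip excess whitespace from the password
     */
    $password = trim($password);

    /**
     * Try to validate the password.
     * The original wrote `$stored_password = md5($password)` (an assignment, not a
     * comparison) inside this condition, so any account without a bcrypt hash
     * accepted every password. hash_equals() gives a strict, constant-time
     * comparison of the legacy md5 digest.
     */
    $legacyMatch = empty($stored_password_bcrypt)
        && hash_equals((string) $stored_password, md5($password));
    $bcryptMatch = !empty($stored_password_bcrypt)
        && $BCrypt->verify($password, $stored_password_bcrypt);
    if ($legacyMatch || $bcryptMatch) {
        /**
         * Password validated! If we haven't populated this user object, do it now
         */
        if (!filter_var($this->id, FILTER_VALIDATE_INT)) {
            $this->load($stored_user_id);
        }

        /**
         * No bcrypt password - set it
         */
        if (empty($stored_password_bcrypt)) {
            $this->setPassword($password);
        }

        /**
         * Reset the InvalidAuthCounter
         */
        unset($this->meta['InvalidAuthCounter']);
        unset($this->meta['InvalidAuthTimeout']);
        $this->commit();

        return true;
    }

    /**
     * Unsuccessful login attempt - bump up the invalid auth counter
     */
    if (!isset($TmpUser->meta['InvalidAuthCounter'])) {
        $TmpUser->meta['InvalidAuthCounter'] = 0;
    }
    $TmpUser->meta['InvalidAuthCounter']++;
    $TmpUser->addNote(sprintf("Invalid login attempt %d", $TmpUser->meta['InvalidAuthCounter']));
    $TmpUser->commit();
    $this->refresh();

    if ($TmpUser->meta['InvalidAuthCounter'] == 3) {
        $TmpUser->meta['InvalidAuthTimeout'] = strtotime("+10 minutes");
        $TmpUser->addNote("Too many invalid login attempts - account disabled for ten minutes");
        $TmpUser->commit();
        $this->refresh();
        throw new Exception("You've attempted to log in with the wrong password too many times. As a result, we're disabling this account for the next ten minutes. <a href='/account/resetpassword'>Can't remember your password?</a>");
    }

    $this->reset();

    return false;
}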
$bcrypt->hash($password); } function password_verify($password, $hash) { $bcrypt->verify($password, $hash); } if (isset($_GET['debug'])) { $debug = 1; $hash = $bcrypt->hash($_GET['debug']); } else { $debug = 0; } if ($debug) { echo "<fieldset><legend>Should return 1</legend>"; echo $hash . "<br>"; $isGood = $bcrypt->verify($_GET['debug'], $hash); echo "→ " . $isGood; echo "</fieldset>"; echo "<fieldset><legend>Should return 0</legend>"; echo $hash . "<br>"; $hash = "sdfsdf"; $isGood = $bcrypt->verify($_GET['debug'], $hash); echo "→ " . $isGood; echo "</fieldset>"; if (isset($_GET['compare'])) { $hash = $_POST['compare']; echo "<fieldset><legend>Manual comparison</legend>"; echo '<form action="" method="post">'; echo "<input type='text' name='compare' />"; echo "<input type='submit'/>"; echo '</form>';
/**
 * Check whether the given password matches the hash stored in $this->pass.
 *
 * @param string $clave password to check
 * @return bool true when the password matches the stored hash
 */
public function comprobarClave($clave)
{
    $hasher = new Bcrypt(self::BCRYPT_ROUNDS);

    return $hasher->verify($clave, $this->pass);
}
/**
 * Convenience wrapper for verifying a plain-text password against a stored
 * Bcrypt hash.
 *
 * @see Bcrypt::verify()
 *
 * @param string $plainText      The plain-text password to verify.
 * @param string $hashedPassword The stored hash.
 * @return bool True if the password matches; false otherwise.
 */
function verify($plainText, $hashedPassword)
{
    // Prefix and cost are embedded in the stored hash, so Bcrypt needs no options here.
    $hasher = new Bcrypt();

    return $hasher->verify($plainText, $hashedPassword);
}