CodeIgniter Forums
Trying to use sha1 and encryption key together on post - Printable Version




Trying to use sha1 and encryption key together on post - El Forum - 07-11-2014

[eluser]Unknown[/eluser]
Hi guys, I hope you can help me,

I am in the process of changing our membership structure over, but the original code has the members' passwords encrypted using the following.

    function prep_password($password)
    {
        return sha1($password . $this->config->item('encryption_key'));
    }

I would like to use the following input boxes for members to update their password, and I'm just struggling to get the encryption to match with the existing password.

    public function add_user()
    {
        $data = array(
            'username' => $this->input->post('user_name'),
            'email'    => $this->input->post('email_address'),
            // Hashed with sha1() only; the encryption_key is not appended here
            'password' => sha1($this->input->post('password', TRUE))

            //$password => $this->input->post('password '),
        );
        $this->db->insert('userTest', $data);
    }

Any help would be much appreciated.

Cheers


Trying to use sha1 and encryption key together on post - El Forum - 07-11-2014

[eluser]joergy[/eluser]
Didn't you forget your "salt": $this->config->item('encryption_key') ???


Trying to use sha1 and encryption key together on post - El Forum - 07-11-2014

[eluser]CroNiX[/eluser]
In addition to what joergy mentioned, I wouldn't use sha1 for hashing passwords. Period.


Trying to use sha1 and encryption key together on post - El Forum - 07-11-2014

[eluser]Tim Brownlaw[/eluser]
Just as a suggestion...

With existing members registered with their passwords using Encryption Method A (EC-A), and you wanting to switch them over to Encryption Method B (EC-B), you could look at doing this when they log in, i.e. when they are providing their typed-in (non-encrypted) password...

1. Test the password using EC-A...
   If that passes... take the password they offered and encrypt and save it using EC-B.
2. If it fails the EC-A test, perform the EC-B test (they may have already changed their password).
   Else - "thanks for coming but I ain't letting you in...."

And they'll change over silently behind the scenes as each member logs in...

For those that never log in... well, they ain't using the system anyway...

It does depend on getting everyone to log in, without creating any potential mass hysteria regarding - "Hey, your passwords ain't that secure on our system, can you please log in to change them...".

Just something to help get the brain juices flowing on that part of it.

Cheers
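
The login-time migration described in the post above, as an added example that is not code from the thread or from CodeIgniter. It assumes EC-A is the sha1($password . $key) scheme from the first post and EC-B is PHP's password_hash(); it picks the test by the stored hash's format rather than trying EC-A first, and legacy_hash(), verify_and_migrate(), $save and the sample data are hypothetical names and constructed values.

```php
<?php
// EC-A: the legacy scheme from the first post (assumed to be what is stored today).
function legacy_hash($password, $key)
{
    return sha1($password . $key);
}

// Returns true when the login succeeds. $user is a row with a 'password'
// column; $save is a callback that persists a new hash for that user.
function verify_and_migrate(array $user, $password, $key, callable $save)
{
    $stored = $user['password'];

    // A 40-character lowercase hex string is a legacy sha1 digest (EC-A).
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        // hash_equals() compares in constant time (PHP 5.6+).
        if (!hash_equals($stored, legacy_hash($password, $key))) {
            return false;
        }
        // EC-A passed: re-hash the plaintext just supplied with EC-B and save it.
        $save(password_hash($password, PASSWORD_DEFAULT));
        return true;
    }

    // Otherwise the record has already been migrated (EC-B).
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Keep EC-B hashes current if the default algorithm or cost changes later.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $save(password_hash($password, PASSWORD_DEFAULT));
    }
    return true;
}

// Constructed sample data: one member who has not been migrated yet.
$key  = 'constructed-example-key';
$user = array('password' => legacy_hash('hunter2', $key));
$save = function ($hash) use (&$user) { $user['password'] = $hash; };

var_dump(verify_and_migrate($user, 'hunter2', $key, $save)); // first login, migrates
var_dump(strlen($user['password']) !== 40);                  // stored value is no longer sha1
var_dump(verify_and_migrate($user, 'hunter2', $key, $save)); // second login, EC-B path
var_dump(verify_and_migrate($user, 'wrong', $key, $save));   // bad password
```

The password column has to be wide enough for the new hashes before this is switched on; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.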