Using PasswordEncoder i have encoded password as following:
String encryptedPass = passwordEncode.encode(password,salt);
I want to decrypt it.
Because, i want user password in string format for give him login to paypal account.
How do I do that (if at all possible)?
Related
I am facing issue while creating/updating password in grails 3.x.x Application. Whenever i try to enter any special case lets say "#" it encodes only this special character in password field.
Password value is coming from request body.
Example:
Real password : abc#555
Auto Encoded password : abc%40555
Grails by default uses a plugin that uses bcrypt algorithm to hash passwords for security.There are some configurable password hashing attributes. You can customize the password plugin with the grails.plugin.springsecurity.password.algorithm attribute.
I used grails acl security. I wanted to change or edit password of a user after logging as an admin. But when i go to the edit mode, then the password field is showing the encrypted text that was saved before as encrypted string in user table. Is there any way to decrypt the string fetched from database and show in original string form in the password field?
I did not get any straight solution to do this in grails acl.
Any help would be appreciated.
There aren't very good reasons to display the cleartext password. As the user or an admin, if you want to change the password then you do it like any other property. Display the old value (either as * characters since it's a password or possibly the hashed value if you are an admin) and then you can enter a new password. This will get hashed and stored when you update.
As long as the cleartext password satisfies the validation requirements (minimum length, special chars, etc.) then the update should work fine.
Note that passwords are generally not encrypted (which implies that they can be decrypted) but hashed. Hash algorithms are lossy - given any input the hash is typically a fixed length output, so it cannot contain all of the original data and can't be used to retrieve the original value. For passwords this is fine. To authenticate, you don't de-hash the stored value and compare to the cleartext value from the login page - you hash the login page value and compare to the stored hash. With some algorithms they'll be the same, and others (e.g. bcrypt) they'll be different but equivalent, and the algorithm will have a way to check that they're equivalent.
No it is impossible to decrypt the password . It is bad idea to show password to user in edit mode. Its violet the security law. You can change a user's password but can not see it.
I haven't decrypted or d-hashed the password but added a new page to change password for a user. in workflow i did as follows:
1. while creating a user, new hashed password is created
2. while edit, all other desired information are allowed to edit except password (but password is showing in hashed dotted mode for security).
3. added a new link named 'change password' in the user list beside each user
4. finally in the newly created 'changePassword' page, i have assigned another new password with hash operation for the particular user
I am wanting to validate a password in my own controller.
Is there any way I can sent the password to spring security UI and get a return if the password validates?
You are looking for:
springSecurityService.encodePassword
If you have configured your system with salt you will need that as well. Just encode the String, and read the encoded String from your user object, and compare the two
Docs:
http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/single.html#6.2%20SpringSecurityService
I'm trying to write a simple ASP.Net app that allows the users to log in with their username and password. I'm using an EF database in the .NET Framework 4, coding in C#. My problem is, when the user registers their details on the registration page, their password value does not save. That textfield is a password field.
How can I save the passwords actual value in the database, but keep the textfield as password? Would I need to encrypt it? I've never done encryption, so any help would be appreciated. Thanks
You should use some cryptographic algorithm to compute the hash for password string (see Hash string in c#). Then store it as byte array or encoded string (like hex or base64) in db.
I used crypto:sha/1 to hash passwords in my erlang application.
Should I store the binary obtained directly in mnesia or should i convert them to hex string before?
Using crypto:sha/1 for hashing passwords is dangerous. At least have a salt, but preferably, use say scrypt, bcrypt or pbkdf2 for storing passwords like this. They are resilient to a number of attacks. Unfortunately, I know of no Erlang-support for those :/
Use https://github.com/smarkets/erlang-bcrypt to do the hashing rather than SHA1 or MD5.
One could get an Hmac SHA256 hex Digest or MD5 Digest of a password from a front-end application, create a hash using the erlang method and then store this hash. For example, if i had a web application, i ask for password from users, right at account creation or at login, i use javaScript to create an MD5 Digest of this password and send that along the wire (HTTPS) instead of the actual password. On reaching Erlang, i create a hash of this MD5 Digest from JavaScript and store that as the users password. So each time the user attempts to login on my page, i would do the similar process and then compare the hash output of his entry with the one that was stored. Read more on SHA256 HMac Digest by looking at the solutions to this question: HMAC SHA256 hex digest of a string in Erlang, how? and this one: Erlang and JavaScript MD5 Digest match
Actually you store tuples (or records, which is the same) in mnesia, but in the fields of that records you can store any term (including binaries). It's not neccessary to convert them to strings.