
how encrypt string to password?


langziyang


In PrestaShop 1.7, how do I encrypt a string to a password?

I registered an account, then I used

$crypto = ServiceLocator::get('\\PrestaShop\\PrestaShop\\Core\\Crypto\\Hashing');
echo '<pre>';
echo $crypto->hash($password);

to show my password. They are not equal to my account passwd.

Can someone tell me how to encrypt a string to a password?


Example

<?php
use PrestaShop\PrestaShop\Adapter\CoreException;
use PrestaShop\PrestaShop\Adapter\ServiceLocator;

class YourClassName extends Something
{
    /**
     * Hash a plaintext password with PrestaShop's hashing service.
     * Returns the hash string, or false if the service could not be loaded.
     */
    public static function MyFunction($plaintextPassword)
    {
        try {
            /** @var \PrestaShop\PrestaShop\Core\Crypto\Hashing $crypto */
            $crypto = ServiceLocator::get('\\PrestaShop\\PrestaShop\\Core\\Crypto\\Hashing');
        } catch (CoreException $e) {
            dump($e); // if error dump feel free to modify as you need
            return false; // $crypto is not set here, so do not go on to hash()
        }

        $hash_password = $crypto->hash($plaintextPassword);
        return $hash_password;
    }
}

Next you can use the method to generate the hashed password

<?php
// ... your php content

// for example we will hash the password 12345678
// this will generate something like $2y$10$dcPc7q9YJdPRQnBT1gyC2e.wHSRSppwsHe4tDvSqkjOw4aYZLUq9
$hash_password = YourClassName::MyFunction('12345678');

// it will return a different hashed password each time you use it
// but the first 7 characters within the generated hash will remain the same, e.g.: $2y$10$
// it will return true if you use $crypto->checkHash('12345678', HASH_PASSWORD); to check the password
  • Like 2
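Why re-hashing a password never reproduces the stored value, and how verification works instead, as an added example that is not part of any post in this thread. It uses PHP's built-in password_hash() and password_verify() with bcrypt at cost 10 (the same `$2y$10$` prefix mentioned above) rather than PrestaShop's Hashing service; the function names and the sample password are made up for illustration.

```php
<?php
// Added illustration: plain PHP, no PrestaShop classes. All names are hypothetical.

/** Hash a password for storage; bcrypt picks a fresh random salt on every call. */
function store_password(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** The check from the question: hash the candidate again and compare the strings. */
function check_by_rehashing(string $candidate, string $storedHash): bool
{
    return hash_equals($storedHash, store_password($candidate));
}

/** The working check: password_verify() reuses the salt embedded in the stored hash. */
function check_by_verifying(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

/** Split a bcrypt string into its parts to show where the salt lives. */
function describe_bcrypt(string $hash): array
{
    // Layout: $2y$ + two-digit cost + $ + 22-char salt + 31-char digest
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = '12345678';                 // constructed sample value
$stored   = store_password($password);  // what would sit in the customer table
$again    = store_password($password);  // same input, second call

echo 'two hashes identical:  ', var_export($stored === $again, true), PHP_EOL;
echo 'match by re-hashing:   ', var_export(check_by_rehashing($password, $stored), true), PHP_EOL;
echo 'match by verifying:    ', var_export(check_by_verifying($password, $stored), true), PHP_EOL;
echo 'wrong password passes: ', var_export(check_by_verifying('wrong-guess', $stored), true), PHP_EOL;
print_r(describe_bcrypt($stored));

// If the cost policy is raised later, rehash at the next successful login.
echo 'needs rehash at cost 12: ',
    var_export(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]), true), PHP_EOL;
```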

  • 8 months later...

Friends, that works when you need to generate a new password.

But what if I need it to show me exactly the password saved in the database?

Why do you want to be able to see the password in plain text?

A password should be a secret/confidential, that's why it needs to be hashed before being stored in the database.

So ... no one will be able to guess/know/see the password (in plain text)

If you or your customers forget the password (in plain text), use the "Forget password" function

  • Like 1

  • 3 weeks later...

A password should be a secret/confidential, that's why it needs to be hashed before being stored in the database.

So ... no one will be able to guess/know/see the password (in plain text)

For sure, but I have a module I'm currently adapting for PS 1.7.

This module must be able to connect to an external database/service.

So I have to store that password in the PS database (the module has its own table).

For security reasons I want to hash and unhash it.

So far (i.e. for PS 1.6), I used the Blowfish class and its encrypt/decrypt methods (which mixed the password as plain text and the PS cookie data).

Now that Blowfish is gone I'm searching for a new solution.

I started digging into the new PhpEncryption and Crypto classes but so far I haven't found how to use one of them as before.


...

For security reasons I want to hash and unhash it.

...

Since when can a hashed password be "unhashed"?

(actually it can, due to the rapid development of technology ... and that's why we should not use the md5 hash algorithm anymore)

I guess you misunderstand the principle of Hash vs Crypt

Hashing is a one-way function. It's irreversible: you apply the secure hash algorithm and you cannot get the original string back.

Encrypting is a proper two-way function. It's reversible: you can decrypt the mangled string to get the original string if you have the KEY.

To solve your problem about the module user password from PS 1.6

Actually I'm not sure what the problem is ...

If you have a module and the user should provide a password on the module configuration where the password will be stored in the database, then no problem at all because the user will write the password string, not the hashed string.

If your module requires the user to provide a Key (an API key maybe) which was previously created with the custom encryption algorithm, then you should be able to decrypt it because you are the author/creator of the encryption algorithm and you know and have the KEY for encrypt/decrypt.

But if you have another problem, then I believe you can always do something like this:

public function oldKeyAuth($old_key_crypt)
{
    // your AUTH code for the old crypt algorithm here ...
}

public function oldPassAuth($old_pass)
{
    // your AUTH code for the old pass ...
}

I mean you just have to add a new method in your module class to handle the authentication with the old encrypt/decrypt algorithm that you had created.


Indeed we misunderstood ;)

First of all you are right, I was talking about encryption and not hashing. My bad.

The situation is:

1. I have created a module for PS 1.6

2. I need to adapt it for PS 1.7

As the Blowfish stuff is not part of the CMS anymore, I had to find a new "integrated" method to replace the old encrypt/decrypt process.

I said "I had" because I finally found the solution yesterday night.

Here is a brief before/after overview, I think it will speak for itself

Before :

    private function encryptPassword($password)
    {
        $Blowfish = new Blowfish(_COOKIE_KEY_, _COOKIE_IV_);
        return $Blowfish->encrypt($password);
    }

    private function decryptPassword($password)
    {
        $Blowfish = new Blowfish(_COOKIE_KEY_, _COOKIE_IV_);
        return $Blowfish->decrypt($password);
    }

After :

    private function encryptPassword($password)
    {
        return Crypto::encryptWithPassword($password, _COOKIE_KEY_);
    }

    private function decryptPassword($password)
    {
        if (Tools::isEmpty($password)) {
            return $password;
        } else {
            return Crypto::decryptWithPassword($password, _COOKIE_KEY_);
        }
    }

I have to perform a few more tests (especially on the "empty password" case) but it seems to work fine.

In both cases, the point here is that if the PS database is hacked, the bad guy won't be able to access the "external" database/service unless he gets the PS cookie key as well.

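The pattern in the "After" code above (reversible encryption of a stored service password with a secret kept outside the database), as an added example that is not BeComWeb's code or PrestaShop's API. It swaps in PHP's bundled libsodium functions (PHP 7.2+) for Crypto::encryptWithPassword and a random 32-byte key for _COOKIE_KEY_ so that it runs stand-alone; the function names and sample values are hypothetical. It covers the empty-password case and what happens when the key changes or the stored value is modified.

```php
<?php
// Added illustration using ext-sodium; not PrestaShop or Defuse code. Names are hypothetical.

/** Encrypt a service password for storage. Empty input is stored as an empty string. */
function encrypt_service_password(string $plaintext, string $key): string
{
    if ($plaintext === '') {
        return '';
    }
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per encryption
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key); // encrypts and authenticates
    return base64_encode($nonce . $cipher);
}

/** Decrypt a stored value. Returns null when the key is wrong or the value was modified. */
function decrypt_service_password(string $stored, string $key): ?string
{
    if ($stored === '') {
        return '';
    }
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $body  = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($body, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed sample data. In a shop the key would live in a config file on disk, not in the database.
$key      = sodium_crypto_secretbox_keygen();
$otherKey = sodium_crypto_secretbox_keygen(); // simulates a key that changed during a migration
$stored   = encrypt_service_password('s3rvice-pass', $key);

// Change one character of the stored value to simulate modification inside the database.
$tampered = $stored;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';

echo 'round trip:    ', var_export(decrypt_service_password($stored, $key), true), PHP_EOL;
echo 'wrong key:     ', var_export(decrypt_service_password($stored, $otherKey), true), PHP_EOL;
echo 'modified data: ', var_export(decrypt_service_password($tampered, $key), true), PHP_EOL;
echo 'empty value:   ', var_export(decrypt_service_password('', $key), true), PHP_EOL;
```

Assuming the Crypto class in the post is the one from defuse/php-encryption, the wrong-key and modified-data cases there raise Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException instead of returning null, so decryptPassword() callers should catch it.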

  • 3 years later...
On 8/25/2017 at 5:24 PM, BeComWeb said:

Indeed we misunderstood ;)

First of all you are right, I was talking about encryption and not hashing. My bad.

The situation is:

1. I have created a module for PS 1.6

2. I need to adapt it for PS 1.7

As the Blowfish stuff is not part of the CMS anymore, I had to find a new "integrated" method to replace the old encrypt/decrypt process.

I said "I had" because I finally found the solution yesterday night.

Here is a brief before/after overview, I think it will speak for itself

Before :

    private function encryptPassword($password)
    {
        $Blowfish = new Blowfish(_COOKIE_KEY_, _COOKIE_IV_);
        return $Blowfish->encrypt($password);
    }

    private function decryptPassword($password)
    {
        $Blowfish = new Blowfish(_COOKIE_KEY_, _COOKIE_IV_);
        return $Blowfish->decrypt($password);
    }

After :

    private function encryptPassword($password)
    {
        return Crypto::encryptWithPassword($password, _COOKIE_KEY_);
    }

    private function decryptPassword($password)
    {
        if (Tools::isEmpty($password)) {
            return $password;
        } else {
            return Crypto::decryptWithPassword($password, _COOKIE_KEY_);
        }
    }

I have to perform a few more tests (especially on the "empty password" case) but it seems to work fine.

In both cases, the point here is that if the PS database is hacked, the bad guy won't be able to access the "external" database/service unless he gets the PS cookie key as well.

Hi

I have PrestaShop 1.6 and a new 1.7. I have changed the COOKIE_KEY_, but now this is not the problem.

In version 1.7 it is much more complicated. In this case it is required to change the way the correctness of the password is checked in PrestaShop 1.7. This requires core code changes.

Please, do you know this code?
