I have a collection of accounts with passwords encrypted with bCrypt in my Fauna database. How do I find the correct account when given the password in plain text?
When I was not encrypting the password, this is the query I was using:
const password = 'abc123'
faunaClient.query(
q.Count(
q.Match(q.Index('getAccountByPassword'), password))
)
But this obviously isn't going to work anymore.
So what I need to do is getting all the hashed passwords in my database and then compare them to my plain text password. I don't have a name, email or something similar, to initially identify the account and then compare the passwords. I only have the password.
Create an index that specifies the field holding the hashes as a term, then you can search for the hash. You'll need to bCrypt any provided password first.
Alternately, you could use Fauna's built-in authentication. When you create a document representing an identity (e.g. a user), you can set a credentials field:
Create(
Collection("users"),
{
data: {
username: "alice",
...
},
credentials: { password: "abc123" },
}
)
The credentials field is never stored: it is used to create a Credentials document. Then, you can use Login(<reference to identity document>, <password>) to acquire a token. The token's secret can then be used as a password-equivalent when executing Fauna queries, and ABAC roles can specify what privileges that the token's identity can perform.
For more details, see:
Login function
Logout function
User Authentication tutorial
Related
I am trying to retrieve data in my MongoDB database. If I have the following below in my mongoDB database, I want to select the Password given the Username. So in this case, I will be looking through the database for a Username that is 'e' and retrieving the password associated with that specific Username. I've tried looking everywhere but I can't seem to find a solution on how to do it. I am using express, node, and mongoDB for this personal project. What I have so far is just looking up with database with .find({ Username: Username} and it outputs the entire JSON object.
To clarify, I will be sending a request with a Username of value 'e' and looking it up the database trying to retrieve the value of Password.
{
_id: 62d7712e6d6732706b46094e,
Username: 'e',
Password: 'hi',
__v: 0
}
find takes multiple inputs you can give the select statements also in find itself
so the query will be like
db.collectionName.find({username:'e'},{_id:0,password:1})
mongo by default fetch _id all the time by default so you need to specifically mention to not fetch _id thus _id :0
for such scenarios, there are 2 options if username is unique i would suggest to go with findOne rather then find
db.collectionName.findOne({username:'e'}).password
the same will work if you have multiple records with same username but you want only the first record
but if you want data of all the records as array
db.collectionName.find({username:'e'},{_id:0,password:1})..map( function(u) { return u.password; } )
I've protected delete queries on my forms with a password (did it with some VBA) and I let the user change the password so I can't just compare it to a text when I ask the user to enter the password, is there any way I could save the password variable on access storage without a table?
currently, I'm saving the password on a table with one field and doing the comparisons at the background...
It's a school project.
I would suggest hashing the password and storing the hash in your table; then, when the user enters a password, hash the entered password and compare the result with the stored hash.
This approach has the benefit that no passwords are stored in human readable format, and the hashing process cannot be reversed to yield the plain text password from the stored hash (one could only brute-force guess the password and compare the resulting hash).
You can save the password, but better password hash as advised #Lee Mac in the database properties. Property can be changed at any time by code. Change remains in the database file after database closing.
Create property:
Function CreatePropery()
Dim DB As Database
Dim P As Property
Set DB = CurrentDb
Set P = DB.CreateProperty("MyPassword", DB_TEXT, "MyInitialPassword")
DB.Properties.Append P
End Function
Get current password:
Function GetPasswod()
GetPasswod = CurrentDb.Properties![MyPassword]
End Function
Set new password:
Function SetPassword(strNewPassword As String)
CurrentDb.Properties![MyPassword] = strNewPassword
End Function
If I have a user in Aure AD B2C that was created based on an Azure AD (enterprise) identity (as described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom), is there an attribute stored in AADB2C that will allow me to look up (using Graph API or similar) the user object in AAD? I see that among the AADB2C attributes there is userPrincipalName and issuerUserId but it's not obvious to me if either of these match any value stored in AAD.
thanks!
Martin
For an external account, the external issuer (i.e., Azure AD) and the external user identifier (i.e., the object identifier of the Azure AD user) are written to the "userIdentities" property of the user object in the Azure AD B2C directory, where the "issuerUserId" property contains the Base64-encoding of the external user identifier:
{
"userIdentities": [
{
"issuer": "contoso.com",
"issuerUserId": "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm"
}
]
}
To find the user object by the external account, you can invoke the following Graph API operation, where the "x/issuerUserId" value is set to the hexadecimal-encoding of the external user identifier:
GET https://graph.windows.net/myorganization/users?$filter=userIdentities/any(x:x/issuer eq 'contoso.com' and x/issuerUserId eq X'32393637376535302d636330652d343265392d626135632d663166303764653530303866')
Update:
The issuerUserId from the external identity provider should be treated as string and not decimal. In above example, when you base 64 decode "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm" - it returns a guid 29677e50-cc0e-42e9-ba5c-f1f07de5008f. In case of facebook, the issuerUserId will be a number, but still should be treated as string.
Next step will be to use string to hexadecimal converter and then use that value in the query.
I'm writing a program and before it loads I want the user to enter the correct password without storing the password anywhere in my code. I've implemented MD5 hashes before but from what I've read they're outdated and can be broken. There are a few sites out there that attempt to reverse engineer and MD5 hash. What's the strongest encryption I can use to keep prying eyes out of my program (e.g., The NSA)?
"Encryption" is not the right thing to do for storing user passwords - as by design an encrypted password can be decrypted. As you said - hashing is the way to go.
MD5 is outdated, and I believe the current recommendation is sha1.
Note that there are ways to reverse any hashing algorithm to acceptable input. The commonly accepted standard to make this much more dificult is to add a unique "salt" to all passwords before putting them through the hashing function. A common mistake made when adding salts to passwords is to use the same salt value on every password in the database.
When salting passwords, use a unique value, for example the user ID, or the created date/time string for the user record. This will prevent attacks based on rainbow tables because there will be no existing ready to use rainbow table for your stored password hashes.
I personally like the approach of using the created date / time string of the user as it's a value that should never change and will be available and will likely be different for each user the the database.
Eexamples below assume you are familiar with PHP - however the concepts can be applied to any language.
Example:
Before saving a new user into the database:
$date = date('Y-m-d H:i:s');
// save this same value into the user record somewhere
$passwordHash = sha1($user['created_date'].$_POST['password']);
// and save the $passwordHash value into the password field for that user
To authenticate a login attempt, use something like the following:
function authenticateUserLogin($email, $password) {
$user = $db->fetchRow('SELECT * FROM users WHERE email=?', array($email));
if (!$user) return false;
$passwordHash = sha1($user['created_date'].$password);
return $user['password_hash'] !== $passwordHash;
}
To update an existing users password, use something like...
$passwordHash = sha1($user['date_created'].$newPassword);
$db->query('UPDATE users set password_hash=? WHERE id = ?', array($passwordHash, $user['id']));
Is it possible in CakePHP 1.3 to login a user by indicating the user's id in the users table?
Now, to do a "manual" login, I do this (which works):
$this->data['User']['username'] = username;
$this->data['User']['password'] = password;
$this->Auth->login($this->data);
I would like to be able to indicate the specific user, for example adding $this->data['User']['user_id'] before the login() function. (I've tried that but it doesn't work).
The reason I want to do this is because in the users table there are different users records of users who have the same username and password. It seems odd but in my case makes sense, since one same user may create several accounts for different reasons, and he may choose the same username/password.
Any ideas would be much appreciated!
EDIT:
I'm going to give a specific example of what I'm trying to do, maybe it helps to bring some ideas.
Say I have this 2 records in the users table (fields are user_id / username / password / account_id):
Record 1: 1 / johndoe / password1 / 10
Record 2: 2 / johndoe / password1 / 15
So this 2 records have same username and password, but different user_id and account_id. When the login is processed, I know what account_id the user has chosen. So I want to log in the corresponding user. So if the user chooses account 15, then logs is, I should be logging in the user with id 2.
However, the way cake's login works, it always retrieves the first record that matches username / password. In this example, cake would be logging in the user with id 1.
Is there any way I can do what I want?
Doesn't sound like a very good idea to me, but if you really want/must do it that way, then have a look at AuthComponent::userScope. You can use it to define additional conditions for authentication lookups, for example:
$this->Auth->userScope = array('User.account_id' => 15);
That way authentication would only be successful when username and password match and the users account_id is 15, ie the resulting query would look something like this
User.username = 'abc' AND User.password = 'xyz' AND User.account_id = 15