mvasco

Reputation: 5101

Getting password hash from MySQL

I am generating a password in PHP as follows:

$options = [
    'cost' => 11,
];
// Get the password from post
$passwordFromPost = $_POST['password'];

$hash = password_hash($passwordFromPost, PASSWORD_BCRYPT, $options);

and I insert it in a MySQL table.

Now, I would like to retrieve it. I was using a hash+salt password, but I would like to remove the salt option. How could I retrieve the created password in PHP?

Upvotes: 0

Views: 2394

Answers (2)

Mohamed Hesham

Reputation: 157

You can't retrieve the plaintext password.

But if in your case the website is up and people are using it, you can add a function after password verify to update the user's password in the database using your new hash. You might be able to know which passwords are updated by simply adding a field in your database to tell you.

Upvotes: 0

avisheks

Reputation: 1180

Ok, here it goes. You cannot retrieve the raw passwords again, as hash(hash+salt) is a one-way encryption technique (and that makes sense: one should not be able to read anybody's raw password and misuse it). The way it works is, when users type in their passphrase to log in, the same encryption algorithm (the one that was followed while storing) is followed to create the hash out of it. The comparison now happens hash to hash to get a valid session token.

Now, coming to the question: if you want to change the encryption algorithm or the salt, you need to allow users to log in with the old encryption algo. What you should be doing is a gradual migration of old users' password hashes to new password hashes. And the only option you get for the raw pass is when users type it in. You need to identify if they are old users; if they are, allow them to log in with the backward-compatible algorithm and silently update their password, encrypted with the new salt.

Upvotes: 2
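The migrate-on-login approach both answers describe, as an added example that is not code from the question or from either answerer. The legacy scheme (`sha256(salt . password)`), the function names and the row keys `legacy_hash`, `legacy_salt` and `bcrypt_hash` are assumptions; a `NULL` `bcrypt_hash` plays the role of the "which passwords are updated" field.

```php
<?php
// Added example; function, constant and column names are hypothetical.
const BCRYPT_OPTIONS = ['cost' => 11]; // cost taken from the question

// ASSUMPTION: the old scheme was sha256(salt . password); substitute the real one.
function legacyHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Returns [bool $ok, array $row]; the caller saves $row when it changed.
function verifyAndUpgrade(array $row, string $password): array
{
    if ($row['bcrypt_hash'] !== null) {
        if (!password_verify($password, $row['bcrypt_hash'])) {
            return [false, $row];
        }
        // Re-hash when the stored cost or algorithm is behind the current settings.
        if (password_needs_rehash($row['bcrypt_hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
            $row['bcrypt_hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        }
        return [true, $row];
    }
    // Legacy path: recompute the old hash and compare in constant time.
    if ($row['legacy_hash'] === null
        || !hash_equals($row['legacy_hash'], legacyHash($password, $row['legacy_salt']))) {
        return [false, $row];
    }
    // The plaintext exists only during this request, so upgrade now.
    // password_hash() embeds its own random salt in the hash string.
    $row['bcrypt_hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $row['legacy_hash'] = null;
    $row['legacy_salt'] = null;
    return [true, $row];
}

// Constructed sample row for a user who has not been migrated yet.
$salt = 'constructed-salt';
$row = ['legacy_hash' => legacyHash('correct horse', $salt),
        'legacy_salt' => $salt, 'bcrypt_hash' => null];

[$ok, $row] = verifyAndUpgrade($row, 'wrong guess');   // rejected, row unchanged
var_dump($ok, $row['bcrypt_hash'] === null);
[$ok, $row] = verifyAndUpgrade($row, 'correct horse'); // accepted via legacy path, migrated
var_dump($ok, $row['legacy_hash'] === null);
[$ok, $row] = verifyAndUpgrade($row, 'correct horse'); // accepted via bcrypt path
var_dump($ok);
```

In a real application the returned row would be written back with a parameterized `UPDATE` whenever it differs from the row that was loaded.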
