Decryption Help

[smallc28]

Hello PHP freak members I learn how to ecrypt my password using the blow fish method but I'm having trouble decypting the password. Is there anyone that can over see the problem that I'm having? 

 

Sample ecrypted password > $2y$09$Q5klufp7bj6iuBA3dHpz5.fLN1sLzeGKE7nuXKunLMKKvE.rZtSTW

Original password > 1234 

 

<?php 

error_reporting(E_ALL & ~E_NOTICE);

session_start();

if(isset ($_SESSION['id'])){

header('location: profile.php');

} else {

if($_POST['submit']){

include "connect_prompt/connect_query.php";

 $email = mysqli_real_escape_string($db_conx,$_POST['email']); 

 $password_one =  $_POST['password_one']; 



///////////////// Blow Fish ///////////////////////////////////



 function cryptPass($input, $rounds = 9){

$salt = "";

$saltChars = array_merge(range('A','Z'),range('a','z'),range(0,9));

for($i = 0; $i < 22; $i++){

$salt .= $saltChars[array_rand($saltChars)];

}

return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);

}

$password_one = $_POST['password_one'];

$password = $_POST['password'];

$hashedPass = cryptPass($password);



if(crypt($password_one, $hashedPass) == $hashedPass){





///////////////// Blow Fish ///////////////////////////////////



$sql = "SELECT id, email, password FROM customer WHERE email='$email' AND password='$password_one' LIMIT 1";

$query = mysqli_query ($db_conx, $sql);

if($query){

$row = mysqli_fetch_row($query);

$userID = $row[0];

$db_email = $row[1];

$db_password = $row[2];

}

if($email == $db_email && $password_one == $db_password){

$_SESSION['email'] = $email;

$_SESSION['id'] = $userID;

header("location: profile.php"); 

} else {

echo "Sorry, Username or Password was incorrect";

}

}

  }

}

?>





<form 

action="login.php" method="POST">

    <input type="email" name="email" id="email" placeholder="  your@email.com" />

    <br/><br/>

    <input type="password" name="password_one" id="password_one" placeholder="  ********" />

    <br/><br/>

    <input type="submit" name="submit" value="SIGN IN" />

</form>

Edited August 2, 2016 by Zane

[Jacques1]

Your terminology is way off. crypt() hashes a password, it has nothing to do with “encryption”. A hash cannot be “decrypted”. And the algorithm you're using is bcrypt, not “Blowfish”.

 

So when you're asking us to “decrypt the password”, this makes absolutely no sense. Besides that, the crypt() code you've appearently copied and pasted from the Internet is insecure and garbage.

 

I suggest you simply throw away the script and start over, this time with the proper password hash API. You should also learn how to use mysqli correctly, particularly how to use prepared statements.

Edited August 2, 2016 by Jacques1

[Jacques1]

<?php


const PASSWORD_MIN_LENGTH = 8;

const PASSWORD_MAX_LENGTH = 56;                     // bcrypt is limited to 56 bytes of input

const PASSWORD_HASH_ALGORITHM = PASSWORD_BCRYPT;

const PASSWORD_HASH_COST = 10;                      // the cost factor which determines the hash strength; should be as high as possible




/* test: create a new password hash */


$password = 'g3xoc2YJ';


if (strlen($password) < PASSWORD_MIN_LENGTH)

{

    die('Password too short, length must be at least '.PASSWORD_MIN_LENGTH);

}


if (strlen($password) > PASSWORD_MAX_LENGTH)

{

    die('Password too long, length can be at most '.PASSWORD_MAX_LENGTH);

}


$passwordHash = password_hash($password, PASSWORD_HASH_ALGORITHM, ['cost' => PASSWORD_HASH_COST]);


echo 'Password hash: '.$passwordHash.'<br>';




/* test: verify password */


if (password_verify($password, $passwordHash))

{

    echo 'The password matches the hash.<br>';

}

else

{

    echo 'The password does not match the hash.<br>';

}

[smallc28]

Where can I learn more about this I'm good at programming things but not so great at security. This is just practice for me that's why it lack security but Thanks 

Edited August 4, 2016 by smallc28

[Jacques1]

The PHP manual is usually a good start, because it has plenty of examples and will warn you when a function is not recommended. There's also the online security book by Padraic Brady, but it only covers some topics (not password hashing) and isn't really meant for beginners.

 

What's important to understand about modern password hash algorithms is that you cannot do a simple string comparison like you would with, say, MD5. The hashes are parameterized with a cost factor and a random “salt”, so to verify a password, you have to load the existing hash into the application, hash the password with the same parameters and then compare the hashes. If you use the above mentioned password hash API, the last two steps are automatically done by the password_verify() function:

// create and execute prepared statement to get the user data
$userStmt = $databaseConnection->prepare('
    SELECT
        id,
        password
    FROM
        customer
    WHERE
        email = :email
');
$userStmt->execute(['email' => $_POST['email']]);
$user = $userStmt->fetch();

if ($user)
{
    if (password_verify($_POST['password'], $user['password']))
    {
        // Everything OK
    }
    else
    {
        // Wrong password
    }
}
else
{
    // Wrong username
}

(The above code uses PDO rather than mysqli; with mysqli, it will be a more complex)