Friday, April 20, 2012

How to generate the password in PHP the way the Devise gem does in Ruby on Rails

I'm rewriting a website from Ruby on Rails to PHP.
I need to generate the passwords the same way the Devise gem generates them in Ruby on Rails.
I have to know what the password hashing method is so I can create the same method in PHP,
but as a beginner it's not easy to find that code inside Ruby on Rails.
If somebody knows where I should look to find it, please help me.

These two things are all I found:

1) The encryptor configuration is disabled in devise.rb, like below:
# config.encryptor = :sha1
2) I read the comments very carefully and found that they use sha512 and bcrypt as the default encryptor.
# (default), :sha512 and :bcrypt. Devise also supports encryptors from others

I tried to make the same encrypted password in different ways with PHP:

1) sha1('--'.$password_salt.'--'.$encrypted_password);
2) sha1($password_salt.'-----'.$encrypted_password);
3) sha1('--'.$password_salt.'--'.$encrypted_password.'--');
4) sha1($password_salt.$encrypted_password);
5) sha1($encrypted_password.$password_salt);
6) substr(hash('sha512', $password_salt.$encrypted_password, false), 20);
7) substr(hash('sha512', $encrypted_password.$password_salt, false), 0, 40);
8) hash('sha512', $encrypted_password.$password_salt, false);
9) hash('sha512', $password_salt.$encrypted_password, false);
10) substr(hash('sha512', '--'.$password_salt.'--'.$encrypted_password.'--', false), 0, 40);

I couldn't get the same result from any of the above.
Is there anybody who could tell me the encryption method of the Devise gem?


PS. I'm not good at English. Even if my English is not correct, please don't be angry.

Dear W00d5t0ck,

Thank you for asking for the test data.

Here is a test password.

password: shfogkwk1

password_salt: hnhbvKFgFVBQ4rLagcbb

encrypted_password: 30f5113d36ba649f1c89180495f01988bc78b529

I don't know which combination of password and password_salt the Devise gem is using.

I don't even know whether the Devise gem is using a salt or not.

Dear Jazz,

I found config.pepper on /config/initializers/devise.rb.

# ==> Configuration for :authenticatable
# Invoke `rake secret` and use the printed value to setup a pepper to generate
# the encrypted password. By default no pepper is used.
# config.pepper = "rake secret output"

It's commented out.

Thank you for the answer, W00d5t0ck.

I don't see any data field or configuration for "$pepper".

I found the information in devise.rb:

1) # the encrypted password. By default no pepper is used.
# config.pepper = "rake secret output"

2) # Configure how many times you want the password is reencrypted. Default is 10.
# config.stretches = 10

So I called it like this:

sha512_digest('shfogkwk1', 10, 'hnhbvKFgFVBQ4rLagcbb', '')

Then it returns 39dad169b4b2ac72471fad6c20cc1d5289fce0d0.......

It's not the same as it was (30f5113d36ba649f1c89180495f01988bc78b529).

How do you use bcrypt for hashing passwords in PHP?

I tried bcrypt with advice from above.

The result is $1$eT0.Pf5.$i6ML4YMP59CNOil49xTcR0.

It's not even close to sha512.

What should I do?
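As an added PHP example that is not part of the original post or of Devise's own code: the scheme below is my recollection of the legacy Sha1/Sha512 encryptors that Devise 1.x inherited from restful_authentication, a digest of the `--`-joined tokens (salt, previous digest, password, pepper) seeded with the pepper and repeated `stretches` times, which fits the `digest(password, stretches, salt, pepper)` signature used in the comments above. The scheme and the function names deviseLegacyDigest/deviseLegacyVerify are assumptions, so the code checks itself against the test vector from the post instead of claiming it matches.

```php
<?php
// Added example (not from the post or from Devise). Assumed scheme of the
// legacy Devise Sha1/Sha512 encryptors: start with the pepper, then repeat
//   digest = HASH('--' . salt . '--' . digest . '--' . password . '--' . pepper . '--')
// `stretches` times. Verify against a known pair before trusting it.
function deviseLegacyDigest(string $password, int $stretches, string $salt,
                            string $pepper = '', string $algo = 'sha1'): string
{
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported hash algorithm: $algo");
    }
    $digest = $pepper;
    for ($i = 0; $i < $stretches; $i++) {
        // Tokens joined with '--' and the whole string wrapped in '--'.
        $digest = hash($algo, '--' . implode('--', [$salt, $digest, $password, $pepper]) . '--');
    }
    return $digest;
}

// Constant-time comparison so a migration login check does not leak timing information.
function deviseLegacyVerify(string $password, string $stored, int $stretches,
                            string $salt, string $pepper = '', string $algo = 'sha1'): bool
{
    return hash_equals($stored, deviseLegacyDigest($password, $stretches, $salt, $pepper, $algo));
}

// Test vector taken from the post above; stretches=10 and an empty pepper are the
// devise.rb defaults quoted there.
$password = 'shfogkwk1';
$salt     = 'hnhbvKFgFVBQ4rLagcbb';
$stored   = '30f5113d36ba649f1c89180495f01988bc78b529'; // 40 hex chars: SHA-1 sized

foreach (['sha1', 'sha512'] as $algo) {
    $ok = deviseLegacyVerify($password, $stored, 10, $salt, '', $algo);
    printf("%-6s stretches=10 pepper='' -> %s\n", $algo, $ok ? 'MATCH' : 'no match');
}

// Once a legacy digest verifies at login, rehash with PHP's bcrypt so the stretched
// SHA digests are retired instead of being carried into the new site.
$modern = password_hash($password, PASSWORD_BCRYPT);
var_dump(password_verify($password, $modern));
```

If neither algorithm reports MATCH, the site was likely using a non-empty config.pepper, a different stretches value, or the bcrypt encryptor, whose output is a `$2a$` string rather than a hex digest.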
