Wednesday, 11 July 2018

Change/use different node version on Ubuntu

On Ubuntu, NVM (Node Version Manager) works best, so I recommend it over the alternatives such as n.

Installation and usage are simple. The steps below are taken from the NVM GitHub repository README (the project now lives at github.com/nvm-sh/nvm; the older creationix URL used below still redirects there).

Run the following command to install nvm. It pins release v0.33.11 of the install script; note that piping a script fetched over the network straight into bash runs it unreviewed, so on any machine you care about download install.sh first, read it, and then run it with bash:

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.11/install.sh | bash

Enable the nvm command in the current shell by running:

source ~/.bashrc

To check that it installed properly, run:

command -v nvm

It should print nvm (nvm is a shell function, not a binary, so which nvm prints nothing). If it does, you can install a specific Node version with:

nvm install v8.11.0

OR

nvm install v8.10.0

Once more than one version is installed, switch the current shell to one of them with:

nvm use 8.10.0

To make that version the default for new shells, run nvm alias default 8.10.0.

Tuesday, 10 July 2018

Securely Hash Passwords with PHP

PHP 5.5 and later ship with a password_hash function that produces salted, one-way hashes, and a password_verify function that checks a password against a stored hash. If you are a PHP developer, you should be storing user passwords this way, no excuses.
Developers carry a large responsibility when handling and storing sensitive user data such as passwords, and should take the necessary precautions to keep that data safe*.
*Keep in mind that the implementation below is only part of the problem: it protects the password once the web server has received it. It does nothing for the password in transit from the browser to the server, which is why the login and registration pages must be served over HTTPS with a valid TLS certificate.

Hashing passwords

To hash a password, pass the password string to the password_hash function together with the algorithm you want to use, then store the returned hash in the database.
password_hash( $password, $algorithm [, $options ] )
  • $password string. Pass it exactly as the user typed it: do not escape, trim or truncate it first, or verification will fail later.
  • $algorithm one of the PASSWORD_* constants: PASSWORD_BCRYPT or PASSWORD_DEFAULT (PHP 7.2 added PASSWORD_ARGON2I and PHP 7.3 PASSWORD_ARGON2ID, available when PHP is built with Argon2 support).
  • $options array, see below.
password_hash generates a fresh random salt every time it is called and embeds it in the returned string, so there is no need to store salts in a separate column. Note that bcrypt only uses the first 72 bytes of the password; longer input is silently truncated.
$algorithm 
PASSWORD_BCRYPT uses the CRYPT_BLOWFISH algorithm and returns a 60-character string beginning with $2y$.
PASSWORD_DEFAULT currently also selects bcrypt, but it is allowed to change to a stronger algorithm in a future PHP release. That is why the PHP documentation recommends a column of 255 characters: a later default may return a longer string.
$options 
password_hash supports the following options:
  • salt - You can pass your own salt, but there is no reason to: password_hash generates a random salt for each call. The option is deprecated since PHP 7.0 and was removed in PHP 8.0.
  • cost - The bcrypt work factor; the hash takes roughly 2^cost rounds of key setup, so each increment doubles the time. The default value is 10; raise it as far as your login latency budget allows.
<?php
  // The 'salt' option is deprecated since PHP 7.0 and removed in PHP 8.0, so
  // let password_hash generate it. (The original example built one with
  // mcrypt_create_iv, and the mcrypt extension itself was removed in PHP 7.2.)
  $options = array(
    'cost' => 12,
  );
  $password_hash = password_hash($password_string, PASSWORD_BCRYPT, $options);
?>
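An added example (not from the original post) of choosing the cost option empirically rather than guessing: it times password_hash at increasing costs and keeps the highest one that stays under a latency target on the server that will actually run logins. The 250 ms target, the floor of 10 and the function name are assumptions for this example.

```php
<?php
// Added example: pick a bcrypt cost from measured timings on this server.
// Returns the highest cost (at least $min_cost) whose hash takes no longer
// than $target_ms. bcrypt allows costs 4..31; each step doubles the work.
function pick_bcrypt_cost(float $target_ms = 250.0, int $min_cost = 10, int $max_cost = 31): int
{
    $cost = $min_cost;
    // Throwaway input: only the hashing work is being measured.
    $sample = 'correct horse battery staple';

    while ($cost < $max_cost) {
        $start = microtime(true);
        password_hash($sample, PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        $elapsed_ms = (microtime(true) - $start) * 1000;
        if ($elapsed_ms > $target_ms) {
            break;          // cost + 1 is over budget; keep the current cost
        }
        $cost++;
    }
    return $cost;
}

$cost = pick_bcrypt_cost();
$hash = password_hash('user-supplied password', PASSWORD_BCRYPT, ['cost' => $cost]);
printf("Chosen cost: %d\n", $cost);
printf("Hash: %s\n", $hash);

// The cost is embedded in the hash ($2y$<cost>$...), so password_verify()
// needs no extra parameter and password_get_info() can read it back.
var_dump(password_get_info($hash)['options']);
```

Run this once when provisioning a server and store the result in configuration, not on every request: the measurement itself costs as much as several logins. If the floor of 10 already exceeds the target, the function returns 10 and the server is too slow for the traffic it is expected to serve.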
Here is a minimal registration example using password_hash with a prepared statement. (The original version of this snippet interpolated the values straight into the SQL string, which is an injection risk, and ran the password through mysqli_real_escape_string first, which is unnecessary and changes what gets hashed.)
<?php
  // Hash the raw password: do not escape, trim or truncate it first.
  $password_hash = password_hash($_POST["password"], PASSWORD_BCRYPT);
  // The value of $password_hash should look similar to the following:
  // $2y$10$aHhnT035EnQGbWAd8PfEROs7PJTHmr6rmzE2SvCQWOygSpGwX2rtW

  // Bind the values instead of building the SQL string by hand.
  $email_address = $_POST["email"];
  $stmt = mysqli_prepare($mysql_connection,
            "INSERT INTO Users (email, password_hash) VALUES (?, ?)");
  mysqli_stmt_bind_param($stmt, "ss", $email_address, $password_hash);
  mysqli_stmt_execute($stmt);
?>

Verifying passwords

When checking passwords, use the password_verify function. It takes the password string and the stored hash, reads the algorithm, cost and salt out of the hash, recomputes the hash and returns a boolean. The comparison is done in constant time, so it does not leak timing information about the stored hash.
password_verify( $password, $hash )
  • $password string.
  • $hash string.
<?php
  $password_string = "abc123";
  // Use single quotes (or read the hash from the database): inside a
  // double-quoted string PHP would parse $aHhnT035... as a variable and
  // silently truncate the hash to "$2y$10$".
  $password_hash = '$2y$10$aHhnT035EnQGbWAd8PfEROs7PJTHmr6rmzE2SvCQWOygSpGwX2rtW';

  if (password_verify($password_string, $password_hash)) {
    // Correct password
  } else {
    // Incorrect password
  }
?>
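An added example (not from the original post) showing why a hash written as a literal must be single-quoted, plus a check worth running before trusting a false result from password_verify. The 60-character hash literal is the one printed in the post; looks_like_valid_hash is a helper name chosen for this example.

```php
<?php
// Added example: the pasted-hash pitfall. bcrypt hashes contain '$', and in a
// double-quoted PHP string "$aHhnT035..." is parsed as a variable name. The
// variable is undefined (PHP emits a notice/warning), so the literal silently
// collapses to '$2y$10$'. Single quotes keep the hash intact.
$double = "$2y$10$aHhnT035EnQGbWAd8PfEROs7PJTHmr6rmzE2SvCQWOygSpGwX2rtW";
$single = '$2y$10$aHhnT035EnQGbWAd8PfEROs7PJTHmr6rmzE2SvCQWOygSpGwX2rtW';

// A hash that password_get_info() cannot name can never verify; check this
// first when a "correct" password unexpectedly fails.
function looks_like_valid_hash(string $hash): bool
{
    return password_get_info($hash)['algoName'] !== 'unknown';
}

printf("double-quoted: length %d, %s\n", strlen($double),
       looks_like_valid_hash($double) ? 'recognised' : 'NOT recognised');
printf("single-quoted: length %d, %s\n", strlen($single),
       looks_like_valid_hash($single) ? 'recognised' : 'NOT recognised');

// End-to-end with a freshly generated hash: the genuine hash verifies, while
// a single extra character (a trailing space picked up while copying, say)
// or the truncated '$2y$10$' never does.
$hash = password_hash('abc123', PASSWORD_DEFAULT);
var_dump(password_verify('abc123', $hash));
var_dump(password_verify('abc123', $hash . ' '));
var_dump(password_verify('abc123', '$2y$10$'));
```

The same thing happens when a hash copied from a rendered page is pasted into a double-quoted literal, which is the situation described in the question at the end of this page; in real code the hash should come from the database column, never from a string literal.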

PHP 5.3.7+

There is a very useful library that makes the password_* functions available on servers running PHP 5.3.7 and later: https://github.com/ircmaxell/password_compat
If you are running an even older version of PHP, it is time to upgrade: the bcrypt implementation in PHP before 5.3.7 had a bug in its handling of passwords containing 8-bit (non-ASCII) characters, which is why fixed versions emit the $2y$ prefix instead of the older $2a$.

Password hashing functions

You can get a more thorough, in-depth explanation of the password hashing functions straight from PHP's documentation: http://us2.php.net/manual/en/ref.password.php. There are two additional functions I did not cover, password_get_info and password_needs_rehash, that you may find useful: the first reports the algorithm and options embedded in a hash, and the second tells you whether a stored hash was produced with an older algorithm or a lower cost than you use now, so it can be regenerated at the user's next login while the plaintext is available.
For me, it always helps to know, or better understand, what is going on in the background of these functions.
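An added example (not from the original post) of the login-time rehash just described, using password_needs_rehash and password_get_info. It is written for PHP 7+ against an in-memory SQLite database through PDO so it runs on its own; the users table, the HASH_ALGO and HASH_OPTIONS constants and the e-mail addresses are assumptions for the example.

```php
<?php
// Added example: register/login flow that upgrades old hashes transparently.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
           password_hash VARCHAR(255) NOT NULL)');

// Current hashing policy (assumed). Raising the cost later is enough: rows
// hashed under the old policy are upgraded on their next successful login.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

function register(PDO $db, string $email, string $password): void
{
    // Hash the raw password: no escaping, trimming or truncation first.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the account does not exist, so the
    // response time does not reveal which e-mail addresses are registered.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    $stored = $row ? $row['password_hash'] : $dummy;

    if (!password_verify($password, $stored) || !$row) {
        return false;
    }

    // Stored hash made with an older algorithm or lower cost than the current
    // policy? Rehash now, while the plaintext is in hand, and store the result.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $new = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => $new, ':id' => $row['id']]);
    }
    return true;
}

// Demo: seed a legacy cost-10 row directly, log in, and watch it upgrade.
$legacy = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', $legacy]);
echo 'before: ', json_encode(password_get_info($legacy)['options']), PHP_EOL;

var_dump(login($db, 'alice@example.com', 'wrong'));
var_dump(login($db, 'alice@example.com', 'hunter2'));
var_dump(login($db, 'nobody@example.com', 'hunter2'));

$after = $db->query("SELECT password_hash FROM users WHERE email = 'alice@example.com'")
            ->fetchColumn();
echo 'after:  ', json_encode(password_get_info($after)['options']), PHP_EOL;
```

The seeded row reports cost 10 before the successful login and cost 12 after it; the wrong password and the unknown account both return false, and the unknown account still pays for one bcrypt computation so that its response time matches a real one.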

password_verify() returns false for correct password

Hey guys, I've just recently learned about the new hashing functions of PHP 5.5+, but unfortunately I'm getting mixed results after deciding to try them out myself.
Here is the code, nothing else is on the page:
<?php
$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);

echo $hash;
?>
Whenever I echo this value, and copy it from the page to the function:
<?php 

var_dump(password_verify("Hello", "Hash I copied from rendered page"));

?>
It returns bool(false).
On the other hand, if I do:
<?php

$password = "Hello";
$hash = password_hash($password, PASSWORD_DEFAULT);
echo $hash;

var_dump(password_verify("Hello", $hash));

?>
It returns true.
Is there some sort of formatting or security measure being applied to the echoed $hash? I've tried Google to no success.
Using password_get_info() on the copied $hash I get the following:
array(3) { ["algo"]=> int(0) ["algoName"]=> string(7) "unknown" ["options"]=> array(0) { } }
Something is clearly being lost here.
Thank you for your time guys.