Having problems with SHA1 storing and loading password
Th3CrazzyRabbit
Offline

Burgershot Member
Posts: 3
Threads: 1
Joined: Apr 2020
Reputation: 0
Location: Albania
#1
2020-04-18, 09:56 PM
Well, to be honest, it's the first time a customer has asked me for a SHA1 store and load from the database, as it's not that safe anymore; myself, I use bcrypt all the time.

However, I'm trying to put together this login / signup system, and at signup everything works perfectly: sha1 encrypts it and stores it to the database.

Now the issue is the loading from the database: even though I write the same password, it still doesn't work.

This is the code for loading the SHA1:

PHP Code:
$hashpass = sha1($userpass);

if (password_verify($hashpass, $row['password']))
{
    session_start();
    $_SESSION['userid'] = $row['Master_ID'];
    header("Location:../index.php?login:sucess");
    exit(); // stop the script after the redirect
}
else
{
    header("Location:../login.php?error:wrongpassword");
    exit();
}



Storing

PHP Code:
$hashedpass = sha1($password);

mysqli_stmt_bind_param($stmt, "sss", $username, $email, $hashedpass);
mysqli_stmt_execute($stmt);
header("Location:../index.php?Signup:Sucessful");
exit(); // stop the script after the redirect


Help me please, I really need this.
BigETI
Offline

open.mp Developer

Posts: 107
Threads: 5
Joined: Feb 2019
Reputation: 12
Location: Germany
#2
2020-04-18, 10:25 PM (This post was last modified: 2020-04-19, 11:40 AM by BigETI.)
You have three options:
1. Tell your customer to migrate to a safer user system
2. Tell your customer to fuck off
3. (not recommended at all) Actually read the documentation of `password_verify` to find out that it can't be used in that context. Do a string comparison of the stored hash and hashed input. This method is very unsafe and you are literally playing with user passwords. THIS IS NOT RECOMMENDED AT ALL!
Y_Less
Offline

Administrator

Posts: 323
Threads: 16
Joined: Feb 2019
Reputation: 90
#3
2020-04-18, 11:10 PM
Presumably your client hired you as an expert. In which case, tell them the problems and use a good system.
Th3CrazzyRabbit
Offline

Burgershot Member
Posts: 3
Threads: 1
Joined: Apr 2020
Reputation: 0
Location: Albania
#4
2020-04-18, 11:20 PM
To be honest, I have told him 3 times, not only once, but he wants to stick with sha1 and there's nothing I can do; if that's what he wants, I have to do it.

I told him that even if his database gets leaked, there are websites online that can reverse the hash code, so no idea; just help me out if you can.
Y_Less
Offline

Administrator

Posts: 323
Threads: 16
Joined: Feb 2019
Reputation: 90
#5
2020-04-19, 11:40 AM (This post was last modified: 2020-04-19, 11:40 AM by Y_Less.)
I'm not going to help you do a potentially dangerous thing. The problem isn't your job, or your client's lack of understanding. The problem is their customers using that system with no idea of how unsafe it is. They are the people I'm concerned about.
Th3CrazzyRabbit
Offline

Burgershot Member
Posts: 3
Threads: 1
Joined: Apr 2020
Reputation: 0
Location: Albania
#6
2020-04-19, 12:19 PM
It's okay, I've already canceled the work with him unless he updates the system to bcrypt, thank you.
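
Option 1 in reply #2 (migrating to a safer system) does not require resetting every password: a legacy SHA-1 row can be accepted once at login and replaced with a `password_hash()` value while the plaintext is still in memory. The PHP below is an added example, not code from the thread; the `$users` array, the function name `verify_and_upgrade` and the sample account are assumptions standing in for the real database code.

```php
<?php
// Added example, not code from the thread. $users stands in for the database
// table; the account and password are constructed sample data.
$users = ['alice' => ['password' => sha1('correct horse')]]; // legacy row: 40 hex chars

/**
 * Check a login and upgrade a legacy SHA-1 row to password_hash() on success.
 * Returns true when the password matches.
 */
function verify_and_upgrade(array &$users, string $name, string $plain): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];

    // password_get_info() reports an empty algo (null, or 0 before PHP 7.4)
    // for anything password_hash() did not produce, such as a bare SHA-1 digest.
    $isLegacy = empty(password_get_info($stored)['algo']);

    if ($isLegacy) {
        // Legacy row: constant-time comparison of the two hex digests.
        // password_verify(sha1($plain), $stored) cannot succeed here because
        // $stored is not in the format password_hash() writes.
        $ok = hash_equals($stored, sha1($plain));
    } else {
        // Upgraded row: pass the plaintext itself, never a pre-hashed value.
        $ok = password_verify($plain, $stored);
    }

    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // Replace the weak hash while the plaintext is still available.
        $users[$name]['password'] = password_hash($plain, PASSWORD_DEFAULT);
    }
    return $ok;
}

// The check from the first post, then the migration path.
var_dump(password_verify(sha1('correct horse'), $users['alice']['password']));
var_dump(verify_and_upgrade($users, 'alice', 'wrong guess'));
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));
var_dump(password_get_info($users['alice']['password'])['algoName']);
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));
```

The password column has to be wide enough for the new format; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.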