How to decrypt password to real password to be shown in update form Yii2 (Advanced Template)?
Solution 1
As already mentioned by @TomCarrick, hashing passwords is a one-way algorithm and was never meant to be reversed. The process of verifying the validity of a proposed password is hashing it using the same algorithm, then checking if the resulting hash is the same as the one you already have. This strategy is handled in Yii within the User class, the one extending the IdentityInterface and defined in your config file. And this is done within these 2 methods:
class User extends ActiveRecord implements IdentityInterface
{
    // ...

    // Re-hash the candidate password and compare it with the stored hash
    // (the comparison itself is done by the security component).
    public function validatePassword($password)
    {
        return Yii::$app->security->validatePassword($password, $this->password_hash);
    }

    // Store only the one-way hash of the password, never the plaintext.
    public function setPassword($password)
    {
        $this->password_hash = Yii::$app->security->generatePasswordHash($password);
    }
}
NOTE: The following is not recommended. If it is for an update form, like a user changing his password, as I understood from your question, then I would recommend using two inputs:
old_password
and new_password
as used in most websites. Then, the same way as implemented in the User class, you may check the entered password's validity by comparing hashes, and if it is valid, you just hash the new_password
and save it to the database by overriding the old one.
If, for whatever reasons you have, you need to know users' passwords, then you will need to manually change the way Yii sets and validates those passwords by implementing a LESS SECURE strategy. This can be achieved by replacing that one-way algorithm with a different one, like using the encryptByPassword() and decryptByPassword() helper methods, which will allow you to encrypt any string using a $secretKey
that you will use later to decrypt it back. So you will need to override the previously mentioned 2 methods with this:
public $secretKey = 'WHATEVER_SECRET_YOU_CHOOSE';

// Decrypt the stored value and compare it with the candidate password.
// decryptByPassword() returns false on a wrong key or corrupted data,
// so the strict comparison below also fails in that case.
public function validatePassword($password)
{
    $decryptedPassword = Yii::$app->getSecurity()->decryptByPassword($this->password_hash, $this->secretKey);
    return $decryptedPassword === $password;
}

// Store a reversible ciphertext instead of a hash (less secure).
public function setPassword($password)
{
    $this->password_hash = Yii::$app->getSecurity()->encryptByPassword($password, $this->secretKey);
}
If needed, you can also implement setter and getter methods inside your model like:
// Virtual "password" attribute: reading it decrypts the stored value.
public function getPassword()
{
    return Yii::$app->getSecurity()->decryptByPassword($this->password_hash, 'THE_SECRET_YOU_ALREADY_HAVE_CHOOSEN');
}

// Writing it encrypts the plaintext with the same secret.
public function setPassword($password)
{
    $this->password_hash = Yii::$app->getSecurity()->encryptByPassword($password, 'THE_SECRET_YOU_ALREADY_HAVE_CHOOSEN');
}
that you can use anywhere to retrieve the real password, and at least keeping a decrypted version of it in the database:
<?= $form->field($model, 'password')->passwordInput() ?>
You may also find more about security helper methods here.
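The two-input flow that Solution 1 recommends (verify old_password, then hash new_password), shown as an added plain-PHP example that is not part of the answer or of Yii. It assumes only PHP's built-in password_hash()/password_verify(), which is what Yii's generatePasswordHash()/validatePassword() wrap (bcrypt, cost 13 by default, hence the "$2y$13$" prefix in the question); the class name PasswordChangeForm and its method names are this example's own. The last check reproduces the failure from the question's comments: a form bound to password_hash resubmits the displayed hash string, which then never verifies as a password.

```php
<?php
// Added example, not code from the original answers or from Yii.
// Mirrors the User::validatePassword()/setPassword() pair with plain PHP.

final class PasswordChangeForm
{
    // Yii's Security component also defaults to bcrypt cost 13; each hash
    // or verify therefore takes a noticeable fraction of a second.
    private const BCRYPT_COST = 13;

    // The only value persisted: a one-way hash, never the plaintext and
    // never anything that can be decrypted back.
    private string $storedHash;

    public function __construct(string $initialPassword)
    {
        $this->storedHash = self::hash($initialPassword);
    }

    private static function hash(string $plaintext): string
    {
        // password_hash() picks a fresh random salt, so the same password
        // produces a different string every time; verification still works.
        return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]);
    }

    // Equivalent of User::validatePassword(): re-hash the candidate with the
    // stored salt/cost and compare in constant time.
    public function verify(string $candidate): bool
    {
        return password_verify($candidate, $this->storedHash);
    }

    // Update-form handler for the two inputs old_password / new_password.
    // The hash is replaced only after the old password verifies.
    public function change(string $oldPassword, string $newPassword): string
    {
        if (!$this->verify($oldPassword)) {
            return 'old_password_invalid';
        }
        if (strlen($newPassword) < 8) {
            return 'new_password_too_short';
        }
        if ($this->verify($newPassword)) {
            return 'new_password_same_as_old';
        }
        $this->storedHash = self::hash($newPassword);
        return 'ok';
    }

    // Exposed here only so the walkthrough can show what an edit form bound to
    // password_hash would display; a real form should never render this.
    public function storedHash(): string
    {
        return $this->storedHash;
    }
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed walkthrough using the question's sample password.
$form = new PasswordChangeForm('123456');

check($form->verify('123456'), 'correct password verifies');
check(!$form->verify('wrong'), 'wrong password is rejected');
check($form->storedHash() !== '123456', 'plaintext is never stored');
check(str_starts_with($form->storedHash(), '$2y$13$'), 'bcrypt cost-13 hash, like the one in the question');

check($form->change('wrong', 'correct horse battery') === 'old_password_invalid', 'old password must verify first');
check($form->change('123456', 'short') === 'new_password_too_short', 'new password policy applies');
check($form->change('123456', 'correct horse battery') === 'ok', 'change succeeds');
check($form->verify('correct horse battery'), 'new password verifies');
check(!$form->verify('123456'), 'old password no longer verifies');

// The question's failure mode: a form field bound to password_hash displays the
// hash and, on submit, sends that string back as if it were the password.
$displayedHash = $form->storedHash();
check(!$form->verify($displayedHash), 'the hash string itself is not a valid password');

echo "all checks passed\n";
```

The form field should therefore bind to a virtual attribute (old_password / new_password) and the model should call the hashing setter in its save path; password_hash itself is never rendered or accepted from the client.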
Solution 2
You can't. That's the whole point of hashing passwords, so they can't be reversed to the original plaintext.
Jsparo30
A Skilled FullStack PHP/Magento/Laravel Developer experienced in building web-based solutions.
Updated on June 09, 2022
Comments
-
Jsparo30 almost 2 years ago
I want to show the decrypted password in the update form, as the line
<?= $form->field($model, 'password_hash')->passwordInput() ?>
shows the full-length encrypted password like:
$2y$13$4SUKFKV03ZolfDwLIsZRBuD4i7iELPZRMEJojODgP3s5S4dER.J0m
which is the encrypted password for
123456
-
Keyne Viana about 8 years ago: You could, depending on the hash algorithm!
-
Tom Carrick about 8 years ago: No. It's not a hash if you can decrypt it. A hash is a one-way function.
-
Keyne Viana about 8 years ago: Right, but maybe the OP doesn't know about two-way encryption.
-
Tom Carrick about 8 years ago: Ok, but that's not what was asked. And in any case, this is a very bad idea. If someone gains access to his account, say by session hijacking or even just jumping on their computer when they're not looking, they can now see his password by going to the edit page, and chances are, the user uses this password on many sites...
-
Jsparo30 about 8 years ago: The problem which I suffer from is the form saves the updated password as the encrypted password, so I can't log in again.