Compare numeric keypad combination with user bcrypt

1
Hi folks, I'm developing a numeric keypad just like the ones banks use, where the user selects a combination of numbers, but it has to be compared against their stored password, which is hashed with bcrypt. The password is always 6 numeric digits (that makes it easier, right?)

The keyboard:

<div class="password-keyboard">
<div class="row">
    <div class="col-md-4">
        <button class="btn btn-light btn-block" id="btnNumber_1" onclick="digitaCaracter('1')">1 ou 8</button>
        <input type="hidden" id="btnNumberVal_1" name="btnNumber[]" value="1,8" />
    </div>
    <div class="col-md-4">
        <button class="btn btn-light btn-block" id="btnNumber_2" onclick="digitaCaracter('2')">7 ou 2</button>
        <input type="hidden" id="btnNumberVal_2" name="btnNumber[]" value="7,2" />
    </div>
    <div class="col-md-4">
        <button class="btn btn-light btn-block" id="btnNumber_3" onclick="digitaCaracter('3')">5 ou 4</button>
        <input type="hidden" id="btnNumberVal_3" name="btnNumber[]" value="5,4" />
    </div>
    <div class="col-md-4">
        <button class="btn btn-light btn-block" id="btnNumber_4" onclick="digitaCaracter('4')">3 ou 6</button>
        <input type="hidden" id="btnNumberVal_4" name="btnNumber[]" value="3,6" />
    </div>
    <div class="col-md-4">
        <button class="btn btn-light btn-block" id="btnNumber_5" onclick="digitaCaracter('5')">9 ou 0</button>
        <input type="hidden" id="btnNumberVal_5" name="btnNumber[]" value="9,0" />
    </div>
    <div class="col-md-4">
        <a class="btn btn-light btn-block" onclick="removeCaracter()"><i class="fa fa-arrow-left"></i></a>
    </div>
</div>
</div> <!-- closes .password-keyboard -->

Each time you open the keyboard, the digits change:

// Fisher-Yates shuffle of the digits 0-9
// http://stackoverflow.com/questions/962802#962890
// Note: Math.random() is not a cryptographically secure generator;
// crypto.getRandomValues() is the CSPRNG browsers provide.
for (var array = [], i = 0; i <= 9; ++i) array[i] = i;
var tmp, current, top = array.length;
if (top) while (--top) {
    current = Math.floor(Math.random() * (top + 1));
    tmp = array[current];
    array[current] = array[top];
    array[top] = tmp;
}

// Give each of the five buttons two consecutive shuffled digits,
// both as the visible label and as the hidden "d1,d2" value posted with the form
var nmbArr = array;
for (var i = 0; i <= 4; i++) {
    $('#btnNumber_' + (i + 1)).html(nmbArr[i * 2] + ' ou ' + nmbArr[(i * 2) + 1]);
    $('#btnNumberVal_' + (i + 1)).val(nmbArr[i * 2] + ',' + nmbArr[(i * 2) + 1]);
}

The keyboard is working nicely:

The value being sent is being received normally. The "problem" is how I am going to compare the combinations with the user's password, which is stored as a bcrypt hash.

Does anyone have an idea of how I should validate these combinations? Will I have to check 64 times (2^6)???

    
asked by anonymous 10.04.2018 / 19:37
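The shuffle above runs in the browser and the resulting "d1,d2" pairs are posted back in the hidden `btnNumber[]` inputs, so the server has to trust whatever layout the client claims it was shown. The following is an added example, not code from the question: it generates the layout on the server with `random_int()` (a CSPRNG, unlike `Math.random()` or PHP's `shuffle()`), keeps it in the session for the login handler, and renders the five buttons with the same ids and `digitaCaracter(n)` calls as the original markup. The function name `gerarTeclado` and the session key `teclado` are my own choices.

```php
<?php
// Added example, not code from the original question: generate the keypad
// layout on the server with a CSPRNG and keep it in the session, so the
// server never has to trust the btnNumber[] values posted back by the browser.
declare(strict_types=1);

/**
 * Five [digit, digit] pairs covering 0-9 exactly once, in random order.
 * Fisher-Yates driven by random_int(); Math.random() in the browser and
 * PHP's shuffle() are not cryptographically secure generators.
 */
function gerarTeclado(): array
{
    $digitos = range(0, 9);
    for ($i = count($digitos) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$digitos[$i], $digitos[$j]] = [$digitos[$j], $digitos[$i]];
    }
    return array_chunk($digitos, 2);   // index 0..4 -> buttons 1..5
}

session_start();
$_SESSION['teclado'] = gerarTeclado();   // read back by the login handler

// Render the five buttons as in the original markup. Only the button number
// is typed into the password field; the server keeps its own copy of the
// digit pairs, so the hidden btnNumberVal_N inputs are no longer needed.
foreach ($_SESSION['teclado'] as $i => [$a, $b]) {
    $n = $i + 1;
    printf(
        '<button type="button" class="btn btn-light btn-block" id="btnNumber_%d" onclick="digitaCaracter(\'%d\')">%d ou %d</button>' . "\n",
        $n, $n, $a, $b
    );
}
```

With the layout held server-side, a login request only needs the sequence of button numbers; an attacker can no longer post a mapping of their own choosing and thereby pick exactly which 64 PINs each attempt tests.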

2 answers

2

If the final password is stored as a crypt hash, YES! Since it is impossible to decrypt it to analyze each character, you will have to hash every possible password and validate them.

But you can optimize this validation with SQL.

$senhasPossiveis = array(
    "sajEeYaHYyeSU",
    "saepDgtryRTsw",
    "saQ30SFLolsHo",
    "saIie8xFtO5cg",
    "saIie8xFtO5cg",
    "saepDgtryRTsw",
    "saepDgtryRTsw",
    "saIie8xFtO5cg",
    "saepDgtryRTsw",
    "saIie8xFtO5cg",
);

// $pdo is an assumed PDO connection; $email and the candidate hashes are bound
// as parameters instead of being concatenated into the SQL, so no injection
$sql = "SELECT senha, email FROM usuarios WHERE email = ? AND ( ";
foreach ($senhasPossiveis as $senha) {
    $sql .= "senha = ? OR ";
}
$sql  = substr($sql, 0, -3) . ")";   // drop the trailing "OR "
$stmt = $pdo->prepare($sql);
$stmt->execute(array_merge([$email], $senhasPossiveis));

In the end your query will look like this:

SELECT senha, email FROM usuarios WHERE email = '$email' AND ( 
senha = 'sajEeYaHYyeSU' OR
senha = 'saepDgtryRTsw' OR
senha = 'saIie8xFtO5cg' OR
senha = 'saepDgtryRTsw' OR
senha = 'sajEeYaHYyeSU' OR
senha = 'saIie8xFtO5cg' OR
senha = 'sajEeYaHYyeSU' OR
senha = 'saIie8xFtO5cg')

ALTERNATIVE

This solution is also good

You can use password_verify

// password_verify() handles crypt()-style hashes, bcrypt included
if (password_verify('12345', 'sajEeYaHYyeSU')) {
    echo 'Valid password';
} else {
    echo 'Wrong password';
}

Then you can do the SELECT in the database, retrieve the hashed password and check the combinations in PHP, without hashing password by password. I think it's better. You would need to run tests.

    
10.04.2018 / 20:26
2

As you did not answer, @Andrei Coelho, I managed to do it like this:

    // btnNumber[] holds the "d1,d2" pair shown on each button; split it into the two digits
    $arrComb = [];
    foreach ($request->btnNumber as $nr => $val) {
        $arrComb[$nr] = explode(",", $val);
    }

    // the password field holds the sequence of buttons pressed (one character per press)
    $senha = $request->senha;

    // each press can be either digit of its pair: 2^len bitmasks, zero-padded to len bits
    $max = (1 << strlen($senha));
    $arrAux = [];
    for ($i = 0; $i < $max; $i++) {
        $arrAux[] = str_pad(decbin($i), strlen($senha), '0', STR_PAD_LEFT);
    }

    // turn every bitmask into a concrete PIN: bit '0' takes the first digit of the pair, '1' the second
    $combs = [];
    foreach ($arrAux as $vals) {
        $nr = '';
        for ($posDig = 0; $posDig <= strlen($senha) - 1; $posDig++) {
            $idx = $senha[$posDig];                  // key of the pressed button in $arrComb
            $nr .= $arrComb[$idx][$vals[$posDig]];
        }
        $combs[] = $nr;
    }

    // check the possible combinations; $userPassword is the bcrypt hash stored for the user
    foreach ($combs as $value) {
        if (password_verify($value, $userPassword)) {
            return true;
        }
    }

    return false;

If anyone has any comments or improvements, they are welcome

    
10.04.2018 / 23:36
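Two things are worth making explicit about the answers above. The SQL "optimization" in the first answer cannot work for bcrypt: `password_hash()` draws a fresh random salt every time, so the same PIN produces a different hash string on every call and no equality comparison in the database can find it; only `password_verify()` against the stored hash works, which is what its alternative and the second answer do. Second, the handler in the second answer takes the layout from the request (`$request->btnNumber`) and returns on the first match. The following is an added example written for this page, not the code of either answer: it reads the layout from the session (as written by a server-side generator, assumed to store it under the key `teclado`), validates the input shape, enumerates the 64 candidates the same way the second answer does, and verifies all of them so the response time does not reveal which position matched. The function names `combinacoesPossiveis` and `validarSenhaTeclado` and the sample layout and PIN are constructed for the example.

```php
<?php
// Added example, not the original answer's code: verify a six-press keypad
// entry against the user's bcrypt hash, reading the layout from the session
// instead of from the request (so the client cannot choose its own mapping).
declare(strict_types=1);

/**
 * Expand a sequence of button numbers ("1".."5", e.g. "122344") into every PIN
 * it could stand for. Each button covers two digits, so 6 presses give 2^6 = 64
 * candidates. $teclado is [[d,d],[d,d],[d,d],[d,d],[d,d]], index 0..4 = button 1..5.
 */
function combinacoesPossiveis(string $botoes, array $teclado): array
{
    if (count($teclado) !== 5 || !preg_match('/^[1-5]{6}$/', $botoes)) {
        return [];                                   // malformed input: nothing to try
    }
    $n = strlen($botoes);
    $combs = [];
    for ($mask = 0; $mask < (1 << $n); $mask++) {    // one bit per press
        $pin = '';
        for ($pos = 0; $pos < $n; $pos++) {
            $botao = (int) $botoes[$pos] - 1;        // '1'..'5' -> index 0..4
            $pin  .= $teclado[$botao][($mask >> $pos) & 1];  // bit picks 1st or 2nd digit
        }
        $combs[] = $pin;
    }
    return $combs;
}

/**
 * True if any candidate matches the stored bcrypt hash. Every candidate is
 * verified (no early return), so the response time does not reveal which of
 * the 64 positions matched. Each password_verify() is a full bcrypt run, so
 * one attempt costs 64x a normal login: keep the per-account rate limit tight.
 */
function validarSenhaTeclado(string $botoes, array $teclado, string $hash): bool
{
    $ok = false;
    foreach (combinacoesPossiveis($botoes, $teclado) as $pin) {
        $ok = password_verify($pin, $hash) || $ok;   // verify first, then OR
    }
    return $ok;
}

// --- constructed sample data, not a real user record ---
$teclado = [[1, 8], [7, 2], [5, 4], [3, 6], [9, 0]];  // layout from the question's markup
$hash    = password_hash('172536', PASSWORD_BCRYPT); // what registration would store
// PIN 172536 on that layout is entered as buttons 1,2,2,3,4,4
var_dump(validarSenhaTeclado('122344', $teclado, $hash));
// last press is button 5 (9 or 0), so no candidate equals 172536
var_dump(validarSenhaTeclado('122345', $teclado, $hash));

// In the handler from the second answer this becomes:
// validarSenhaTeclado($request->senha, $_SESSION['teclado'], $userPassword)
```

Note the trade-off built into the scheme itself: any of the 64 PINs that share a button sequence with the real one is accepted, so each attempt effectively tests 64 PINs and the six-digit space shrinks to about 15,625 distinct attempts; the server-chosen, per-display random layout and a strict per-account attempt limit are what keep that number meaningful.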