4

I'm converting an existing php based website to a node.js app, and I need to reproduce this encryption method from php to js.

private static $_passwordSalt = 'd2g6IOP(U(&§)%U§VUIPU(HN%V/§§URerjh0ürfqw4zoöqe54gß0äQ"LOU$3wer';
public static function getCryptedPassword($password = 'password') {
    return sha1(md5(self::$_passwordSalt.$password));
}

So far I've tried this but it does not return the same results:

UserSchema.methods.hashPassword = function(password) {
        var salt = 'd2g6IOP(U(&§)%U§VUIPU(HN%V/§§URerjh0ürfqw4zoöqe54gß0äQ"LOU$3wer'
        var md5Hash = md5(password + salt);
        var hash = sha1(md5Hash);
        return hash;
};
Andrew Lavers
David Nelband
  • 1
    For a start, you're doing `md5(salt, password)` in your PHP and `md5(password, salt)` in your JavaScript. – Ben Fortune Apr 01 '15 at 12:11
  • I've tried all the different combinations: md5(salt,password), md5(password,salt), sha1(md5,salt), sha1(salt,md5), but it still doesn't work – David Nelband Apr 01 '15 at 12:18
  • 1
    You shouldn't be using md5 or sha1 or any combination of the two to store passwords. In PHP the best way to store passwords is [password_hash()](http://php.net/password_hash) which (currently) uses bcrypt. Here's a node.js implementation of bcrypt: https://github.com/shaneGirish/bcrypt-nodejs – Mike Apr 07 '15 at 19:02
  • You know this is an awfully insecure way to work with passwords? A static salt is actually not a salt, and MD5 is way too fast to hash passwords; you can brute-force about [8 Giga MD5/s](http://hashcat.net/oclhashcat/#performance). You should use a slow hash function with a cost factor instead, see the [password_hash()](http://www.php.net/manual/en/function.password-hash.php) function. – martinstoeckli Apr 29 '15 at 08:38

5 Answers

3

Please try this:

var crypto = require('crypto');
var salt = 'd2g6IOP(U(&§)%U§VUIPU(HN%V/§§URerjh0ürfqw4zoöqe54gß0äQ"LOU$3wer'
var password = 'pass';

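// MD5 over salt + password (same order as the PHP code), hex-encoded
var hashMd5 = crypto.createHash('md5').update(salt + password).digest("hex");
// SHA-1 over the MD5 hex string
var hashSha1 = crypto.createHash('sha1').update(hashMd5).digest("hex");
console.log(hashSha1);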

Save this as the file hash.js.

And save this code as hash.php:

<?php

$_passwordSalt = 'd2g6IOP(U(&§)%U§VUIPU(HN%V/§§URerjh0ürfqw4zoöqe54gß0äQ"LOU$3wer';
$password = 'pass';

//echo md5("phinware");
echo sha1(md5($_passwordSalt.$password));
echo "\n";

And then execute both files:

  • > php hash.php
  • > node hash.js

My results:

both: 3cbd1242e8e510a16f39d7e0bfd18a0e03d0de3f

Ronald
1

php:

$a = 'a';
$b = 'b';
echo md5($a.$b);

is equal to this in node.js:

var crypto = require('crypto');
var a = 'a', b = 'b';
var md5 = crypto.createHash('md5');
// successive update() calls hash the concatenation a + b
md5.update(a, 'utf8');
md5.update(b, 'utf8');
console.log(md5.digest('hex'));
aGuegu
0

Try this using the crypto module:

var crypto = require('crypto');

UserSchema.methods.hashPassword = function(password) {
    var salt = 'd2g6IOP(U(&§)%U§VUIPU(HN%V/§§URerjh0ürfqw4zoöqe54gß0äQ"LOU$3wer';
    var hashStr = password + salt;
    var md5Hash = crypto.createHash('md5').update(hashStr).digest('hex');
    var sha1 = crypto.createHash('sha1').update(md5Hash).digest('hex');
    console.log(sha1); 
    return sha1;
};
rjmacarthy
  • Nope, this returns a string which has fewer characters, so I think it's wrong. I've tried to wrap this with the sha1 encryption but it's still wrong – David Nelband Apr 01 '15 at 12:46
0

You need to consider that a hash algorithm works on byte values, and you are using string values. This means that encoding will come into play here, and from what I know PHP uses latin1 by default, while node.js uses utf-8.

crypto.createHash('md5').update(hashStr, 'ascii').digest('hex')

I'm not sure if ascii only handles 7-bit ascii or actual extended charsets like latin1, but it seems to be the only one supported directly in the update() method. If you need to control the extended charset, you should create a Buffer from the correct encoding, and use that as the parameter to update() instead. The built-in support in node.js is rather limited:

Buffer.isEncoding = function(encoding) {
  switch ((encoding + '').toLowerCase()) {
    case 'hex':
    case 'utf8':
    case 'utf-8':
    case 'ascii':
    case 'binary':
    case 'base64':
    case 'ucs2':
    case 'ucs-2':
    case 'utf16le':
    case 'utf-16le':
    case 'raw':
      return true;

    default:
      return false;
  }
};

And you should consider using some other tool to convert it. This thread (List of encodings that Node.js supports) suggests using iconv or iconv-lite.

Of course, the same applies to SHA1, but since you are using SHA1 on a hex representation of an MD5, it would never fall out of 7-bit ascii (where latin1 and utf-8 would produce the same byte sequence).

Community
jishi
0

Here is the correct solution:

var md5 = require('MD5'),
    sha1 = require('sha1');

var salt = 'd2g6IOP(U(&§)%U§VUIPU(HN%V/§§URerjh0ürfqw4zoöqe54gß0äQ"LOU$3wer';
function hashPassword(password) {
    // same order as the PHP code: salt first, then password
    var hash = sha1(md5(salt+password));
    return hash;
}
David Nelband