nudj / nudj-backend

Nudj - Backend (Archive)

Investigate password storage server-side #4

Closed richardbuckle closed 8 years ago

richardbuckle commented 8 years ago

Pascal, could you please investigate how passwords are stored server-side from a security point of view.

The criterion should be that if the worst happens and the database gets stolen, it should still be impossible to recover any user's password. To that end, the password itself should never be stored, whether encrypted or not. Only a salted one-way hash, using a computationally expensive cryptographic hash such as scrypt should be stored.

If you've any questions please ask.

shtukas commented 8 years ago

Ok, so we have two kinds of users. The regular mobile apps users and the admins.

The regular users do not have a password per se. The server authenticates them using their phone number (or device number, I need to double check). In any case they do not have a password.

The admin users (e.g. Robyn) have a user name and a password (to log in to desk). The password is hashed by Laravel's own password hashing interface, which uses Bcrypt. It looks like this in the database: $2y$10$ZQo4xwwLcaWMnyzTK8LtXuiXg/SY23D1A80vF.1naNE2yqvEyiF3C (in particular, I cannot recover the previous devs' admin passwords). [Note that I will delete their accounts in the next few days.]

richardbuckle commented 8 years ago

bcrypt will do. Is the part after the dot in your example the cryptographic salt?

shtukas commented 8 years ago

Um....

The hashing is actually done by PHP's password_hash function. Laravel doesn't provide a salt to it, only the clear password. In such a case a salt is automatically generated by the CRYPT_BLOWFISH algorithm. The PHP documentation actually specifies that it is better to let the algo generate a salt.

The answer to your question, though, is that the dot is meaningless. Other admin passwords do not have it. The only constants are the prefix $2y$ (which means that we used a standard crypt()-compatible hash) and the length of the hash: 60 characters.

sources:
nudj's code: $admin->password = (string)Hash::make($request->password);
https://github.com/laravel/framework/blob/5.2/src/Illuminate/Hashing/BcryptHasher.php
http://php.net/manual/en/function.password-hash.php

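The two comments above settle the question by reading the PHP docs; the string layout can also be checked directly. The following is an added example, not code from the nudj repository or from Laravel: it parses the bcrypt string shtukas pasted into its fixed-width fields (version, cost, 22-character salt, 31-character digest) and decodes the salt and digest with bcrypt's own base64 alphabet. The field widths and the "./A-Za-z0-9" alphabet are properties of the bcrypt crypt() format; the minimum cost of 10 in check_policy is an assumed policy threshold, not something the thread specifies.

```python
import re

# Constructed sample input: the admin hash pasted in the comment above.
SAMPLE_HASH = "$2y$10$ZQo4xwwLcaWMnyzTK8LtXuiXg/SY23D1A80vF.1naNE2yqvEyiF3C"

# bcrypt uses its own base64 alphabet ("./A-Za-z0-9"), not the RFC 4648 one,
# so "." and "/" are ordinary data characters and carry no structural meaning.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Modular-crypt layout of a bcrypt string, 60 characters in total:
#   $<version>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_string):
    """Split a bcrypt crypt() string into its fields, or raise ValueError."""
    m = _BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),          # work factor: 2**cost key-setup rounds
        "rounds": 2 ** int(cost),
        "salt": salt,               # 22 chars -> 128-bit random salt
        "digest": digest,           # 31 chars -> 23 bytes of the Blowfish output
        "length": len(hash_string),
    }


def bcrypt_b64decode(text):
    """Decode bcrypt's unpadded base64: 6 bits per character, trailing bits dropped."""
    bits = 0
    nbits = 0
    out = bytearray()
    for ch in text:
        bits = (bits << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def check_policy(hash_string, min_cost=10):
    """Return a list of findings for a stored hash; an empty list means it looks healthy.

    min_cost=10 is an assumed threshold for this example, not a value from the thread.
    """
    findings = []
    try:
        info = parse_bcrypt(hash_string)
    except ValueError as exc:
        return ["unparseable: %s (is a plaintext or non-bcrypt value being stored?)" % exc]
    if info["version"] not in ("2b", "2y"):
        findings.append("legacy bcrypt variant $%s$, review the producing library" % info["version"])
    if info["cost"] < min_cost:
        findings.append("cost %d below minimum %d" % (info["cost"], min_cost))
    return findings


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_HASH)
    for key in ("version", "cost", "rounds", "salt", "digest", "length"):
        print("%-8s %s" % (key, info[key]))
    print("salt bytes   ", len(bcrypt_b64decode(info["salt"])))
    print("digest bytes ", len(bcrypt_b64decode(info["digest"])))
    print("findings     ", check_policy(SAMPLE_HASH))
```

Run against the pasted hash this gives salt ZQo4xwwLcaWMnyzTK8LtXu and digest iXg/SY23D1A80vF.1naNE2yqvEyiF3C: the dot Richard asked about sits inside the digest, not at a field boundary, and a hash without any dot is just as well formed. The cost field 10 means 1024 rounds of key setup; check_policy is the kind of check worth running over the admins table as a whole, since it also catches a row where something other than a bcrypt string ended up in the password column.
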
richardbuckle commented 8 years ago

Good, we are doing the right thing here. Thanks for investigating!