I prefer to use qpdf, as it’s easy to install via brew on macOS too, while pdftk isn’t.
qpdf --password="$PASS" --decrypt "$INPUT_PDF" "clear_$INPUT_PDF"
Original article: link
As nobody would store plain-text passwords in a database, I’d like to write a short memo on how to encrypt passwords so that they can be safely stored in our databases.
The first concept is hashing. In brief, we use a function that takes a string as input (i.e. our plain-text password) and produces an output that is different for each input string, with no possibility of reversing the process. A once-popular hashing algorithm was MD5, which is now believed not to be secure enough. Better alternatives include SHA-2 and Blowfish. In PHP we have this function to hash:
$hashedString = hash('sha256', $inputString); // SHA-256 is a member of the SHA-2 family
The second concept is salting. Although it is almost impossible to guess a password from its hash, it is possible to pre-compute millions of hashes and use this database to look up the hidden password. This approach is referred to as rainbow tables. To avoid this, the trick is to encrypt (hash) the string together with some further text. This is salting.
The simplest form of salting is to encrypt a string like ‘this is the salt for a {$string}’, but if the salt is stored somewhere it is also possible to find it; moreover, if a single user uses a weak password and the hacker somehow cracks it, he will also be able to use the same salt for any other password. In PHP we use the hash() function only to check the integrity of content, not to encrypt passwords, as we have a dedicated one:
$hashedPassword = crypt($password, $salt);
The salt parameter is slightly more complex than a bunch of chars though…
The crypt() function requires a salt that includes a format string, indicating both the algorithm (I use 2y for Blowfish) and the cost (higher = stronger) of the process:
$password = 'myPassword';
$hash_format = '$2y$10$'; // 2y=blowfish; 10=cost of algorithm
$salt = "ThisIsMyLong1234567890Salt"; // has to be >= 22 chars from ./A-Za-z0-9; crypt() uses the first 22
echo 'Salt size: ' . strlen($salt);
$format_and_salt = $hash_format . $salt;
$hash = crypt($password, $format_and_salt);
Given that the “salt” contains the format as well, we can compare hashes like this:
if (hash_equals($hashed_password, crypt($user_input, $hashed_password))) {
echo "Password verified!";
}
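The salting paragraphs above warn that one salt shared by every password lets a single cracked password help with all the others. The following is an added example, not code from the original article (function names are hypothetical, PHP 7+ is assumed for random_bytes()): it draws a fresh random salt for each password, so two users with the same password end up with different stored hashes, and each hash still verifies on its own.

```php
<?php
// Added example, not code from the original article.
// Function names are hypothetical; assumes PHP 7+ (random_bytes, type hints).

// Build the salt argument for crypt(): "$2y$" + two-digit cost + "$" +
// 22 characters from bcrypt's salt alphabet ./A-Za-z0-9.
function make_bcrypt_salt(int $cost = 10): string
{
    // 16 random bytes base64-encode to 24 chars ending in "==", so the first
    // 22 are usable. base64 emits '+', which bcrypt does not accept: map to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return '$2y$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $salt;
}

function hash_password(string $password): string
{
    $hash = crypt($password, make_bcrypt_salt());
    // On a bad salt crypt() returns a short failure marker, not a 60-char hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

function verify_password(string $input, string $stored): bool
{
    // The stored hash begins with its own format, cost and salt, so it is
    // passed back to crypt() as the salt; hash_equals() is constant-time.
    return hash_equals($stored, crypt($input, $stored));
}

// Constructed sample data: two users who chose the same weak password.
$alice = hash_password('123456');
$bob   = hash_password('123456');

var_dump($alice === $bob);                    // are the stored hashes identical?
var_dump(verify_password('123456', $alice));  // correct password, Alice's record
var_dump(verify_password('123456', $bob));    // correct password, Bob's record
var_dump(verify_password('654321', $alice));  // wrong password
```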
A quicker way (than this) to set up a password-less login to a server via SSH:
ssh-keygen -t rsa
(When prompted for a password, leave it blank). Then:
cat ~/.ssh/id_rsa.pub | ssh username@hostname 'cat >> .ssh/authorized_keys'
It should be noted that the first step is needed only the first time. Then you can repeat the second command for every other server.
Update: For the impatient people:
ssh-keygen -t rsa && ssh-copy-id -i ~/.ssh/id_rsa.pub username@hostname
It’s handy to log into our machine and then be able to access all the machines on our network (or even remote machines) via SSH, without having to enter the password each time. We can avoid manual authentication by generating an authentication key on our machine, and then adding that key to the list of authorized keys on the remote machines.
Of course this gives our computer a lot of power: we need to take extra care in protecting it…
Generally speaking this is a two-step procedure:
STEP1: generate your authentication key
$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/utente/.ssh/id_rsa): (hit ENTER)
Created directory '/home/utente/.ssh'.
Your identification has been saved in /home/utente/.ssh/id_rsa.
Your public key has been saved in /home/utente/.ssh/id_rsa.pub.
The key fingerprint is:
90:98:4f:f5:69:39:57:5d:46:83:a4:a2:d6:63:3c:25
STEP2: import your auth file in the remote server
Then you have to append the file you just created locally to the authorized_keys file (it’s in your .ssh directory) on the remote server.
First scp the file to your remote home, then append it… easy?
$ scp ~/.ssh/id_rsa.pub user@remotehost:
$ ssh user@remotehost
$ cat id_rsa.pub >> .ssh/authorized_keys
$ rm id_rsa.pub