Comparing passwords with crypt() in PHP
The following code example may answer your questions.
To generate hashed password using Blowfish, you first need to generate a salt, which starts with $2a$ followed by iteration count and 22 characters of Base64 string.
$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt('rasmuslerdorf', $salt);
Store the whole $digest in the database; it has both the salt and the digest.
When comparing the password, just do this:
if (crypt($user_input, $digest) == $digest) {
    // password matches the stored digest
}
You are reusing the digest as the salt. crypt knows how long the salt is from the algorithm identifier.
PHP Crypt() Compare two crypted strings
Just check the PHP Manual on crypt. The example clearly states how you can validate the password (so how to compare).
<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated (note: since PHP 8.0 the salt argument is required, so this call must be given a salt on current PHP)
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
?>
You can (of course) compare two hashed passwords directly (as they are both strings), but they are just not guaranteed to be equal.
Just be careful that crypt may not be "very" secure. Read more at Secure hash and salt for PHP passwords and see the PHP manual entry about password hashing: http://php.net/faq.passwords - that should get you started.
I can't compare password from my database and the one inputted
I don't know what to say that will add more detail than what everyone else has already said...
So, in modern day hash/unhashing algorithms it would be unsafe to store passwords using standard hashing functions (e.g. MD5 / SHA256) as it is quick and easy to unhash this type of entry.
password_hash() as referenced in other answers and comments should be your #1 way to safely store passwords, as it uses a one-way hashing algorithm.
You should read this page!
And then in response to your original question, use the hash_equals() function to compare passwords.
Comparing two encrypted string with blowfish - php
Simply pass the user input from the form into the crypt function, with the hash in the database.
For example:
<?php
if (crypt($passwordFromPost, $hashedPasswordInDb) == $hashedPasswordInDb)
{
// User has been authenticated
}
Comparing hash value of password in PHP
EDIT:
I see now that you are using a salt when you compare the passwords. In your line:
$pwdhash = crypt($pwdtocheck, $hash);
the $hash variable has the salt prepended to it because crypt() will automatically do that for you. crypt() will extract the salt from the $hash because it knows the expected length of the salt based on the algorithm used. See the documentation.
I'll keep my original answer below for context and for those looking for a similar answer.
END EDIT
The password is not the same for you because you are using a salt when you originally hash the password to put in your database, but you are not salting the password later when you check against the database.
You should use the same salt string when you save the password as when you check the user's password on login. Usually, you will randomly generate the salt string for each password (as you are doing) and then save the salt string to the database along with the hashed password (either in the same column or its own column) so that you can use the same salt to check the user's password on login.
See https://crackstation.net/hashing-security.htm#salt for reference.
PHP crypt(), UPDATE and Comparisons
There is a much easier way to solve the problem:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
The algorithm MD5 is not a good choice to protect passwords because it is designed to be fast and can be brute-forced too easily.
Storing the password/hash in the session is not very helpful. If you know it is the same user, you know whether he is already logged in; just store an indicator in the session like $_SESSION['is_logged_in'] or just the username $_SESSION['username'].
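An added example, not code from any of the answers above, that ties together the hash_equals() advice and the password_hash()/password_verify() answer: it verifies a login against a legacy crypt()-style bcrypt hash in constant time and reports when the stored row should be re-hashed at the current cost. CURRENT_COST, the function names and the sample hash are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example (not from any answer above). Verifies a login against a
// stored bcrypt hash in constant time and tells the caller whether the row
// should be re-hashed with password_hash() at the current cost policy.
// The sample hash built at the bottom is constructed, not a real DB value.

const CURRENT_COST = 12; // assumed site policy for newly stored bcrypt hashes

/**
 * Constant-time check of $userInput against $storedHash. crypt() re-derives
 * the salt and cost from the stored hash, so comparing with == works but
 * leaks timing; hash_equals() compares without depending on matching bytes.
 */
function verifyLegacyCryptHash(string $userInput, string $storedHash): bool
{
    $computed = crypt($userInput, $storedHash);
    // crypt() yields a short failure string ('*0' or '*1') for a malformed
    // salt; hash_equals() then returns false on the length mismatch.
    return hash_equals($storedHash, $computed);
}

/**
 * Returns [ok, newHash]. newHash is non-null when the caller should replace
 * the stored row: password_needs_rehash() flags a hash whose algorithm id
 * is not '$2y$' (e.g. an old '$2a$' crypt() hash) or whose cost differs
 * from CURRENT_COST.
 */
function checkLoginAndUpgrade(string $userInput, string $storedHash): array
{
    if (!verifyLegacyCryptHash($userInput, $storedHash)) {
        return [false, null];
    }
    $needsUpgrade = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => CURRENT_COST]);
    // Only the plaintext just verified is available for re-hashing.
    $newHash = $needsUpgrade ? password_hash($userInput, PASSWORD_BCRYPT, ['cost' => CURRENT_COST]) : null;
    return [true, $newHash];
}

// Constructed sample: a cost-7 hash a legacy login system would have stored via crypt().
// The 22-char salt uses the bcrypt alphabet (./A-Za-z0-9), so '+' from base64 is mapped to '.'.
$legacyHash = crypt('correct horse', '$2y$07$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22));
[$ok, $upgrade] = checkLoginAndUpgrade('correct horse', $legacyHash);
var_dump($ok, $upgrade !== null);   // correct password; cost 7 < 12 so an upgrade hash is returned
[$ok, $upgrade] = checkLoginAndUpgrade('wrong password', $legacyHash);
var_dump($ok, $upgrade);            // failed login; no hash is produced
```

On a successful login the caller writes $upgrade back to the user's row, so old crypt() hashes migrate to the current cost without a forced password reset.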