PHP Password_Hash and Password_Verify Issues No Match

php password_hash and password_verify issues no match

The problem with your code is that you are using the double quotation marks " instead of the single quotation marks ' when dealing with your hash.

When assigning:

$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";

It's making PHP think you have a variable called $2y, another one called $10, and finally a third one called $fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e, which obviously isn't the case.

I noticed when turning on error reporting that the error:

Notice: Undefined variable: fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e

was being thrown by PHP.

Replace all your double quote marks with single quote marks to fix.

E.g.

$hash = '$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e';

This treats the whole hash as a literal string instead of a string with embedded variables.
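As an added example (not code from the answer above), the script below shows what a hash literal looks like after double-quote interpolation and adds a small pre-check with password_get_info() that catches a mangled hash before password_verify() silently returns false. The good hash is generated at runtime so the script is self-contained; the mangled value is constructed to mirror what the double-quoted literal produces once the undefined variable has been interpolated away.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer.
// A bcrypt hash from password_hash() is always exactly 60 characters and
// starts with "$2y$"; anything else stored in the hash column is a bug.
function assertLooksLikeBcrypt(string $hash): void
{
    $info = password_get_info($hash);
    if ($info['algoName'] === 'unknown' || strlen($hash) !== 60) {
        throw new RuntimeException(
            'Stored value is not a bcrypt hash: ' . var_export($hash, true)
        );
    }
}

$plain = 'correct horse battery staple';

// Single-quoted (or runtime-generated) hash: stored untouched.
$good = password_hash($plain, PASSWORD_BCRYPT);
assertLooksLikeBcrypt($good);
var_dump(password_verify($plain, $good)); // bool(true)

// Double-quoted "$2y$10$fXJ..." interpolates "$fXJ..." as an undefined
// variable, so only the prefix survives. Constructed here to show the result
// without triggering the notice.
$mangled = '$2y$10$';
var_dump(password_verify($plain, $mangled)); // bool(false), with no hint why

try {
    assertLooksLikeBcrypt($mangled);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // points straight at the broken literal
}
```

Running the check on every value read back from the database turns a silent "no match" into an explicit error that names the bad value, which is usually enough to spot the quoting problem.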

php password_hash and password_verify looked all over still doesn't work

Store the hash

Have you checked that agent_password is storing a hash generated by:

password_hash( $password, PASSWORD_DEFAULT );

Check PDO standards

Probably has no effect, but it is worth following standards for the different implementations of bindParam. If you're using the ? method, then:

$s->bindParam( 1, $username ); // PDO: positional ? placeholders are 1-indexed

There are several odd implementations of PDO in your script, try adjusting:

$s->execute();

//$hash = $s->get_result();
//$hash = $hash->fetch_array( MYSQLI_ASSOC );
$hash = $s->fetchColumn();

Change subsequent calls of $hash['agent_password'] to just $hash instead.

Test Basic Operation

Test the following:

// $password = $_POST["password"];
$password = "password";

Then, also try storing that hash, and retrieving it again, from mysql, prior to the final verify step.

Finally

I deeply suspect that what is stored in agent_password is not in fact a password hashed with password_hash.

password_verify not matching after writing to database

I simulated your code without database and form fetching, and it runs ok. It means there's something wrong either with your database or with your POST fields.

// New user - add them to database
echo "Creating your account. <br>";
$pwd = '12345';
//$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$password = password_hash($pwd, PASSWORD_BCRYPT);
echo $password . '<br>';

$dbpwd = $password;

echo $dbpwd . '<br>';
if (password_verify(trim($pwd), $dbpwd)) {
    echo 'Match<br>';
} else {
    echo 'Match failed<br> ';
}

Output:

Creating your account.
$2y$10$iw6fSApO7Ok0ySZ.OsQqbe.DpVrvzJ86ZYIsWYg5060hyXbBYEiee
$2y$10$iw6fSApO7Ok0ySZ.OsQqbe.DpVrvzJ86ZYIsWYg5060hyXbBYEiee
Match

Use var_dump on your hashed $password var before the INSERT, then again with your $dbpwd after the SELECT and see if you get anything wrong. Also, check your PHP project scripts and your database schema for conflicting charset definitions.
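The two answers above ("Store the hash" / "Check PDO standards" and the var_dump suggestion) describe one procedure: hash on registration, insert, select the column back, and only then verify. The following is an added example, not code from either answer, that carries the whole round trip through PDO. It uses an in-memory SQLite database so it runs stand-alone; swap the DSN for your MySQL one. The table name agents and the username column are assumptions; agent_password is the column named in the question.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answers. In-memory SQLite stands in
// for MySQL so the script is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE agents (username TEXT PRIMARY KEY, agent_password TEXT NOT NULL)');

function registerAgent(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $s = $db->prepare('INSERT INTO agents (username, agent_password) VALUES (?, ?)');
    $s->bindValue(1, $username);
    $s->bindValue(2, $hash);
    $s->execute();
}

function fetchStoredHash(PDO $db, string $username): ?string
{
    $s = $db->prepare('SELECT agent_password FROM agents WHERE username = ?');
    $s->bindValue(1, $username);
    $s->execute();
    $hash = $s->fetchColumn(); // one column -> plain string, not $hash['agent_password']
    return $hash === false ? null : (string) $hash;
}

function loginAgent(PDO $db, string $username, string $password): bool
{
    $stored = fetchStoredHash($db, $username);
    if ($stored === null) {
        return false; // unknown user
    }
    // What came back must be exactly what password_hash() produced. If the
    // column is too short or a charset conversion touched it, this fails here
    // with the offending value shown, instead of a silent "no match".
    if (password_get_info($stored)['algoName'] === 'unknown') {
        var_dump($stored);
        throw new RuntimeException('agent_password does not hold a password_hash() result');
    }
    return password_verify($password, $stored);
}

registerAgent($db, 'alice', 'correct horse battery staple');
var_dump(loginAgent($db, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(loginAgent($db, 'alice', 'wrong password'));               // bool(false)
var_dump(loginAgent($db, 'nobody', 'anything'));                    // bool(false)
```

If this passes against SQLite but fails against your real database, the difference is in the schema or connection (column length, charset, trimming), which is exactly where the var_dump comparison above tells you to look.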

PHP password_hash and password_verify weird issue not verifying

You've got an extra dollar sign here:

return password_hash($this->$password, PASSWORD_BCRYPT);

You've accidentally made a variable variable. Do this instead:

return password_hash($this->password, PASSWORD_BCRYPT);

Note your code should be generating a PHP warning that points directly to the issue. So... don't disable those.

Issue with password_hash and password_verify, always returning true in one case, false in another

I found out where my mistake was:

I had this database-connection.php file :

$host = 'localhost';
$dbname = 'japonwebsite';
$user = 'root';
$password = 'mysql';

try {
    $database = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8", $user, $password);
} catch (Exception $e) {
    die('Erreur : ' . $e->getMessage());
}

I include this file on all the pages where I need to connect to the database, so I have it included on the page that adds users to the database and the one that verifies login.

Thing is, on both of those pages, I was doing $password = $_POST['password']; to store in a variable the password entered by the user on the sign-in or sign-up form.

After that, I was doing include('database-connection.php'); to connect to the database. So $password was always equal to mysql, because I also have a variable $password in database-connection.php. So I was always adding the hash of "mysql" to the database, and always verifying that the hash in the database was equal to "mysql", so it was always true. I just renamed the variable $password in database-connection to fix it!

PHP password_hash and password_verify incorrect false positive?

As MarkBaker already mentioned in his comment, this is a limitation of the BCrypt algorithm, which truncates passwords to 72 characters. For passwords this is more than enough and not a security problem, but in your case it seems you reach this limit because you want to add a pepper.

Never should a password be truncated because of adding a pepper. A pepper can increase the security of weak passwords. Assuming that the pepper is of reasonable size, passwords which reach the limitation are very strong, and for those passwords a pepper is not necessary. So if you put the pepper at the end, you lose a part of the pepper, which is better than losing a part of the password.

That said, there are much better ways to add a pepper. You get the same benefits from encrypting (two-way) the hash with a server-side key. This key is actually similar to the pepper, but you have the advantage that you can exchange the key whenever this seems necessary (a pepper becomes part of the password and cannot be changed until the next login). I tried to explain this at the end of my tutorial about safely storing passwords. If encryption is not an option for you, then at least use an HMAC to combine the pepper with the password.
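As an added example (not code from the answer above), the script below reproduces the false positive: bcrypt only consumes the first 72 bytes of its input, so with the pepper appended, two passwords that agree on their first 72 bytes verify against each other's hash. It then shows the HMAC construction the answer recommends, where bcrypt always receives a fixed-length HMAC that covers the whole password and the pepper. The pepper value is a constructed placeholder; the two-way encryption variant the answer also mentions is not shown.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. PEPPER is a constructed
// placeholder; a real pepper lives outside the database (config, env, KMS).
const PEPPER = 'constructed-example-pepper-do-not-reuse';

// The pattern from the question: pepper concatenated onto the password.
function hashWithPepperAppended(string $password): string
{
    return password_hash($password . PEPPER, PASSWORD_BCRYPT);
}

function verifyWithPepperAppended(string $password, string $hash): bool
{
    return password_verify($password . PEPPER, $hash);
}

// The answer's recommendation: HMAC the password with the pepper first.
// The bcrypt input is then a 64-character hex digest, so it is never
// truncated and every byte of the password influences it.
function hashWithHmacPepper(string $password): string
{
    return password_hash(hash_hmac('sha256', $password, PEPPER), PASSWORD_BCRYPT);
}

function verifyWithHmacPepper(string $password, string $hash): bool
{
    return password_verify(hash_hmac('sha256', $password, PEPPER), $hash);
}

// Two passwords that share their first 72 bytes and differ only afterwards.
$pw1 = str_repeat('a', 72) . 'ONE';
$pw2 = str_repeat('a', 72) . 'TWO';

$h = hashWithPepperAppended($pw1);
var_dump(verifyWithPepperAppended($pw2, $h)); // bool(true): false positive,
                                              // tail and pepper never reached bcrypt

$h = hashWithHmacPepper($pw1);
var_dump(verifyWithHmacPepper($pw2, $h));     // bool(false)
var_dump(verifyWithHmacPepper($pw1, $h));     // bool(true)
```

Note that the first variant fails even without a pepper for passwords longer than 72 bytes; the pepper merely makes the limit reachable for shorter ones, which is what the question ran into.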
