 

How to verify password against database?

Tags:

php

hash

I went through many articles related to this topic, such as this:

Using PHP 5.5's password_hash and password_verify function

Yet, I'm unsure if I'm hashing and salting the correct way or overdoing it!

I want to use my own salt and then hash. Both the salt and the hashed password are stored in the database in two different fields.

This is how I hash the password before storing it in the database:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;

//shall I remove this line and replace below PASSWORD_DEFAULT  with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);

$hash = password_hash($password, PASSWORD_DEFAULT);

Given that, I'm trying to verify the password as below. Somehow I feel that I'm complicating the process.

$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password

$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);


if (password_verify($password, $newhash)) {
    echo "verified";
} else {
    echo "Not verified";
}

EDITED:

Now I store like this:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);

But the verification is confusing:

$email = "[email protected]";
$uid= '555ca83664caf';
$sql = "SELECT * FROM authsessions WHERE email = :myemail AND useruuid = :uid";

$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
    echo "salt ".$row['salt']."<br/><br/>";
    echo "hashpassword ".$row['hashpword'];
}

$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";

$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);


if (password_verify($newhash, $hashAndSalt)) {
    echo "verified";
} else {
    echo "Not verified";
}

It echoes "Not verified".

sherly asked May 20 '15 09:05



1 Answer

The function password_hash() is just a wrapper: internally it generates a cryptographically safe salt and then calls the crypt() function to calculate the BCrypt hash.

So there is no reason to do the same steps yourself (do not call crypt() and do not generate a salt). Generating your own salt is not recommended, because you cannot do it better than the password_hash() function does. Also there is no reason to store the salt in a separate DB column; it is already part of the resulting hash value.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
martinstoeckli answered Oct 14 '22 08:10
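The full store-and-check flow the answer describes, as an added example that is neither the asker's nor the answerer's code. It assumes a hypothetical `users` table with `email` and `hashpword` columns and uses an in-memory SQLite database (the `pdo_sqlite` extension) in place of the asker's MySQL database so that it runs offline; only the DSN would differ for MySQL. It also shows, by slicing the stored string, that the salt and cost the asker wanted to keep in a separate column are already inside the bcrypt hash.

```php
<?php
// Added example, not the asker's or the answerer's code: the register/login
// flow the answer describes, using only password_hash() and password_verify().
// Assumptions for the illustration: a `users` table with `email` and
// `hashpword` columns, and an in-memory SQLite DB (pdo_sqlite) standing in
// for the asker's MySQL database; only the DSN would change for MySQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// One column is enough: the bcrypt string carries algorithm, cost and salt.
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, hashpword TEXT NOT NULL)');

// 10 is PHP's default cost; raise it until one hash takes roughly 100 ms on
// your login server.
const BCRYPT_OPTIONS = ['cost' => 10];

function registerUser(PDO $pdo, string $email, string $password): void
{
    // No hand-rolled salt and no crypt() call: password_hash() draws a
    // random salt from the OS CSPRNG and embeds it in the returned string.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (email, hashpword) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $pdo, string $email, string $password): bool
{
    // A fixed dummy hash is verified for unknown e-mails so that the response
    // time does not reveal whether an account exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, BCRYPT_OPTIONS);

    $stmt = $pdo->prepare('SELECT hashpword FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stored = ($row !== false) ? $row['hashpword'] : $dummyHash;

    // password_verify() re-derives the hash from the entered password plus the
    // salt and cost it reads out of $stored, then compares in constant time.
    $ok = password_verify($password, $stored);
    if (!$ok || $row === false) {
        return false;
    }

    // Because the cost is stored with the hash, an increased BCRYPT_OPTIONS
    // cost can be rolled out transparently at the user's next login.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET hashpword = :hash WHERE email = :email');
        $upd->execute([
            ':hash'  => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
            ':email' => $email,
        ]);
    }
    return true;
}

// Constructed demo data.
registerUser($pdo, 'user@example.com', 'pwtester');

// Show what actually went into the column: "$2y$10$" + 22-char salt + 31-char hash.
$hash = $pdo->query('SELECT hashpword FROM users')->fetchColumn();
printf("stored: %s\nprefix: %s\nsalt:   %s\n", $hash, substr($hash, 0, 7), substr($hash, 7, 22));
print_r(password_get_info($hash));

var_dump(loginUser($pdo, 'user@example.com', 'pwtester'));
var_dump(loginUser($pdo, 'user@example.com', 'wrong-password'));
var_dump(loginUser($pdo, 'nobody@example.com', 'pwtester'));
```

The three login calls return true, false and false respectively: the right password for a known user, a wrong password, and an unknown e-mail (which still costs one bcrypt verification so that failures take the same time). Two caveats worth knowing when choosing PASSWORD_BCRYPT explicitly: bcrypt only uses the first 72 bytes of the password, and PASSWORD_DEFAULT may map to a different algorithm in a future PHP release, which is exactly what password_needs_rehash() is there to absorb.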