I am trying to verify with PHP some passwords generated by Devise Ruby on Rails. Devise was configured to use bcrypt.
My code is:
$database_record = "$2a$10$..."; // bcrypt digest generated by Devise
$user_input = 'asdasd';
// Hash the input with a fixed salt (the salt string comes from the PHP crypt() docs)
$password = crypt($user_input, '$2a$10$usesomesillystringforsalt$');
// Hash the input again using the salt embedded in the stored digest, then compare
if (crypt($user_input, $database_record) == $password) {
    echo "<br/>Password verified!";
}
else {
    echo '<br/>failed!';
}
The documentation I saw uses this method, but it doesn't work for me. Am I forgetting something? Should the "pepper string" be used in any way? Thanks!
I'm confused about this part.
$password = crypt($user_input, '$2a$10$usesomesillystringforsalt$');
I think you got confused by a later part of the documentation specifying how to create a hash and guarantee that it's bcrypt. In your case, you're verifying a hash so it will automatically do that.
What you want to do is skip that and do:
if (crypt($user_input, $database_record) == $database_record) {
So if this works how I'd expect it to, crypt($user_input, $database_record) will take the salt from $database_record and use it to run bcrypt on $user_input. Then you want to compare the result to $database_record again since it's the bcrypt hash of the correct password.
Using PHP 5 >= 5.5.0
$pepper = 'xxxyyyzzz'; // value of config.pepper from config/initializers/devise.rb
$password = '12345678'; // cleartext password to validate
$db_pass = '***************************'; // bcrypt digest stored in the database ($2a$10$...)
// Devise hashes password . pepper. password_verify() reads the cost and salt
// out of $db_pass, accepts the "$2a$" prefix Devise writes, and compares in
// constant time. Comparing against password_hash() output cannot work:
// password_hash(PASSWORD_BCRYPT) always emits a "$2y$" prefix, so the string
// never equals a "$2a$" Devise digest, and its 'salt' option is deprecated
// since PHP 7.0 and ignored since PHP 8.0.
$ok = password_verify($password.$pepper, $db_pass);
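Both answers above describe the same mechanism: crypt()/password_verify() take the prefix, cost and salt from the stored digest, and Devise hashes the password with the pepper appended. The following is an added example (not code from the question or from either answer) that builds a Devise-style digest locally so it runs offline, then verifies it the way a PHP application should. The pepper value and the fixed salt are constructed for the example; a real pepper comes from config/initializers/devise.rb and Devise picks salts at random.

```php
<?php
// Added example, not code from the question or from either answer: verifying a
// Devise (Ruby on Rails) bcrypt digest from PHP. The pepper value and the salt
// below are constructed for the example. Requires PHP >= 5.6 (password_verify
// since 5.5, hash_equals since 5.6); crypt() has accepted the "$2a$" prefix
// since PHP 5.3.7.

// Value of config.pepper in config/initializers/devise.rb. Devise appends it to
// the cleartext password before calling bcrypt, so PHP must append it too. If
// the Rails app sets no pepper, use the empty string.
$pepper = 'example-pepper-from-devise-initializer'; // assumed value

// Simulates what Devise writes into the encrypted_password column:
// bcrypt(password . pepper) with the given cost and a 22-character salt drawn
// from the bcrypt alphabet [./A-Za-z0-9]. Devise picks the salt at random; it
// is fixed here only so the example is deterministic.
function devise_style_digest($password, $pepper, $salt22, $cost = 10) {
    $setting = '$2a$' . sprintf('%02d', $cost) . '$' . $salt22;
    $digest = crypt($password . $pepper, $setting);
    // crypt() reports failure with a short string such as "*0"; a bcrypt
    // digest is always 60 characters: $2a$ + 2-digit cost + $ + 22 salt + 31 hash.
    if (strlen($digest) !== 60) {
        throw new RuntimeException('crypt() could not produce a bcrypt digest');
    }
    return $digest;
}

// What the PHP side should do: password_verify() reads the prefix, cost and
// salt out of the stored digest (it understands $2a$, $2x$ and $2y$) and
// compares the result in constant time.
function verify_devise_password($user_input, $stored_digest, $pepper) {
    return password_verify($user_input . $pepper, $stored_digest);
}

// The same check done by hand with crypt(), as in the first answer, but with
// hash_equals() instead of == so the comparison does not leak timing.
function verify_with_crypt($user_input, $stored_digest, $pepper) {
    $recomputed = crypt($user_input . $pepper, $stored_digest);
    return hash_equals($stored_digest, $recomputed);
}

// Constructed stand-in for a row's encrypted_password value.
$stored = devise_style_digest('asdasd', $pepper, 'abcdefghijklmnopqrstuO');

var_dump(verify_devise_password('asdasd', $stored, $pepper)); // correct password
var_dump(verify_with_crypt('asdasd', $stored, $pepper));      // same check via crypt()
var_dump(verify_devise_password('wrong!', $stored, $pepper)); // wrong password
var_dump(verify_devise_password('asdasd', $stored, ''));      // pepper forgotten

// What does NOT work: rebuilding the digest with password_hash() and comparing
// strings. password_hash(PASSWORD_BCRYPT) always emits the "$2y$" prefix while
// Devise stores "$2a$", so the two strings can never be equal even when the
// password, pepper, cost and salt all match.
$rehashed = password_hash('asdasd' . $pepper, PASSWORD_BCRYPT, array('cost' => 10));
var_dump(substr($rehashed, 0, 4) === substr($stored, 0, 4)); // "$2y$" vs "$2a$"
```

Run it with `php verify.php`: the first two checks succeed, the wrong-password and missing-pepper checks fail, and the last line shows the prefix mismatch that defeats any `==` comparison against fresh password_hash() output. The missing-pepper case is the one the question runs into: the stored digest is bcrypt over the password plus the Rails pepper, so a PHP check that hashes the bare password can never match.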