
I have the following code, where the user password consists of a Blowfish secret plus the user's own password.

The hash is a different one (not of the secret and the password!!), but I still get true as the result:

<?php
## password (secret + userpass), 95 characters in total
$pass = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVdetest';

## hash
$hash = '$2y$10$9VGEg7HamRVDILsFV5dvJu3l5.Psfk4g6N8.Jcn6/gMhoZIKDLAAm';

## verify
$check = password_verify($pass, $hash);

## check
if (true === $check) {
    var_dump($check);
} else {
    echo "false";
}
?>

I have read a lot and think it can be a problem of the length! The algorithm is limited to 72 chars. For more security, we have a login with a Blowfish secret. While hashing, we chain Blowfish secret + user password into one big password, then hash it. While logging in we chain the Blowfish secret and user password again and verify. The result of this is a big password which is hashed in the DB.

  • And why do you have the "following code"? What practical value does it have? Commented Aug 22, 2023 at 8:06
  • Does this answer your question? password_hash returns different value every time Commented Aug 22, 2023 at 8:07
  • The code is an example; while I created a login, I won't show the whole script. I have read a lot and think it can be a problem of the length! The algorithm is limited to 72 chars. For more security, we have a login with a Blowfish secret. While hashing, we chain Blowfish secret + user password into one big password, then hash it. While logging in we chain the Blowfish secret and user password again and verify. The result of this is a big password which is hashed in the DB. Commented Aug 22, 2023 at 8:13
  • Did you use password_hash with the PASSWORD_BCRYPT option? As per php.net/manual/en/function.password-hash.php that will indeed truncate the password to 72 characters. Demo: 3v4l.org/Y2pTX . If you want very long passwords, I suggest using a different algorithm which doesn't have this issue. Commented Aug 22, 2023 at 8:20
  • "there is no info about the limit"... there is - it's clearly mentioned in php.net/manual/en/… Commented Aug 22, 2023 at 8:31

2 Answers

2

Did you use password_hash with the PASSWORD_BCRYPT option (or with PASSWORD_DEFAULT, since Bcrypt is currently the default algorithm)? As per the PHP documentation for password_hash, that will indeed truncate the password to 72 characters.

Example of the issue:

<?php
// the full 95-character password that gets hashed
$pass = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVdetest';
// only the first 72 characters of $pass
$pass2 = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQ';

$hash = password_hash($pass, PASSWORD_DEFAULT);

echo $hash.PHP_EOL;

// the truncated password verifies against the hash of the full one: bool(true)
var_dump(password_verify($pass2, $hash));

Live demo: https://3v4l.org/Y2pTX .

If you want very long passwords, I suggest using a different algorithm which doesn't have this issue. Either that, or don't use the extra blowfish salt (which shouldn't be necessary), or at least reduce its length.

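An added example (not code from the question or either answer) that shows why the original check succeeded and how to keep the Blowfish secret without running into bcrypt's 72-byte limit; `$secret`, `$userPass`, `assert_bcrypt_fits` and `prehash` are constructed names, and it assumes a PHP build with the silently truncating bcrypt behaviour the question's demo shows:

```php
<?php
// Added example, not from the question or answers.
// $secret and $userPass are constructed sample values.

const BCRYPT_MAX_BYTES = 72; // bcrypt only uses the first 72 bytes of its input

$secret   = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVd'; // 91 bytes
$userPass = 'test';

// 1. Plain concatenation (the question's approach): the secret alone already
//    fills the first 72 bytes, so the user's password has no effect at all
//    and any password verifies against the stored hash.
$hash = password_hash($secret . $userPass, PASSWORD_BCRYPT);
var_dump(password_verify($secret . 'completely-different', $hash)); // bool(true)

// A guard that refuses to hash anything that would be silently truncated.
// strlen() counts bytes, which is what bcrypt limits; multi-byte UTF-8
// characters therefore use up the budget faster than their character count.
function assert_bcrypt_fits(string $input): void
{
    if (strlen($input) > BCRYPT_MAX_BYTES) {
        throw new LengthException('bcrypt input exceeds 72 bytes and would be truncated');
    }
}

// 2. Pre-hash with HMAC-SHA-256 keyed by the secret and base64-encode the
//    32-byte result (44 bytes, always under the limit, and no NUL bytes, which
//    bcrypt would treat as the end of the string). The secret now acts as a
//    real pepper instead of displacing the user's password.
function prehash(string $secret, string $userPass): string
{
    return base64_encode(hash_hmac('sha256', $userPass, $secret, true));
}

$input = prehash($secret, $userPass);
assert_bcrypt_fits($input);
$hash2 = password_hash($input, PASSWORD_BCRYPT);
var_dump(password_verify(prehash($secret, $userPass), $hash2));              // bool(true)
var_dump(password_verify(prehash($secret, 'completely-different'), $hash2)); // bool(false)

// 3. Argon2id (when PHP is built with it) has no 72-byte limit, so the
//    concatenated form keeps the whole input.
if (defined('PASSWORD_ARGON2ID')) {
    $hash3 = password_hash($secret . $userPass, PASSWORD_ARGON2ID);
    var_dump(password_verify($secret . 'completely-different', $hash3));     // bool(false)
}
```

Whichever variant is chosen, the same transformation has to be applied at registration and at login, and existing hashes made with the plain concatenation have to be re-hashed when the user next logs in.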

-2

Please use password_hash() for generating the hash of the password, then use this hash in the password_verify() function.

<?php
$pass = "secret_password";

$hash = password_hash($pass, PASSWORD_DEFAULT); // please use this for generating the hash

## verify
$check = password_verify($pass, $hash);

## check
if (true === $check) {
    var_dump($check);
} else {
    echo "false";
}
?>

1 Comment

I used this... $cpass = password_hash($bfs.$pass, PASSWORD_DEFAULT); But we still chain a Blowfish secret with the user password and hash this. And that could be the problem, since we are crossing a certain algorithm limit.
