I'm using phpass's bcrypt functionality to hash a password on my site. Now, it wouldn't really work. Trying to compare with the CheckPassword function wouldn't work. I did a lot of debugging of every string coming out of every function I used to decrypt the hashes and came to the conclusion that the hash generated by bcrypt is pretty random. So, the newly generated hash of the plaintext password would never match the one in my database. Is that true? If so, how the hell do I make it work? The source code is rather simple.

// when creating user 
<db insert code>$hash->HashPassword($_POST['password']);

// when logging in
return $hash->CheckPassword($user->password, $_POST['password']);
  • Are these two lines of code being run on the same server? phpass will automatically downgrade (i.e., not actually use bcrypt) if it's not available on your server's PHP config. Commented Feb 25, 2012 at 16:24

1 Answer

Edit: The problem is that you have the argument order wrong; you need the password first, then the stored hash.

$check = $hasher->CheckPassword($password, $stored_hash);

Source

This matters: as I said before (below), the stored hash is used to decide how to hash the password for comparison, so your wrong argument order will cause the check to fail.

Answer from before:

You don't decrypt a hash; you check it by hashing the comparable data in the same way. BCrypt hashes include the hash, the salt and the number of rounds, so there should be no problem in checking this.

The reason that the hashes are never the same is that the salt is different each time. This protects against rainbow table attacks.

As far as I can tell, your check is sound. The problem must be elsewhere. Are you sure that $user->password actually contains the hash in full? BCrypt hashes are 60 characters, so make sure it isn't being truncated.
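The behaviour described in this answer, as an added example that is not part of the original answer or of phpass: PHP's built-in password_hash()/password_verify() produce and check the same 60-character bcrypt format that phpass's HashPassword/CheckPassword use when bcrypt is available, so the example uses them instead of requiring phpass. The helper describeBcryptHash() and the sample password are constructed for the illustration.

```php
<?php
// Added example, not from the question or from phpass. Uses PHP's native
// bcrypt via password_hash()/password_verify(); the stored-hash layout is the
// same one phpass produces when bcrypt is available.

// Split a bcrypt string into its parts: "$2y$" + 2-digit cost + "$" +
// 22-char salt + 31-char digest = 60 characters in total.
function describeBcryptHash(string $hash): array {
    if (strlen($hash) !== 60 ||
        !preg_match('/^\$2[aby]\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('Not a full bcrypt hash (truncated column?)');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$password = 'correct horse battery staple'; // constructed sample plaintext

// Same plaintext, two different hashes: a fresh random salt is drawn each time,
// which is why comparing freshly generated hashes to the stored one never matches.
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo 'hashes differ:     ', var_export($hash1 !== $hash2, true), PHP_EOL;
echo 'salts differ:      ', var_export(
    describeBcryptHash($hash1)['salt'] !== describeBcryptHash($hash2)['salt'], true), PHP_EOL;

// Verification re-hashes the candidate with the salt and cost read out of the
// stored hash, so both stored hashes accept the same password.
echo 'verify hash1:      ', var_export(password_verify($password, $hash1), true), PHP_EOL;
echo 'verify hash2:      ', var_export(password_verify($password, $hash2), true), PHP_EOL;

// The bug from the question: arguments swapped. The "stored hash" slot now holds
// the plaintext, which carries no salt or cost, so the check cannot succeed.
echo 'swapped arguments: ', var_export(password_verify($hash1, $password), true), PHP_EOL;

// Truncation check: a column shorter than 60 characters silently cuts the hash.
$truncated = substr($hash1, 0, 50);
echo 'truncated hash:    ', var_export(password_verify($password, $truncated), true), PHP_EOL;
try {
    describeBcryptHash($truncated);
} catch (InvalidArgumentException $e) {
    echo 'length check:      ', $e->getMessage(), PHP_EOL;
}
```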

3 Comments

Yeah, I know I don't decrypt; I was just using that word for no good reason, haha. Yes, I checked the stored hash and it's ok. Looking at the resulting hash when using CheckPassword, it shows the compared hash is never the same. I'm wondering what's wrong and why it wouldn't ever return a true boolean.
Updated with the answer, your CheckPassword has the argument order wrong.
Yes! Works now. Weird, the sample file showed it the other way around. Apparently I misread or misunderstood how the variables were used there.