Password hashing
#11

(08-13-2015, 07:46 AM)ardavan Wrote: ...
Code:
string(45) "$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ" bool(false)
...

The password_verify() is always FALSE!

This is an incomplete hash, probably truncated by a field-length limit that you've set on your database table. bcrypt produces a 60-character hash, yours is only 45 and it could never validate (actually, it probably contains just the salt).

The solution is to change your password field to varchar(255) (yes, 255; for forward-compatibility) and re-hash your passwords.

Also, you should implement a minimum password length policy ... I know you're probably just testing right now, but no one should ever be allowed to use 'zz' as a password.
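The truncation failure described in the reply above, as an added example that is not code from the thread: it cuts a fresh bcrypt hash to 45 characters to simulate the column limit and checks the stored shape. `bcrypt_hash_problem()` is a hypothetical helper and the sample password is constructed.

```php
<?php
/**
 * Hypothetical helper: returns null when $stored has the shape of a complete
 * bcrypt hash, otherwise a short description of what is wrong with it.
 */
function bcrypt_hash_problem(string $stored): ?string
{
    // Prefix: "$2y$" (or another $2 variant), a two-digit cost, then "$".
    if (!preg_match('/^\$2[abxy]\$\d{2}\$/', $stored)) {
        return 'not a bcrypt hash';
    }
    // Complete hash: 7-character prefix + 22-character salt + 31-character digest.
    $len = strlen($stored);
    if ($len < 60) {
        return "truncated: $len of 60 characters";
    }
    if (!preg_match('/^.{7}[.\/A-Za-z0-9]{53}$/D', $stored)) {
        return 'malformed bcrypt hash';
    }
    return null;
}

$password = 'example-passphrase-2015'; // constructed sample input
$full = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$cut = substr($full, 0, 45); // what a 45-character column would keep

// The 45-character value quoted in the thread.
$fromThread = '$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ';

$samples = ['full' => $full, 'cut to 45' => $cut, 'from the thread' => $fromThread];
foreach ($samples as $label => $hash) {
    // Print the stored length, the password_verify() result and the diagnosis.
    printf(
        "%-16s length=%d verify=%s problem=%s\n",
        $label,
        strlen($hash),
        var_export(password_verify($password, $hash), true),
        bcrypt_hash_problem($hash) ?? 'none'
    );
}
```

Running the helper over the stored values after widening the column shows which rows still hold a cut hash and have to be re-hashed.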


Messages In This Thread
Password hashing - by ardavan - 08-12-2015, 07:35 AM
RE: Password hashing - by CroNiX - 08-12-2015, 07:51 AM
RE: Password hashing - by mariek - 08-12-2015, 08:25 AM
RE: Password hashing - by Narf - 08-12-2015, 09:26 AM
RE: Password hashing - by ardavan - 08-13-2015, 04:28 AM
RE: Password hashing - by pdthinh - 08-13-2015, 05:48 AM
RE: Password hashing - by ivantcholakov - 08-13-2015, 06:04 AM
RE: Password hashing - by ardavan - 08-13-2015, 07:11 AM
RE: Password hashing - by Narf - 08-13-2015, 07:15 AM
RE: Password hashing - by ardavan - 08-13-2015, 07:46 AM
RE: Password hashing - by Narf - 08-13-2015, 08:02 AM
RE: Password hashing - by ardavan - 08-22-2015, 09:56 PM
RE: Password hashing - by mwhitney - 08-24-2015, 07:28 AM


