Password hashing

Hi guys,

after reading the documentation ( http://www.codeigniter.com/user_guide/ge...d-handling ) about security in password, i've changed my signup form to this:

Code:

$data = array(
'PASSWORD'    =>    password_hash($this->input->post('password'), PASSWORD_BCRYPT)
);
$this->user->save_user($data)

I can see my password saved in the DB with different characters which is "hash".

Now when i want to login the password is not valid.
How am i getting the password in login page is:

Code:

$this->user->login_access(array(
'PASSWORD'     =>     $this->input->post('password')
);

Note: My code in without hashing is working

I believe i need to do something to change the standard chars to hash then check with DB.
I'm stuck in this part.

Any idea?

You need to hash their supplied password (retrieved via post) and compare it against the hashed password in the db.

If you use password_hash, you can use password_verify, this is the recommended method on php.net
http://php.net/manual/en/function.password-verify.php

You need to hash their supplied password (retrieved via post) and compare it against the hashed password in the db.

If you use password_hash, you can use password_verify, this is the recommended method on php.net
http://php.net/manual/en/function.password-verify.php

s/can/must/

password_verify() is the only way.

I've read the password_verify(). i can see the example there like this:

Code:

$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
   echo 'Password is valid!';
} else {
   echo 'Invalid password.';
}

now I'm trying to login like this code: (but i don't know whats my problem that its not working!)

Code:

$username = $this->input->post('username');
$password = $this->input->post('password');
$password_h = password_hash($this->input->post('password'), PASSWORD_BCRYPT);

$access = $this->user->login_access(array(
    'USER_NAME'     =>    $username,
    'PASSWORD'         =>    password_verify($password, $password_h)
));

and my login_access() is:

Code:

function login_access($cond = array())
{
    return $this->db->get_where($this->tablename, $cond)->result();
}

You must retrieve the password in the database by username, then use password_verify to compare two passwords.

PHP Code:

// code to login
$username = $this->input->post('username');
$password = $this->input->post('password');

$access = $this->user->login_access($username, $password);

//
function login_access($username, $password)
{
    $query = $this->db->get_where('USER_NAME', $username);
    if ($query->num_rows() > 0)
    {
        $user_row = $query->row();
        return password_verify($password, $user_row->PASSWORD);
    }
    
    return FALSE;
} 


@ardavan

Your code is wrong.
Place the following code within a page, reload it several times and you will find out why.

Code:

echo '<br />';

$password = 'test';

$password_h = password_hash($password, PASSWORD_BCRYPT);
// Note that every time a hash is produced,
// it is different than the previous one.
// It is for prevention dictionary attacks.
echo $password_h;

echo '<br />';

$password_at_login = 'test';

$success = password_verify($password_at_login, $password_h);
var_dump($success);

echo '<br />';

@ardavan

Your code is wrong.
Place the following code within a page, reload it several times and you will find out why.

Code:

echo '<br />';

$password = 'test';

$password_h = password_hash($password, PASSWORD_BCRYPT);
// Note that every time a hash is produced,
// it is different than the previous one.
// It is for prevention dictionary attacks.
echo $password_h;

echo '<br />';

$password_at_login = 'test';

$success = password_verify($password_at_login, $password_h);
var_dump($success);

echo '<br />';

@ivantcholakov 

wait wait...
You said every time the hash will change...!
 
I think totally i got wrongly because I've saved the hashed password after register inside the DB.

correct me if I'm wrong : So I've to save the standard chars inside the DB AND i should use password_hash() & password_verify() for login.

@ardavan

Your code is wrong.
Place the following code within a page, reload it several times and you will find out why.

Code:

echo '<br />';

$password = 'test';

$password_h = password_hash($password, PASSWORD_BCRYPT);
// Note that every time a hash is produced,
// it is different than the previous one.
// It is for prevention dictionary attacks.
echo $password_h;

echo '<br />';

$password_at_login = 'test';

$success = password_verify($password_at_login, $password_h);
var_dump($success);

echo '<br />';

@ivantcholakov 

wait wait...
You said every time the hash will change...!
 
I think totally i got wrongly because I've saved the hashed password after register inside the DB.

correct me if I'm wrong : So I've to save the standard chars inside the DB AND i should use password_hash() & password_verify() for login.

These two functions have different purposes and you're mixing them.

- Use password_hash() when you store a new password (creating new user, changing an old password)
- Use only password_verify() for login.

@Narf
Thanks for useful explaining.

With your explaining and other friends, I've change my code:

PHP Code:

$username = $this->input->post('username');
$password = $this->input->post('password');
                
$password_hashed = $this->user->get_one_by(array('USER_NAME' => $username))->PASSWORD;
var_dump($password_hashed);

var_dump(password_verify($password, $password_hashed)); 


And the result is

Code:

string(45) "$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ" bool(false)

My entry password is "zz" which is during registering changed to hash and then saved in the DB.

My password in the db is

Code:

$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ

My get_one_by() function is in my model:

PHP Code:

function get_one_by($cond = array())
{
    $result = $this->db->get_where($this->tablename, $cond);
    if ($result->num_rows()) return $result->row();
        
} 


the password_verify() always is FALSE !