Password hashing
#1

Hi guys,

After reading the documentation ( http://www.codeigniter.com/user_guide/ge...d-handling ) about password security, I've changed my signup form to this:
Code:
$data = array(
'PASSWORD'    =>    password_hash($this->input->post('password'), PASSWORD_BCRYPT)
);
$this->user->save_user($data);

I can see my password saved in the DB with different characters, which is the "hash".

Now when I want to log in, the password is not valid.
How I am getting the password on the login page is:
Code:
$this->user->login_access(array(
    'PASSWORD'     =>     $this->input->post('password')
));

Note: My code without hashing is working.

I believe I need to do something to change the standard chars to a hash, then check against the DB. Confused
I'm stuck on this part.

Any idea?
#2

You need to hash their supplied password (retrieved via post) and compare it against the hashed password in the db.
#3

(This post was last modified: 08-12-2015, 08:25 AM by mariek. Edit Reason: typo )

If you use password_hash, you can use password_verify, this is the recommended method on php.net
http://php.net/manual/en/function.password-verify.php
#4

(08-12-2015, 07:51 AM)CroNiX Wrote: You need to hash their supplied password (retrieved via post) and compare it against the hashed password in the db.

(08-12-2015, 08:25 AM)mariek Wrote: If you use password_hash, you can use password_verify, this is the recommended method on php.net
http://php.net/manual/en/function.password-verify.php

s/can/must/

password_verify() is the only way.
#5

I've read the password_verify() page. I can see the example there, like this:
Code:
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
   echo 'Password is valid!';
} else {
   echo 'Invalid password.';
}

Now I'm trying to log in with this code (but I don't know what my problem is; it's not working!):
Code:
$username = $this->input->post('username');
$password = $this->input->post('password');
$password_h = password_hash($this->input->post('password'), PASSWORD_BCRYPT);

$access = $this->user->login_access(array(
    'USER_NAME'     =>    $username,
    'PASSWORD'         =>    password_verify($password, $password_h)
));

and my login_access() is:
Code:
function login_access($cond = array())
{
    return $this->db->get_where($this->tablename, $cond)->result();
}
#6

You must retrieve the password from the database by username, then use password_verify to compare the two passwords.

PHP Code:
// code to login (controller)
$username = $this->input->post('username');
$password = $this->input->post('password');

$access = $this->user->login_access($username, $password);

// in the model
function login_access($username, $password)
{
    // look the row up by username only; the password is never part of the WHERE
    $query = $this->db->get_where($this->tablename, array('USER_NAME' => $username));
    if ($query->num_rows() > 0)
    {
        $user_row = $query->row();
        // compare the submitted plaintext against the stored hash
        return password_verify($password, $user_row->PASSWORD);
    }

    return FALSE;
}

#7

@ardavan

Your code is wrong.
Place the following code within a page, reload it several times and you will find out why.

Code:
echo '<br />';

$password = 'test';

$password_h = password_hash($password, PASSWORD_BCRYPT);
// Note that every time a hash is produced it is different from the
// previous one: a fresh random salt is generated and embedded in the
// string. That salt is what defeats precomputed dictionary attacks.
echo $password_h;

echo '<br />';

$password_at_login = 'test';

$success = password_verify($password_at_login, $password_h);
var_dump($success);

echo '<br />';
#8

(08-13-2015, 06:04 AM)ivantcholakov Wrote: @ardavan

Your code is wrong.
Place the following code within a page, reload it several times and you will find out why.

[...]

@ivantcholakov 

Wait, wait...
You said the hash will change every time...!

I think I got it totally wrong, because I've saved the hashed password in the DB after registration.

Correct me if I'm wrong: so I have to save the standard chars in the DB AND I should use password_hash() & password_verify() for login.
#9

(08-13-2015, 07:11 AM)ardavan Wrote: [...]

Correct me if I'm wrong: so I have to save the standard chars in the DB AND I should use password_hash() & password_verify() for login.

These two functions have different purposes and you're mixing them.

- Use password_hash() when you store a new password (creating new user, changing an old password)
- Use only password_verify() for login.
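The split Narf describes (password_hash() only when a password is stored, password_verify() only at login), written out as one CodeIgniter 3 model plus the controller call. This is an added example, not code from the thread or from CodeIgniter; it assumes CI3's Query Builder, a table named by $this->tablename with the USER_NAME and PASSWORD columns the thread uses, and a PASSWORD column wide enough for the 60-character bcrypt string (VARCHAR(255) also leaves room if PASSWORD_DEFAULT changes algorithm in a later PHP release).

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Assumed: CodeIgniter 3, a table named by $this->tablename with the columns
// USER_NAME and PASSWORD used in the thread, and PASSWORD wide enough for the
// 60-character bcrypt string (VARCHAR(255) leaves room for future algorithms).
class User_model extends CI_Model
{
    protected $tablename = 'users';   // assumed table name

    // Registration or password change: this is the ONLY place password_hash()
    // is called. The random salt and the cost are embedded in the returned
    // string, so nothing else has to be stored to verify it later.
    public function save_user($username, $plain_password)
    {
        $hash = password_hash($plain_password, PASSWORD_DEFAULT);

        return $this->db->insert($this->tablename, array(
            'USER_NAME' => $username,
            'PASSWORD'  => $hash,
        ));
    }

    // Login: look the row up by username ONLY, then hand the plaintext and the
    // stored hash to password_verify(). Hashing the submitted password again
    // here would produce a new salt and therefore a different string, so a
    // comparison against the stored one could never succeed.
    // Returns the user row on success and FALSE otherwise.
    public function login_access($username, $plain_password)
    {
        $row = $this->db->get_where($this->tablename, array('USER_NAME' => $username))->row();

        if ($row === NULL) {
            // Burn the same amount of CPU as a real verify so an unknown
            // username is not detectably faster than a wrong password.
            password_hash($plain_password, PASSWORD_DEFAULT);
            return FALSE;
        }

        if ( ! password_verify($plain_password, $row->PASSWORD)) {
            return FALSE;
        }

        // Optional: if the stored hash was made with an older algorithm or a
        // lower cost, re-hash it now while the plaintext is available.
        if (password_needs_rehash($row->PASSWORD, PASSWORD_DEFAULT)) {
            $this->db->where('USER_NAME', $username)
                     ->update($this->tablename, array(
                         'PASSWORD' => password_hash($plain_password, PASSWORD_DEFAULT),
                     ));
        }

        return $row;
    }
}

// Controller side: no hashing here at all.
//
// $user = $this->user->login_access(
//     $this->input->post('username'),
//     $this->input->post('password')
// );
// if ($user === FALSE) {
//     // show the same message for an unknown user and a wrong password
// }
```

The controller returns one generic failure message for both "no such user" and "wrong password"; together with the dummy hash in the not-found branch this keeps the login form from confirming which usernames exist.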
#10

@Narf
Thanks for the useful explanation.

With your explanation and the other friends' help, I've changed my code:
PHP Code:
$username = $this->input->post('username');
$password = $this->input->post('password');

$password_hashed = $this->user->get_one_by(array('USER_NAME' => $username))->PASSWORD;
var_dump($password_hashed);

var_dump(password_verify($password, $password_hashed));

And the result is
Code:
string(45) "$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ" bool(false)

My entered password is "zz", which during registration was changed to a hash and then saved in the DB.

My password in the db is
Code:
$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ

My get_one_by() function is in my model:
PHP Code:
function get_one_by($cond = array())
{
    $result = $this->db->get_where($this->tablename, $cond);
    if ($result->num_rows()) return $result->row();

    return NULL;
}
password_verify() is always FALSE!  Huh
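The var_dump in the post above reports string(45). A bcrypt hash returned by password_hash() is always exactly 60 characters (the php.net example quoted in post #5 is 60), so the stored value has lost its last 15 characters somewhere between password_hash() and the SELECT, and password_verify() is right to reject it. A PASSWORD column narrower than 60 characters (for example VARCHAR(45)) is the usual cause; the thread never shows the table definition, so that is an inference, not something the thread confirms. The script below is an added example, not code from the thread: it reproduces the symptom with the thread's password "zz" and shows the length check that catches it. The table name and column type in it are assumed.

```php
<?php
// Added example, not code from the thread. The only facts taken from post #10
// are the password "zz" and that var_dump() printed string(45) for the stored
// hash; everything else (the table name, the column type) is assumed.

// password_hash() with bcrypt ($2y$) always returns exactly 60 characters:
// "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char hash.
const BCRYPT_HASH_LENGTH = 60;

// Call this on the value read back from the database (and, during a
// migration, on the value about to be written) to catch silent truncation.
function check_stored_hash($stored)
{
    if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) !== BCRYPT_HASH_LENGTH) {
        return sprintf('bcrypt hash should be %d chars but %d were stored: truncated',
                       BCRYPT_HASH_LENGTH, strlen($stored));
    }
    $info = password_get_info($stored);
    if ($info['algoName'] === 'unknown') {
        return 'not a hash password_verify() can check';
    }
    return 'ok';
}

$plain = 'zz';
$full  = password_hash($plain, PASSWORD_BCRYPT);   // the 60-character string

// What a PASSWORD column narrower than 60 characters keeps of it. With MySQL
// in non-strict mode the INSERT succeeds and the value is cut without any
// error; in strict mode it fails with "Data too long for column" instead.
$truncated = substr($full, 0, 45);

var_dump(strlen($full));
var_dump(password_verify($plain, $full));        // verifies against the full hash
var_dump(password_verify($plain, $truncated));   // fails: the symptom in post #10
echo check_stored_hash($truncated), "\n";        // reports the truncation
echo check_stored_hash($full), "\n";

// Fix (assumed table name): widen the column, then have every affected user
// register again or go through a password reset. The missing 15 characters of
// each stored hash cannot be recovered, so existing rows cannot be repaired.
//   ALTER TABLE users MODIFY PASSWORD VARCHAR(255) NOT NULL;
```

Running check_stored_hash() on the hash right after get_one_by() would have turned the silent bool(false) into a message that names the real problem; enabling MySQL strict mode makes the INSERT fail loudly at registration time instead.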