Password hashing
#11

(08-13-2015, 07:46 AM)ardavan Wrote: ...
Code:
string(45) "$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ" bool(false)
...

the password_verify() is always FALSE!

This is an incomplete hash, probably truncated by a field-length limit that you've set on your database table. bcrypt produces a 60-character hash, yours is only 45 and it could never validate (actually, it probably contains just the salt).

The solution is to change your password field to varchar(255) (yes, 255; for forward-compatibility) and re-hash your passwords.

Also, you should implement a minimum password length policy ... I know you're probably just testing right now, but no one should ever be allowed to use 'zz' as a password.
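A worked illustration of the truncation problem described in the post above, added here as an example; it is not code from the thread or from any project. It assumes the bcrypt cost 10 seen in the posted hash and simulates a VARCHAR(45) column with substr(), since a non-strict MySQL server silently truncates on insert. The helper name bcrypt_hash_is_intact() is invented for this example; the other functions are standard PHP.

```php
<?php
// Added example: why a VARCHAR(45) column breaks password_verify().
// bcrypt output is always 60 characters:
//   $2y$ (4) + cost "10" (2) + $ (1) + 22-char salt + 31-char digest.
declare(strict_types=1);

/**
 * Sanity check a stored bcrypt string before trusting it.
 * Returns true only for a complete, well-formed bcrypt hash; use it in a
 * migration script to find rows that were truncated by a short column.
 */
function bcrypt_hash_is_intact(string $hash): bool
{
    return preg_match('/^\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

$password = 'correct horse battery staple';

// Hash the way the poster does (bcrypt, cost 10).
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(strlen($hash));                       // int(60)
var_dump(bcrypt_hash_is_intact($hash));        // bool(true)
var_dump(password_verify($password, $hash));   // bool(true)

// Simulate what a VARCHAR(45) column does in non-strict MySQL mode:
// the row is written, but only the first 45 characters survive.
$truncated = substr($hash, 0, 45);
var_dump(strlen($truncated));                     // int(45)
var_dump(bcrypt_hash_is_intact($truncated));      // bool(false)
var_dump(password_verify($password, $truncated)); // bool(false): digest is gone

// After widening the column, existing rows cannot be repaired: the digest
// bytes were never stored. Those users need a password reset; on their next
// successful login, store the fresh hash and check it for future upgrades.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
    $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}
var_dump(password_verify($password, $stored));    // bool(true)
```

Two practical notes. With sql_mode set to STRICT_TRANS_TABLES (or STRICT_ALL_TABLES), MySQL rejects the oversized value with "Data too long for column" instead of truncating, which would have surfaced this bug at insert time rather than at login. And the 255-character column is the right call because PASSWORD_DEFAULT may switch to a longer algorithm output in a later PHP release; a column sized exactly to bcrypt would reintroduce the same silent truncation then.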
#12

Thank you for helping me in this.

What number of characters is good for a minimum password length? Is 5 enough?

After changing VARCHAR(45) to VARCHAR(255) it's working well.

Thanks guys...
#13

An article I read recently stated that a hashed 8-character password could be cracked in about 2 days, assuming the 8-character password was extremely complex. Given the process usually involved, cracking an entire list of passwords stolen from a site is generally expected to take as long as the time required to crack the most complex password used on that site.

That said, 8 characters is a common choice for a minimum length. Then you usually add the complexity requirements, such as requiring a mixture of lower/uppercase characters, numbers, and symbols.
Theme © iAndrew 2016 - Forum software by © MyBB