How do I check the password for the database?

Question

How do I check the password for the database?

I have looked through many articles related to this topic, for example:

Using password_hash and password_verify PHP 5.5 function

However, I'm not sure if I am hashing and sticking in the correct way or if I am doing this!

I want to use my salt and then the hash. Both the salt and the hashed password are stored in the database in two different fields.

This is how I use the password before saving to the database

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;

//shall I remove this line and replace below PASSWORD_DEFAULT  with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);

$hash = password_hash($password, PASSWORD_DEFAULT);

Considering that I am trying to validate a password like below: somehow I feel like I am complicating the process.

$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password

$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);


if (password_verify($password, $newhash)) {
   echo"verified";
}
else
{
    echo"Not verified"; 
}

Editorial staff:

Now I store like this:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);

But checking the confusion:

$email = "test55@gmail.com";
$uid= '555ca83664caf';
$sql = "SELECT *FROM authsessions WHERE email =:myemail AND useruuid =:uid";

$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
    echo "salt ".$row['salt']."<br/><br/>";
    echo "hashpassword ".$row['hashpword'];
}

$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";

$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);


if (password_verify($newhash, $hashAndSalt)) {
   echo"verified";
}
else
{
    echo"Not verified"; 
}

He repeats "Not Verified"

+3

php hash

sherly May 20 '15 at 9:40

source to share

4 answers

user3633383 · Answer 1 · 2015-05-20T11:00:01+0000

This will validate correctly as it should.

//on creating an account, a user enters a password!
$password="pwtester";//user keyed in password

$newhash = password_hash($password, PASSWORD_DEFAULT);
//#newhash now has the only value that you need to store in the db
//you do not need any more than this value, that you retrieve when you 
//want to verify your password!

//this part is only done to verify passwords!
if (password_verify($password, $newhash)) {
    echo"verified";
}
else
{
    echo"Not verified"; 
}

So if you saved the hash in db

$newhash=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password

if (password_verify($password, $newhash)) {
    echo"verified";
}
else
{
    echo"Not verified"; 
}

Must work!

martinstoeckli · Answer 2 · 2015-05-20T13:19:49+0000

The password_hash () function is just a shell, internally it generates a cryptographically secure salt and then calls a function crypt()

to calculate the BCrypt Hash.

So there is no reason to do the same steps yourself (don't call crypt () and don't generate salt). Creating your own salt is not recommended because you can't do it better than the password_hash function. There is also no reason to store the salt in a separate db column, it is already part of the final hash value.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

Rflujowa · Answer 3 · 2015-05-20T11:00:31+0000

You have a password 2 times. Leave the crypt function and you should be fine.

Just take a look at the PHP documentation regarding password_verify and password_hash.

Just save the password with password_hash (). which should store the hash in the DB.

And to be sure, you just compare the hash with user input with password_verify. Password_verify will do everything for you :)

sherly · Answer 4 · 2015-05-20T16:13:10+0000

Password storage:

$cost = 10;

$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');

$options = array('cost' => $cost,'salt' => $salt); 

$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);

Password confirmation:

<?php
include('config.php');
$email = "test55@gmail.com";
$uid= '555cb0a63f08d';
$sql = "SELECT *FROM authsessions WHERE  useruuid =:uid";

$statement = $pdo->prepare($sql);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$salt=$row['salt']."<br/><br/>";
echo "hashpassword ".$hashAndSalt=$row['hashpword'];
echo"<br/>";
}

$password="nony";



//$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);


if (password_verify($password, $hashAndSalt)) {
   echo"verified";
}
else
{
echo"Not verified"; 
}
?>

How do I check the password for the database?

More articles: