8
votes

My database stores the bcrypt passwords, which means that the salt should be stored within the password field. I don't want to make a separate field to store the salt by itself when it is not necessary. However, when I want to compare passwords that the user sends to me to the passwords stored in the database, I need to hash the incoming password with the same salt. Question: what part of the stored hash is the salt? I think I could just return the salt using a simple substr().

// Password stored in the database. password_hash() picks a random salt
// and embeds it (with the cost) in the returned string.
$user->password_hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 13));


// Password from the form being compared to the stored password hash.
// Note: this call draws a *new* random salt, so the result will not be
// the same string as the one stored above.
$form_password_hash = password_hash($data['form-password'], PASSWORD_BCRYPT, array('cost' => 13));

// This comparison never succeeds, because the two hashes use different salts.
if($user->getPasswordHash() == $form_password_hash)
{
    $user->setPassword($data['new-password']);
    return new Response("Your password has been changed");
}
No; bcrypt does this for you. – SLaks
Every bcrypt library I've used just deals with the whole string; you don't need to pass the salt in separately. Surely that's an option? – joshuahealy
When you say "bcrypt is generating a new salt" I hear "I am doing this wrong". Post your code. – Sammitch
Take a look at this answer, which has several ways of using bcrypt in PHP depending on the version you are running: stackoverflow.com/a/6337021/1248861 – joshuahealy
@Mr.Student password_verify does that for you. It does not generate a new salt; it uses the salt that's included with the hash you pass in. – CodesInChaos

2 Answers

10
votes

The salt is the first 22 characters after the third $ in the hash:

$2y$13$<this is the salt, 22 chars><this is the password hash>

But you should not manually extract the salt to verify the password - use the password_verify function. It takes the password the user entered as the first argument, and the complete hash as the second argument, and handles the salt correctly.

10
votes

You need to use the password_verify function. This function parses the hashed password string to find the salt and cost, performs the calculation, and compares the result for you.

if (password_verify($data['form-password'], $user->getPasswordHash())) {
    echo 'Password is correct';
}
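The following is an added example, not code from the question or either answer. It illustrates both answers at once: it splits a bcrypt string into its $2y$, cost, 22-character salt and 31-character hash fields, shows that two password_hash() calls on the same password never produce equal strings (each call draws a fresh salt), and then verifies the password the way the answers recommend. The parseBcrypt() helper, the sample password and the decision to rehash at cost 14 are assumptions made for the example; password_hash, password_verify, password_needs_rehash, crypt and hash_equals are standard PHP functions.

```php
<?php
// Added example (not from the original question or answers).
// Layout of a bcrypt string: $2y$<cost>$<22-char salt><31-char hash>, 60 chars total.

// Split a bcrypt string into its fields. Helper written for this example.
function parseBcrypt(string $hash): array
{
    // "$2y$13$" is 7 chars, then 22 salt chars, then 31 hash chars.
    // Both the salt and the hash use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
    $pattern = '#^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (strlen($hash) !== 60 || !preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'algo' => substr($hash, 0, 4), // "$2y$"
        'cost' => (int) $m[1],
        'salt' => $m[2],               // the part the question asks about
        'hash' => $m[3],
    ];
}

// Constructed sample input for the example.
$password = 'correct horse battery staple';

// What you store in the database: salt and cost travel inside the string.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 13]);
$parts  = parseBcrypt($stored);
printf("algo=%s cost=%d salt=%s hash=%s\n",
    $parts['algo'], $parts['cost'], $parts['salt'], $parts['hash']);

// 1. Hashing the submitted password again gives a different string, because
//    password_hash() generates a new random salt on every call. This is why
//    comparing two password_hash() results, as in the question, never matches.
$again = password_hash($password, PASSWORD_BCRYPT, ['cost' => 13]);
var_dump($stored === $again);
var_dump(parseBcrypt($again)['salt'] === $parts['salt']);

// 2. The correct check: hand the whole stored string to password_verify().
//    It reads the salt and cost from the string itself; no substr() required.
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong password', $stored));

// 3. What password_verify() does internally: crypt() re-uses the "$2y$13$" + salt
//    prefix of the stored string to recompute the hash, and the two 60-char
//    strings are compared in constant time so the comparison leaks no timing.
$recomputed = crypt($password, $stored);
var_dump(hash_equals($stored, $recomputed));

// 4. If you later raise the cost, detect old hashes on a successful login and
//    rehash with the new parameters (cost 14 is an assumed target here).
if (password_verify($password, $stored)
    && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 14])) {
    $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 14]);
    echo "rehashed at cost ", parseBcrypt($stored)['cost'], "\n";
}
```

Run it with `php example.php`. The two comparisons in step 1 come out false, the password_verify() calls in step 2 come out true and then false, and the hash_equals() check in step 3 comes out true, which is exactly why the answers say to pass the complete stored hash to password_verify() rather than slicing the salt out yourself.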