How to use PHP crypt() function with a SHA256 salt string to generate the same hash it would generate if SHA256 wasn't supported on the server?

0
votes

My web application uses the PHP crypt() function for password hashing. I wanted to use SHA256 algorithm, so I generated the users' salt strings accordingly. The problem is that i didn't realize that SHA256 was not supported on the server I was using (CRYPT_SHA_256). I've just moved my application to another server which supports SHA256 and basically none of my users can log in because their password strings and salt strings generate different hashes compared to the hashes generated on the previous server.

What do you think the best solution would be without asking every single user to change their passwords?

Thank you in advance, I appreciate any useful ideas.

1
phploginsha256cryptpassword-hash
You shouldn't use SHA to hash passwords. Instead use the password_hash() function or the phpass library.Alex Howansky
also you can use the hash() functionuser1823693
i might be wrong, but as far as i know the crypt() function with a unique user salt using sha256 algorythm is strong enough for hashing passwords. Anyway thanks for your tips, but whichever hashing method i decide to use, i still have to use my old solution as well to provide acces to those haven't changed their passwords.vadaszp
Use the old method on the supplied, incoming details. If you get a match then all ok. If not matched then try the new method...Ryan Vincent
Yes, that should do it, but crypt() with a sha256 format salt gives me different results depending on whether sha256 algorythm is supported on not. On the new server it is supported, but somehow i should get the hash which would be generated if it wasn't.vadaszp

1 Answers

0
votes

Actually the crypt() function should be able to verify your existing hashes, even if they are not SHA-256 as you wanted to generate. Since the new password API internally use the crypt() function, it should even be possible to verify your hashes with the new functions:

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

To generate new hashes you should use the new function password_hash(), it will automatically create a safe salt. Evenmore it calculates a BCrypt hash, instead of the SHA-256 which is not appropriate to hash passwords.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);