6
votes

I went through many articles related to this topic, such as this:

Using PHP 5.5's password_hash and password_verify function

Yet, I'm unsure if I'm hashing and salting the correct way or overdoing it!

I want to use my own salt and then hash. Both the salt and the hashed password are stored in the database in two different fields.

This is how I hash the password before storing it in the database:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;

//shall I remove this line and replace below PASSWORD_DEFAULT  with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);

$hash = password_hash($password, PASSWORD_DEFAULT);

Given that, I'm trying to verify the password as below. Somehow I feel that I'm complicating the process.

$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password

$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);


if (password_verify($password, $newhash)) {
    echo "verified";
} else {
    echo "Not verified";
}

EDITED:

Now I store it like this:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);

But verification is confusing:

$email = "[email protected]";
$uid= '555ca83664caf';
$sql = "SELECT *FROM authsessions WHERE email =:myemail AND useruuid =:uid";

$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
    echo "salt ".$row['salt']."<br/><br/>";
    echo "hashpassword ".$row['hashpword'];
}

$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";

$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);


if (password_verify($newhash, $hashAndSalt)) {
    echo "verified";
} else {
    echo "Not verified";
}

It echoes "Not Verified"

@user3633383, what value? Hmm, I'm getting the salt string and hashed password, but when I verify it says not verified. - sherly

Ok, I have never used these functions before. What seems to be happening is that you are hashing the password and then using it to verify if it is a valid password. The password_verify() takes the original password unhashed. - Zast

4 Answers

7
votes

The function password_hash() is just a wrapper: internally it generates a cryptographically safe salt and then calls the crypt() function to calculate the BCrypt hash.

So there is no reason to do the same steps yourself (do not call crypt() and do not generate a salt). Generating your own salt is not recommended, because you cannot do it better than the password_hash function does. Also, there is no reason to store the salt in a separate db column; it is already part of the resulting hash value.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
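An added example (not code from the question or the answers) showing what this answer describes: the string returned by password_hash() already carries the algorithm id, cost and a fresh 22-character salt, password_verify() reads them back out, and hashing the hash a second time, as in the question, breaks verification. The password values are constructed.

```php
<?php
// Added example, not code from the question or the answers above. It shows
// that the string password_hash() returns already carries the algorithm id,
// the cost and a random 22-character salt, so no separate salt column and
// no extra crypt() pass are needed. The password values are constructed.

declare(strict_types=1);

function storeHash(string $password, int $cost = 10): string
{
    // bcrypt chosen explicitly; password_hash() generates the salt itself.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function describeHash(string $hash): array
{
    // Layout of a bcrypt string: $2y$ <cost> $ <22-char salt> <31-char digest>
    if (!preg_match('/^\$2[aby]\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

function checkLogin(string $entered, string $storedHash): bool
{
    // password_verify() reads the salt and cost back out of $storedHash.
    return password_verify($entered, $storedHash);
}

$password = 'pwtester';            // constructed sample input
$stored   = storeHash($password);  // the only value to keep in the database

$info = describeHash($stored);
printf("cost=%d salt=%s\n", $info['cost'], $info['salt']);

// Correct password verifies, wrong one does not.
var_dump(checkLogin('pwtester', $stored));
var_dump(checkLogin('wrong', $stored));

// Hashing the hash again, as in the question, breaks verification: the
// stored value is now derived from the hash string, not from the password.
$doubled = password_hash($stored, PASSWORD_BCRYPT);
var_dump(checkLogin('pwtester', $doubled));

// Two hashes of the same password differ because each gets a fresh salt,
// yet both verify against the original password.
$again = storeHash($password);
var_dump($again !== $stored && checkLogin($password, $again));
```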

5
votes

This will verify correctly, as it should.

//on creating an account, a user enters a password!
$password="pwtester";//user keyed in password

$newhash = password_hash($password, PASSWORD_DEFAULT);
//$newhash now has the only value that you need to store in the db
//you do not need any more than this value, that you retrieve when you
//want to verify your password!

//this part is only done to verify passwords!
if (password_verify($password, $newhash)) {
    echo "verified";
} else {
    echo "Not verified";
}

So, provided you have stored the hash in the db:

$newhash=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password

if (password_verify($password, $newhash)) {
    echo "verified";
} else {
    echo "Not verified";
}

Should work!

1
votes

Password storage:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost, 'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT, $options);

Password verify:

<?php
include('config.php');
$email = "[email protected]";
$uid= '555cb0a63f08d';
$sql = "SELECT *FROM authsessions WHERE  useruuid =:uid";

$statement = $pdo->prepare($sql);
$statement->bindValue(':uid', $uid);
$statement->execute();
while ($row = $statement->fetch()) {
    // assign first, then echo: an assignment written inside the echo
    // expression would otherwise append the "<br/>" tags to $salt
    $salt = $row['salt'];
    $hashAndSalt = $row['hashpword'];
    echo "salt " . $salt . "<br/><br/>";
    echo "hashpassword " . $hashAndSalt;
    echo "<br/>";
}

$password = "nony";

//$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);

if (password_verify($password, $hashAndSalt)) {
    echo "verified";
} else {
    echo "Not verified";
}
?>
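An added example (not the asker's code) of the PDO lookup above reduced to a single stored column, with the rehash step a login handler usually adds. It runs against an in-memory SQLite database with constructed data and needs the pdo_sqlite extension; the table and column names are assumptions, not the asker's schema.

```php
<?php
// Added example, not the asker's code: the PDO lookup above reduced to a
// single stored column, run against an in-memory SQLite database with
// constructed data. Requires the pdo_sqlite extension; the table and column
// names are assumptions, not the asker's schema.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, hashpword TEXT NOT NULL)');

function register(PDO $pdo, string $email, string $password): void
{
    // One column is enough: salt and cost live inside the hash string.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $pdo->prepare('INSERT INTO users (email, hashpword) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $pdo, string $email, string $entered): bool
{
    $stmt = $pdo->prepare('SELECT hashpword FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still run one bcrypt so the response time is similar.
        password_verify($entered, '$2y$10$' . str_repeat('.', 53));
        return false;
    }
    if (!password_verify($entered, $hash)) {
        return false;
    }
    // On success, upgrade the stored hash if the cost policy has changed.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE users SET hashpword = :hash WHERE email = :email');
        $upd->execute([
            ':hash'  => password_hash($entered, PASSWORD_BCRYPT, ['cost' => 12]),
            ':email' => $email,
        ]);
    }
    return true;
}

register($pdo, 'user@example.com', 'test55');
var_dump(login($pdo, 'user@example.com', 'test55'));   // first success rehashes to cost 12
var_dump(login($pdo, 'user@example.com', 'wrong'));
var_dump(login($pdo, 'nobody@example.com', 'test55'));
```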

0
votes

You hash the password two times. Leave out the crypt function and you should be OK.

Just take a look at the PHP documentation regarding password_verify and password_hash.

Just save the password with password_hash(); that should store the hash in the DB.

And to verify, you just compare the hash with the user input using password_verify(). password_verify() will do the rest for you :)