my hashed password values are not matching when retrieving salt value from database

0
votes

I have a problem. my hashed password values are not matching when retrieving salt value from database.

Register.php

  1. User enters username and password.
  2. Collect the username and password through POST.
  3. Generate a random salt value Add the salt value onto the end of the password value(entered by user). And hash the full value.

  4. Insert username, salt,hashedpassword and original password into database (just for testing)

    if (isset($_POST["usernameReg"]) && isset($_POST["passwordReg"])){
 // filter everything but numbers and letters
$username = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["usernameReg"]); 
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["passwordReg"]); 

$salt = openssl_random_pseudo_bytes(1024);

$hashedPassword = hash('sha256', $password.$salt);
//$hashedPassword1 = hash('sha256', $password);

$query = "INSERT INTO users (username, salt, hashedPassword, password) VALUES (:username, :salt, :hashedPassword, :password)";

$statement = $pdoConnection->prepare($query);
$statement->bindValue(':username', $username, PDO::PARAM_STR);
$statement->bindValue(':salt', $salt, PDO::PARAM_STR);
$statement->bindValue(':hashedPassword', $hashedPassword, PDO::PARAM_STR);
$statement->bindValue(':password', $password, PDO::PARAM_STR);
$statement->execute();

    }

login.php

  1. User enters username and password.
  2. Collect the username and password through POST.
  3. Check the username exists in the database.
  4. Get the salt value for that username from the database and add it to the end of the password entered by the user in the login form. Hash this value and store it into $_SESSION["newHashedValue”] variable.(for testing)
  5. Retrieve the original hashedValue from the database. Store it in $_SESSION[" dbHashedValue”] and compare values.

  6. If the values match then we know the login password is correct. Problem: these values do not match and they should because im entering the same login details.

    if (isset($_POST["username"]) && isset($_POST["password"])){ $username = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); 

        //check if this username and password exist in our database and are therefore valid
    $query = "SELECT * FROM users WHERE username=:username LIMIT 1";

    $statement = $pdoConnection->prepare($query);
    $statement->bindValue(':username', $username, PDO::PARAM_STR);
    $statement->execute();
    $statement->setFetchMode(PDO::FETCH_ASSOC);

    while($row = $statement->fetch()){
        $saltPassword = $password.$row["salt"];
        $newHashedValue = hash('sha256', $saltPassword);
        $dbHashedValue = $row["hashedPassword"];
        //these two values are not matching but they should match
        $_SESSION["newHashedValue"] = $newHashedValue;
        $_SESSION["dbHashedValue"] = $dbHashedValue;
    }

    }

stored in database

1
phpdatabasehashloginsalt
That should be impossible. Can you please check if the columns hashedPassword and salt are long enough to store your information? Maybe your salt or hash are being cut off at one point which would ruin everything. Keep in mind salt should be of length 2048 and not 1024. - Cârnăciov
How are your database columns set up? Is there enough room to store the full hash? - Gavin
Just use password_hash and password_verify. - Alexander O'Mara
@Sarah Yes, but PHP 5.4 is already end-of-life. There are polyfills for obsolete PHP versions though, here's one: github.com/ircmaxell/password_compat - Alexander O'Mara
@Sarah PHP 5.4 isn't currently receiving security updates, I don't know if there are presently any unpatch vulnerabilities, but I generally don't recommend using obsolete versions of PHP. As for which is otherwise more-secure, see SHA512 vs. Blowfish and Bcrypt [closed] (password_hash presently uses Bcrypt with a cost of 10). - Alexander O'Mara

1 Answers

2
votes
$salt = openssl_random_pseudo_bytes(1024); //will generate 2048 chars since a character is half a byte.

Will generate a string of 2048 characters. Therefore the solution is to either increase the size of your salt column to 2048 which is sort of overkill, or generate 32 bytes which will be 64 characters.

$salt = openssl_random_pseudo_bytes(32); //will generate 64 chars

More info on the function here http://php.net/manual/en/function.openssl-random-pseudo-bytes.php

The sha256 hash is of length 64 so the hashedPassword column should be of length 64.(as the name suggests, 256 bits = 32bytes = 64 characters)