Mason240

Reputation: 3044

Implementing password hashing/salting algorithm from crackstation.net

I am trying to implement a password hashing/salting algorithm from crackstation.net, but I am unsure how to implement it.

Storing the password upon user registration seems to be as simple as passing the password into create_hash().

$password = create_hash($_POST['Password']);

I'm not following how to validate upon user login. validate_password($password, $good_hash) returns either true or false, and takes $password as a parameter, so it seems like a no-brainer except for the second parameter, $good_hash. Where does this param come from?

It is my understanding that the password is turned into a hash value every time it's used, and that the hash value is what is stored and compared. So why would I have both the $password and $good_hash values?

Quick overview of the functions:

// Crackstation's scheme: create_hash() returns "algorithm:iterations:salt:hash",
// so the salt and parameters travel with the stored hash
// (bodies filled in with PHP's built-in functions so the sketch runs)
function create_hash($password){
    $salt = base64_encode(random_bytes(24));
    $hash = pbkdf2("sha256", $password, $salt, 1000, 24, true);
    return "sha256:1000:" . $salt . ":" . base64_encode($hash);
}

// $good_hash is the string create_hash() produced at registration
function validate_password($password, $good_hash){
    list($algorithm, $iterations, $salt, $stored) = explode(":", $good_hash);
    $stored = base64_decode($stored);
    $test = pbkdf2($algorithm, $password, $salt, (int)$iterations, strlen($stored), true);
    return slow_equals($stored, $test);
}

// constant-time comparison so timing doesn't leak how many bytes matched
function slow_equals($a, $b){
    return hash_equals($a, $b);
}

// $key_length is in bytes; non-raw output is hex, so twice as many characters
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false){
    return hash_pbkdf2($algorithm, $password, $salt, $count, $raw_output ? $key_length : $key_length * 2, $raw_output);
}

Of course a different, better method for this would also be just as helpful. Thank you.

Upvotes: 2

Views: 609

Answers (1)

Explosion Pills

Reputation: 191789

good_hash has been stored in the DB at this point and is the known "good hash." Retrieve it from the DB and compare it to the password the user has submitted, which has now been hashed with the same algorithm.

Upvotes: 2
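The registration/login flow the answer describes, as an added example that is not part of the question or the answer. It uses an in-memory array as a stand-in for the users table, and PHP's built-in password_hash()/password_verify() in place of create_hash()/validate_password(); the contract is the same, the returned string carries its own algorithm, cost and salt, so it is the only thing that needs to be stored.

```php
<?php
// Constructed stand-in for the users table: username => stored hash.
$users = [];

function register(array &$users, string $username, string $password): void {
    // Hash once at registration and store the result; the plaintext is never stored.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $username, string $password): bool {
    // This is where $good_hash comes from: look it up by the submitted username.
    $good_hash = $users[$username] ?? null;
    if ($good_hash === null) {
        // Unknown user: still run a verify against a throwaway hash so the
        // response time does not reveal which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    // Re-hash the submitted password with the salt and parameters embedded in
    // $good_hash and compare in constant time.
    return password_verify($password, $good_hash);
}

register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'mallory', 'anything'));
```

With a real database, replace the array lookup with a SELECT of the hash column by username; nothing else in login() changes.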
