Reputation: 532
Cannot compare BCRYPT passwords
I am following the guide in this website http://www.gregboggs.com/php-blowfish-random-salted-passwords/ but for some reason when checking if password are the same it fails.
The html is simple, 2 forms one for creating accounts and then one for checking. code can be seen here http://jsfiddle.net/Xf2Tc/
As output i get: salt = salt in database password in database: $2a$05$BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4/EtmnJ7Fz2CkoVha but the re-ENCRYPTED password is always something REALLY REALLY small. BcPgSBqZz80dw
I must be using the salt wrong or something.
If someoen can edit to be more organized, i would appreciate it.
<?php
defined( '_JEXEC' ) or die( 'Restricted access' );
$hostname="exampleHost";
$database="exampleDB";
$username="exampleUsername";
$password="examplePassword";
if(isset($_POST['Upassword'])&&isset($_POST['account'])&&!empty($_POST['Upassword'])&&!empty($_POST['account'])) {
try {
$pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$Upassword = mysql_real_escape_string($_POST['Upassword']);
$account = mysql_real_escape_string($_POST['account']);
//This string tells crypt to use blowfish for 5 rounds.
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$Allowed_Chars ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
// 18 would be secure as well.
$Salt_Length = 21;
$mysql_date = date( 'Y-m-d' );
$salt = "";
for($i=0; $i<$Salt_Length; $i++)
{
$salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hashed_password = crypt($Upassword, $bcrypt_salt);
$stmt = $pdo->prepare("INSERT INTO users (reg_date, account, salt, password) VALUES (:mysql_date, :account, :salt, :hashed_password)");
$stmt->bindParam(':mysql_date', $mysql_date, PDO::PARAM_STR);
$stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
$stmt->bindParam(':account', $_POST['account'], PDO::PARAM_STR);
$stmt->bindParam(':hashed_password', $hashed_password, PDO::PARAM_STR);
$stmt->execute();
} catch(PDOException $e) {
//file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
echo 'ERROR: ' . $e->getMessage();
}
}
/*
* to test for correct encryption
*
*/
if(isset($_POST['Upassword2'])&&isset($_POST['account2'])&&!empty($_POST['Upassword2'])&&!empty($_POST['account2'])) {
try {
$pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$stmt = $pdo->prepare("SELECT salt, password FROM users WHERE account=:account");
$stmt->bindParam(':account', $_POST['account2'], PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$Upassword2 = mysql_real_escape_string($_POST['Upassword2']);
echo $row['salt'];
$bcrypt_salt = $Blowfish_Pre . $row['salt'] . $Blowfish_End;
$hashed_password = crypt($Upassword2, $bcrypt_salt);
echo "PassDB: " . $row['password'];
echo '-------------------------------------------';
echo "result: " . $hashed_password;
echo '-------------------------------------------';
if ($hashed_password == $row['password']) {
echo 'Password verified!';
}
echo 'i am here';
} catch(PDOException $e) {
//file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
echo 'ERROR: ' . $e->getMessage();
}
}
?>
Upvotes: 2
Views: 439
Answers (1)
Reputation: 532
As you see I am separating my code into 2 if statements, meaning my Blowfish_Pre and $Blowfish_End were not being set when checking for correct password.
Solution either set this variables before the if statement or to use set them twice.
Hope it helps someone.
Upvotes: 1
Related Questions
- PHP - Bcrypt hash comparison always fails
- How to Compare BCRYPT Hashed Passwords in PHP
- php mysql bcrypt and password doesn't match
- PHP crypt() Blowfish Function Not Working
- BCrypt of PHP cannot verify the password
- Compare two hashes with bcrypt (PHP)
- Comparing passwords with crypt() in PHP
- Match passwords after using CRYPT_BLOWFISH
- Compare BCrypt hash to Bcrypt hash PHP
- PHP Bcrypt hashing