RaGe10940

Reputation: 667

User authentication using bcrypt

I am basing my bcrypt creation off of this site. I have made some changes to it, though, so this is my version of the code: My version of bcrypt

I have started working on my login form and I have come to the general understanding that to check a user's credentials you must:

  1. recreate the bcrypt

  2. compare the $_POST['password'] that is being submitted to the password you have stored in the database.

  3. return a row count, so if a row is returned where the password that you recreated matches the already stored password, then the row count must == 1.

What I am confused about:

  1. How do I let the checklogin form know what the bcrypt function was to begin with? Do I have to include the register script? Or do I have to copy and paste the bcrypt function?

I have tried to implement this on my user authentication and for some reason it is not working for me.

This is my code; hopefully someone sees a problem that I don't.

Any help would be greatly appreciated.

Upvotes: 1

Views: 1398

Answers (1)

Ja͢ck

Reputation: 173662

What your code is trying to do is similar to how the old md5() unsalted hashes were looked up; PHP calculates the hash and then the database lookup is done based on that hash value and the user name.

Because your code is using a different salt each time it needs to verify a given password, the lookup in the database would practically never work.

With bcrypt it works like this:

  1. Fetch the database record based on the user name.

  2. Use the stored password hash in there to compare against the posted password:

    if (crypt($form_password, $db_hash) === $db_hash) { ... }

Tips

Generating a salt for bcrypt can be much easier (you don't need 10k characters):

rtrim(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), '=');

Also, the cost parameter of 17 is really big ... unless you're running serious hardware, you're going to bring down the site when someone tries to brute force a password.

Upvotes: 2
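The register/login flow the answer describes, written out as an added example (this is not the asker's code, the answerer's code, or code from the linked site). It assumes PHP 7 or later for random_bytes() and uses a constructed in-memory array in place of the users table; the cost, usernames and passwords are made-up sample values.

```php
<?php
// Added example: registration and login with bcrypt via crypt(). At login the stored hash
// is passed as the "salt" argument, so crypt() reuses the cost and salt embedded in it.
// $users is a constructed in-memory stand-in for the database table.

declare(strict_types=1);

const BCRYPT_COST = 12; // 2^12 rounds; a cost of 17 makes every login attempt far too slow

// Build a bcrypt salt string: "$2y$" . two-digit cost . "$" . 22 chars from ./A-Za-z0-9
function bcrypt_salt(int $cost = BCRYPT_COST): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 24 base64 chars; dropping the "==" padding leaves the 22 required.
    // base64 emits "+", which bcrypt's alphabet lacks, so map it to "." ("/" is already valid).
    $salt22 = rtrim(strtr(base64_encode(random_bytes(16)), '+', '.'), '=');
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

// Registration: hash once with a fresh salt and store only the 60-character result.
function register_user(array &$users, string $username, string $password): void
{
    $hash = crypt($password, bcrypt_salt());
    if (strlen($hash) !== 60) {
        // crypt() returns a short failure string (e.g. "*0") if the salt is malformed
        // or bcrypt is unavailable; never store that as a password hash.
        throw new RuntimeException('bcrypt hashing failed');
    }
    $users[$username] = ['password_hash' => $hash];
}

// Login: look the row up by user name only, then recompute with the stored hash as the salt.
// Nothing has to be shared between the register and login scripts: the stored hash
// already carries the algorithm, cost and salt that were used.
function check_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Spend the same hashing effort for an unknown user so response time does not
        // reveal whether the user name exists.
        crypt($password, bcrypt_salt());
        return false;
    }
    $stored = $users[$username]['password_hash'];
    $recomputed = crypt($password, $stored);
    // hash_equals() (PHP 5.6+) compares in constant time; "===" as in the answer is also correct.
    return hash_equals($stored, $recomputed);
}

// Demo with constructed data
$users = [];
register_user($users, 'alice', 'correct horse battery staple');

var_dump(check_login($users, 'alice', 'correct horse battery staple'));
var_dump(check_login($users, 'alice', 'wrong password'));
var_dump(check_login($users, 'nobody', 'anything'));
```

The same flow is what password_hash() and password_verify() (PHP 5.5+) wrap for you: password_hash() generates the salt and returns the self-describing string to store, and password_verify() takes the posted password plus the stored string and does the crypt-and-compare step. If those functions are available, prefer them over hand-building the salt.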
