Tharindu Thisarasinghe

Reputation: 3998

Compare hashed password to validate if passwords are matched

I use the Blowfish method to hash the passwords from users when they're signing up.

In the signup form, there is an "Enter Password" box and a "Confirm Password" box.

So, to check whether the passwords match, I used the hashed versions to compare. But then, they don't seem to match.

Please see the code below...

Get values from the superglobal variables and hash them.

$hashed_password = password_encrypt($_POST['password']);
$conf_hashed_password = password_encrypt($_POST['conf_password']);

Call the function

 passwords_match_check($hashed_password, $conf_hashed_password);

Defined function

function passwords_match_check($hashed_pw, $conf_hashed_pw){
    global $errors;
    if($conf_hashed_pw != $hashed_pw){
        $errors['pws_no_match'] = "Passwords do not match";
    }

}

This code always says the passwords do not match, even when I know the passwords are the same...

So, where have I gone wrong?

Is it OK if I just use the values without hashing to compare them?

Upvotes: 0

Views: 769

Answers (2)

ircmaxell

Reputation: 165271

Just use password_hash() and password_verify() (both included in PHP 5.5+). And if you're on 5.3 - 5.5, use the password-compat backwards-compatibility library.

A custom password_encrypt() function is unnecessary and very likely less secure than the built-in one. So just use the built-in one.

Upvotes: 2

Armand

Reputation: 215

Unless you share the password_encrypt function, it's hard to say. If the method seeds the encryption uniquely, both hashes will be different.

(That could be the reason for your failed check.) Why not check the raw input instead of the hashed one?

Upvotes: 0
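
The approach both answers point to, as an added example that is not part of the original posts: compare the raw inputs, then hash once with password_hash() and check later with password_verify(). The function name signup_password_errors() and the sample array standing in for $_POST are assumptions made for illustration.

```php
<?php
// Added example; signup_password_errors() is a hypothetical helper.

// Validate the two form fields on the raw submitted strings, before hashing.
function signup_password_errors(array $post): array
{
    $errors   = [];
    $password = $post['password'] ?? '';
    $confirm  = $post['conf_password'] ?? '';

    if (!is_string($password) || !is_string($confirm) || $password === '') {
        $errors['pw_missing'] = "Password is required";
    } elseif ($password !== $confirm) {
        // Strict comparison: loose != compares numeric strings as numbers,
        // so "1e3" and "1000" would be treated as the same password.
        $errors['pws_no_match'] = "Passwords do not match";
    }
    return $errors;
}

// Constructed sample input standing in for $_POST.
$post = [
    'password'      => 'correct horse battery',
    'conf_password' => 'correct horse battery',
];

$errors = signup_password_errors($post);

if ($errors === []) {
    // Hash once, after validation; this string is what gets stored.
    $stored = password_hash($post['password'], PASSWORD_BCRYPT);

    // A second hash of the same password gets a fresh random salt, which is
    // why comparing two hashes as strings reports a mismatch.
    $second = password_hash($post['password'], PASSWORD_BCRYPT);
    var_dump($stored === $second);

    // At login, password_verify() reads the salt and cost from the stored
    // hash and recomputes, so the right password verifies and others do not.
    var_dump(password_verify($post['password'], $stored));
    var_dump(password_verify('wrong guess', $stored));
} else {
    print_r($errors);
}
```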
