Jacky Shek

Reputation: 955

BCrypt of PHP cannot verify the password

I have tested the password_verify of PHP and it does not verify correctly. I am using CentOS and PHP version 5.3.3. I know the 5.3.3 version of PHP does not provide the password_hash function, so I have used https://github.com/ircmaxell/password_compat

However, it always returns true with different passwords when I verify it. Does my code have a bug?

Here is my code:

    // password_hash()/password_verify() come from ircmaxell/password_compat on PHP 5.3
    require_once 'lib/password.php';

    $password = 'k32AlGOPqvCzoh*Sp(Hdrr26]M=lQb00R&W=hew|-|([(03vp==A8%m?l=eA2^bs_|\qVV3WZ';

    // same prefix as $password, with extra characters appended
    $verify_pw = 'k32AlGOPqvCzoh*Sp(Hdrr26]M=lQb00R&W=hew|-|([(03vp==A8%m?l=eA2^bs_|\qVV3WZasdasdasdasdqweqa13123';

    $options = array(
        'cost' => 15
    );

    $hash = password_hash($password, PASSWORD_BCRYPT, $options);

    var_dump(password_verify($verify_pw, $hash)); // always true

Upvotes: 0

Views: 174

Answers (1)

ins0

Reputation: 3928

The problem is not your code. Bcrypt has a string limit of 56 bytes, i.e. 55 chars.

https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node4.html

the key argument is a secret encryption key, which can be a user-chosen password of up to 56 bytes (including a terminating zero byte when the key is an ASCII string).

So your string gets truncated, and that is the reason why your password_verify always returns true: the truncated strings are identical.

Upvotes: 2
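The truncation described in the answer can be checked and defended against in the asker's own environment. The following is an added example, not code from the question or from ircmaxell/password_compat; the function and constant names are ours, and it assumes password_compat's lib/password.php is on the include path (on PHP 5.5 and later the password_* functions are built in). The limit it checks against is the 72 bytes that PHP's bcrypt implementation actually consumes (the asker's first string is already longer than that). Run as written, the plain password_hash/password_verify pair reproduces the question's symptom, because the two strings share their first 72 bytes, while the pre-hashed variant verifies the original password and rejects the longer one.

```php
<?php
// Added example (not the asker's or password_compat's code).
// On PHP 5.3/5.4 the password_* functions come from password_compat:
require_once 'lib/password.php';

// bcrypt only uses the first 72 bytes of the password; the rest is ignored.
define('BCRYPT_MAX_BYTES', 72);

// Defensive check: flag passwords that bcrypt would silently truncate.
// strlen() counts bytes, which is what matters here, not characters.
function bcrypt_would_truncate($password)
{
    return strlen($password) > BCRYPT_MAX_BYTES;
}

// Mitigation: reduce the password to a fixed-length digest before bcrypt.
// hash(..., true) returns 32 raw bytes; base64 turns that into 44 printable
// characters, so the value is well under 72 bytes and contains no NUL byte
// (a NUL byte would itself end the bcrypt input early).
function prehash_for_bcrypt($password)
{
    return base64_encode(hash('sha256', $password, true));
}

function hash_password($password, $cost = 10)
{
    return password_hash(prehash_for_bcrypt($password), PASSWORD_BCRYPT, array('cost' => $cost));
}

function verify_password($password, $hash)
{
    return password_verify(prehash_for_bcrypt($password), $hash);
}

// --- demonstration with the two strings from the question ---
$password  = 'k32AlGOPqvCzoh*Sp(Hdrr26]M=lQb00R&W=hew|-|([(03vp==A8%m?l=eA2^bs_|\qVV3WZ';
$verify_pw = $password . 'asdasdasdasdqweqa13123'; // same prefix, extra bytes appended

echo "password length in bytes: " . strlen($password) . "\n";
var_dump(bcrypt_would_truncate($password)); // the original string is already over the limit

// 1) Plain bcrypt: only the first 72 bytes of each string reach the hash,
//    and those bytes are identical, so the longer string also verifies.
$plain = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
var_dump(password_verify($verify_pw, $plain));

// 2) Pre-hashed bcrypt: the SHA-256 digests of the two strings differ,
//    so only the original password verifies.
$hash = hash_password($password);
var_dump(verify_password($password, $hash));
var_dump(verify_password($verify_pw, $hash));
```

Pre-hashing has to be applied on both the hashing and the verifying side, and hashes already stored without it keep verifying only against the plain path, so a migration (re-hash on next successful login) is needed when introducing it. If you would rather not pre-hash, bcrypt_would_truncate() gives you the byte-length check to reject or warn on overlong passwords instead of letting bcrypt drop the tail silently.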
