Reputation: 500
I have a password stored in a database, which was encrypted using PHP's password_hash hashing algorithm.
Example:
password_hash("pass", PASSWORD_DEFAULT);
Would produce the hash:
$2y$10$3e6a/J0xDd1LONdnbkp5nud.WwS3.gV3aHBTYX6r4Bq2BxZTjDCZu
From PHP's documentation:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure. Supported Options:
As it says that it uses the bcrypt algorithm, would there be a way of generating the same hash shown above within my android application client side?
I have tried implementing this using jBcrypt without results.
Upvotes: 2
Views: 3077
Reputation: 5949
Yes, you can recreate the hash on the Android side, but this does not solve your encryption problem. If you send the hash in the clear, an attacker can simply replay the hash, and access your system without having to know the password.
The output of the password_hash function includes the algorithm, cost option, and salt before the actual hash (2y tells you the algorithm, 10 is the cost option in your example). You need to input this into the crypt function on the Android end by supplying these parameters. Normally you just supply the whole output as the input to the crypt function, but this is the token you are trying to validate to begin with, so you need to extract only the parts you need, with the salt depending on the algorithm you use.
The simplest way to do that is to use an existing digest implementation like this, and use a cipher that is supported by the server and client sides like CRYPT_SHA256 or CRYPT_SHA512.
But to reiterate, you should just properly use encryption.
Upvotes: 3
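The answer above says the client must extract the algorithm marker, cost and salt from the stored string and feed them back in as the "settings". The following parser, added here as an example and not code from the question or either answer, shows exactly which pieces of a PHP password_hash string those are, using the sample hash from the question. It decodes the salt and digest with bcrypt's own base64 alphabet (which differs from RFC 4648 in both ordering and padding), so the 22 salt characters come out as the 16 raw bytes a bcrypt implementation actually consumes. The BcryptHash class, parse_bcrypt and the two codec helpers are names chosen for this example.

```python
import base64
import re
from dataclasses import dataclass

# bcrypt's base64 alphabet: different ordering from RFC 4648 and no '=' padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(BCRYPT_ALPHABET, STD_ALPHABET)
_TO_BCRYPT = str.maketrans(STD_ALPHABET, BCRYPT_ALPHABET)

# Modular crypt format for bcrypt, always 60 chars:
#   $2<variant>$<2-digit cost>$<22 salt chars><31 digest chars>
_BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt-base64 by translating to the standard alphabet and re-adding padding."""
    std = text.translate(_TO_STD)
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def bcrypt_b64encode(raw: bytes) -> str:
    """Encode bytes as bcrypt-base64 (standard encoding, padding stripped, alphabet swapped)."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_TO_BCRYPT)


@dataclass(frozen=True)
class BcryptHash:
    variant: str  # "2y" from PHP's password_hash; "2a"/"2b" from other implementations
    cost: int     # log2 of the number of key-expansion rounds (10 in the question)
    salt: str     # 22 bcrypt-base64 chars = 128 bits
    digest: str   # 31 bcrypt-base64 chars = 184 bits (23 bytes of the Blowfish output)

    @property
    def settings(self) -> str:
        """The 29-char prefix ($2y$10$<salt>) a client needs to recompute this exact hash."""
        return f"${self.variant}${self.cost:02d}${self.salt}"

    @property
    def salt_bytes(self) -> bytes:
        return bcrypt_b64decode(self.salt)

    @property
    def digest_bytes(self) -> bytes:
        return bcrypt_b64decode(self.digest)


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored password_hash() string into its components, validating the layout."""
    match = _BCRYPT_RE.match(stored)
    if match is None:
        raise ValueError("not a 60-character bcrypt hash in modular crypt format")
    variant, cost, salt, digest = match.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:
        raise ValueError(f"bcrypt cost out of range: {cost_int}")
    return BcryptHash(variant, cost_int, salt, digest)


if __name__ == "__main__":
    # The sample hash from the question (password "pass", cost 10).
    sample = "$2y$10$3e6a/J0xDd1LONdnbkp5nud.WwS3.gV3aHBTYX6r4Bq2BxZTjDCZu"
    h = parse_bcrypt(sample)
    print("variant:", h.variant)
    print("cost:   ", h.cost)
    print("salt:   ", h.salt, "->", h.salt_bytes.hex())
    print("digest: ", h.digest, "->", h.digest_bytes.hex())
    print("settings the client would need:", h.settings)
```

The settings property is the part a client would have to receive from the server to produce a byte-identical hash; everything after it is the digest itself. The `$2y$` marker was introduced by PHP to label implementations without the old `$2a$` sign-extension bug, so for a correctly implemented library the two markers denote the same computation, and a client library that only parses `$2a$` can be handed the settings string with the marker swapped. Note that this is exactly why the answer's replay warning holds: if the client can compute the stored value from the settings alone, whoever captures that value on the wire holds something equivalent to the password for this server.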
Reputation: 526
I didn't understand why you need to reproduce the same hash in your mobile app but, I guess, you could try this:
You could send the password from your mobile app using another encryption, decrypt it on your PHP server and use password_verify.
I'm counting on you having a password salt on your server to make passwords stronger.
Hope that helps.
Upvotes: 1