Tom C

Reputation: 55

Blowfish encryption - hash is created but will not verify

I wrote this code a while ago which I am now reviving for a new project, but it does not seem to work and I can't for the life of me figure out why it will not verify the hash.

The 2 functions run are below; when registering, the first function, passwordEncrypt(), is called.

When trying to log in, the checkPassword() function is called; instead of logging in and echoing 'yes' it gets to the section where it echoes 'no'.

So please if a fresh set of eyes can have a look many thanks in advance!

// Hash the user's password (crypt() with Blowfish is a one-way hash, not reversible encryption)
function passwordEncrypt($password) {
    // set the salt: 22 characters from bcrypt's alphabet [./A-Za-z0-9],
    // taken from random bytes rather than md5(time()), which is predictable
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);

    // hash using blowfish with a cost of 10; the result is always 60 characters long
    $password = crypt($password, '$2a$10$' . $salt);

    // return the hash
    return $password;
}

/*
    Check password function when logging in:
    first we select the stored password hash for the supplied username from the database,
    then take the salt portion from that hash, re-run crypt() on the entered password
    and check to see if the two hashes match.
*/
function checkPassword($userName, $password, $db) {
    $sql = 'SELECT password FROM users WHERE userName = :userName';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':userName', $userName, PDO::PARAM_STR);
    $stmt->execute();

    // rowCount() is not reliable for SELECT statements on every PDO driver; fetch instead
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false) {
        $hash = $row['password'];

        // run the hash function on $password using the salt from the stored hash
        // ('$2a$10$' + 22 salt characters = the first 29 characters)
        $fullSalt = substr($hash, 0, 29);
        $new_hash = crypt($password, $fullSalt);

        // Check that the password matches (strict comparison; no exit before
        // return, so the caller actually receives the result)
        if ($hash === $new_hash) {
            echo 'yes';
            return true;
        } else {
            echo 'no';
            return false;
        }
    } else {
        echo 'way';
        return false;
    }
}

I have registered a password and then tried it, and this is what it returns:

Password:$2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9 Entered :$2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9hapWU3lYxlg3AAa no

So it is adding on hapWU3lYxlg3AAa

Upvotes: 4

Views: 214

Answers (1)

Funk Forty Niner

Reputation: 74216

"column length is what? 40? 50? 60? other? $2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9 implies being too short. – Fred -ii-"

and

"ah 45 in the database – Tom C"

There you go. The column's length is too short and needs to be 60.

The manual suggests 255.
Slight correction: 255 is what the manual on password_hash() suggests using. However, it would be best to actually use 255, since the manual also suggests keeping the future in mind and considers it to be "a good choice".

You need to clear your rows, alter your column to be 60 or greater, then create a new hash and login again.

$2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9hapWU3lYxlg3AAa

is 60 long


Footnotes:

It has been said that some find it hard to work with crypt(), and using password_hash() or the compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/ is actually easier. The choice is yours.

See this Q&A on Stack also:

Upvotes: 2
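As an added demonstration of the answer's point (this is not code from the question or the answer), the script below reproduces the failure: a bcrypt hash is always 60 characters, a VARCHAR(45) column keeps only the first 45, and because the salt portion survives the truncation crypt() still recomputes a full 60-character hash that can never equal the stored value. It also shows a length/format sanity check a login routine can run on the value read back from the database, and repeats the test with password_hash()/password_verify() from the footnote. The column length 45, the test password and the `storeInColumn()` helper are constructed for the example; it assumes PHP 5.5 or later.

```php
<?php
// Added example, not from the question or answer. Constructed values only.
// Assumes PHP >= 5.5 for password_hash()/password_verify().

// bcrypt output ($2a$/$2y$ prefix) is always exactly 60 characters:
// 7 (prefix + cost) + 22 (salt) + 31 (hash).
const BCRYPT_LENGTH = 60;

// Same idea as the question's passwordEncrypt(), with a random salt.
function passwordEncrypt($password) {
    // 16 random bytes -> 24 base64 chars; bcrypt's alphabet uses '.' not '+'
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

// Simulates what a VARCHAR(45) column does to a 60-character hash.
function storeInColumn($hash, $columnLength) {
    return substr($hash, 0, $columnLength);
}

// Sanity check on a hash read back from the database before verifying it.
function isCompleteBcryptHash($stored) {
    return strlen($stored) === BCRYPT_LENGTH
        && preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $stored) === 1;
}

// Verification as in the question: the first 29 characters (prefix, cost, salt)
// survive truncation, so crypt() recomputes the full 60-character hash, which
// cannot equal a 45-character stored value.
function checkAgainstStored($password, $stored) {
    $recomputed = crypt($password, substr($stored, 0, 29));
    // hash_equals() needs PHP >= 5.6; strict === is the fallback
    return function_exists('hash_equals')
        ? hash_equals($stored, $recomputed)
        : $stored === $recomputed;
}

$password = 'correct horse battery staple';   // constructed test password
$full     = passwordEncrypt($password);
$cut      = storeInColumn($full, 45);         // what a VARCHAR(45) keeps

printf("full hash:     %d chars, verifies: %s\n",
    strlen($full), checkAgainstStored($password, $full) ? 'yes' : 'no');
printf("VARCHAR(45):   %d chars, verifies: %s\n",
    strlen($cut), checkAgainstStored($password, $cut) ? 'yes' : 'no');
printf("complete hash? full: %s, truncated: %s\n",
    isCompleteBcryptHash($full) ? 'yes' : 'no',
    isCompleteBcryptHash($cut) ? 'yes' : 'no');

// Same test with the API the footnote recommends; the 60-character minimum
// (and the manual's advice of 255) applies here just the same.
$modern = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
printf("password_verify full: %s, truncated: %s\n",
    password_verify($password, $modern) ? 'yes' : 'no',
    password_verify($password, storeInColumn($modern, 45)) ? 'yes' : 'no');
```

Run it with `php demo.php`: the full hash verifies and passes the format check, the 45-character copy fails both, and password_verify() fails on the truncated copy in the same way. Rejecting a stored value that fails isCompleteBcryptHash() at login time turns a silent "wrong password" into a clear "hash was truncated in storage" diagnosis.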
