marcfunk

Reputation: 11

PHP password_verify returns true while hash is incorrect

I have the following code, where the user password contains a blowfish secret and the user password itself.

The hash is a different one (not of the secret and the password!!), but I still get true as the result:

<?php
## password (secret + userpass): the blowfish secret followed by the user's password,
## well over bcrypt's 72-byte limit
$pass = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVdetest';

## hash: a bcrypt ($2y$) hash that was not produced from $pass
$hash = '$2y$10$9VGEg7HamRVDILsFV5dvJu3l5.Psfk4g6N8.Jcn6/gMhoZIKDLAAm';

## verify: bcrypt only looks at the first 72 bytes of $pass
$check = password_verify($pass, $hash);

## check
if (true === $check) {
    var_dump($check);
} else {
    echo "false";
}
?>

I have read a lot and think it can be a problem of the length! The algorithm is limited to 72 chars. For more security, we have a login with a blowfish secret. While hashing, we chain the blowfish secret + user password into one big password, then hash it. While logging in, we chain the blowfish secret and user password again and verify. The result of this is a big password which is hashed in the db.

Upvotes: 1

Views: 83

Answers (2)

ADyson

Reputation: 61784

Did you use password_hash with the PASSWORD_BCRYPT option (or with PASSWORD_DEFAULT, since Bcrypt is currently the default algorithm)? As per the PHP documentation for password_hash, that will indeed truncate the password to 72 characters.

Example of the issue:

// the full secret + password string from the question
$pass = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQyfz9XRx6ARBc897YVdetest';
// only the first 72 characters of $pass
$pass2 = 'PNvH5GFfUKktXWpydfAMXMYKayjEP3GzfJbaenmzuAHSTv7rQgW8t4ShEKpdcD5nek8eArGQ';

// PASSWORD_DEFAULT is bcrypt, so everything after byte 72 is ignored
$hash = password_hash($pass, PASSWORD_DEFAULT);

echo $hash.PHP_EOL;

// the truncated string verifies against the hash of the full string
var_dump(password_verify($pass2, $hash));

Live demo: https://3v4l.org/Y2pTX

If you want very long passwords, I suggest using a different algorithm which doesn't have this issue. Either that, or don't use the extra blowfish salt (which shouldn't be necessary), or at least reduce its length.

Upvotes: 2
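The truncation ADyson shows above, together with a way to keep a server-side secret (the question's "blowfish secret", usually called a pepper) without running into the 72-byte limit, as an added example that is not part of the question or either answer. It assumes PHP 7.2 or later; the pepper, the passwords and the function names are constructed for this example, and the Argon2id branch only runs when the PHP build has that algorithm.

```php
<?php
// Added example: bcrypt (PASSWORD_BCRYPT / PASSWORD_DEFAULT) compares only the
// first 72 bytes. Prepending a long secret to the password therefore makes the
// password itself irrelevant. Values below are constructed for illustration.
declare(strict_types=1);

// True when bcrypt would silently ignore part of $input (strlen counts bytes).
function exceedsBcryptLimit(string $input): bool
{
    return strlen($input) > 72;
}

// The scheme from the question: secret . password fed straight into bcrypt.
function legacyHash(string $pepper, string $password): string
{
    return password_hash($pepper . $password, PASSWORD_BCRYPT);
}

// Fix 1: pre-hash with HMAC-SHA256 keyed by the pepper, then bcrypt the
// 44-character base64 result. It is always under 72 bytes and contains no NUL
// byte, so nothing is truncated and the pepper still binds the hash to this server.
function prehash(string $pepper, string $password): string
{
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

function hashWithPepper(string $pepper, string $password): string
{
    return password_hash(prehash($pepper, $password), PASSWORD_BCRYPT);
}

function verifyWithPepper(string $pepper, string $password, string $hash): bool
{
    return password_verify(prehash($pepper, $password), $hash);
}

// Constructed inputs: a 72-byte secret, as long as the one in the question.
$pepper   = str_repeat('P', 72);
$password = 'correct-horse';
$other    = 'wrong-horse';

$combined = $pepper . $password;
var_dump(exceedsBcryptLimit($combined));

// Legacy scheme: the secret alone fills all 72 bytes, so a different password
// still verifies. This is the behaviour the question reports.
$legacy = legacyHash($pepper, $password);
var_dump(password_verify($pepper . $other, $legacy));

// Pre-hashed scheme: wrong password or wrong pepper no longer verifies.
$fixed = hashWithPepper($pepper, $password);
var_dump(verifyWithPepper($pepper, $password, $fixed));
var_dump(verifyWithPepper($pepper, $other, $fixed));
var_dump(verifyWithPepper('different-pepper', $password, $fixed));

// Fix 2: Argon2id has no 72-byte limit, so the concatenated string is hashed whole.
if (defined('PASSWORD_ARGON2ID')) {
    $argon = password_hash($combined, PASSWORD_ARGON2ID);
    var_dump(password_verify($pepper . $other, $argon));
}
```

The useful check for an existing code base is `exceedsBcryptLimit()` applied to whatever string actually reaches `password_hash()`: if it ever returns true, any two users whose inputs share the first 72 bytes are interchangeable at login. Pre-hashing with an HMAC keeps the pepper's benefit (a stolen database is useless without the server-side key) while staying inside bcrypt's limit; switching to Argon2id removes the limit altogether.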

Khurram Malik Km

Reputation: 1

Please use password_hash() for generating the hash for the password then use this hash in password_verify() function.

<?php
$pass = "secret_password";

$hash = password_hash($pass, PASSWORD_DEFAULT); // please use this for generating the hash

## verify
$check = password_verify($pass, $hash);

## check
if (true === $check) {
    var_dump($check);
} else {
    echo "false";
}
?>

Upvotes: -2
