casraf

Reputation: 21684

Using bcrypt for user passwords

I'm using phpass's bcrypt functionality to hash a password on my site. Now, it wouldn't really work. Trying to compare with the CheckPassword function wouldn't work. I did extensive debugging of every string coming out of every function I used to decrypt the hashes and came to the conclusion that the hash generated by bcrypt is pretty random. So, the newly generated hash of the plaintext password would never match the one in my database. Is that true? If so, how the hell do I make it work? The source code is rather simple.

// when creating user 
<db insert code>$hash->HashPassword($_POST['password']);

// when logging in
return $hash->CheckPassword($user->password, $_POST['password']);

Upvotes: 0

Views: 941

Answers (1)

Gareth Latty

Reputation: 88977

Edit: The problem is you have the order wrong, you need the password, then the stored hash.

$check = $hasher->CheckPassword($password, $stored_hash);

Source

This matters: as I said before (below), the stored hash is used to decide how to hash the password for comparison, so the wrong argument order will cause the check to fail.

Answer from before:

You don't decrypt a hash; you check it by hashing the comparable data in the same way. BCrypt hashes include the hash, the salt and the number of rounds, so there should be no problem in checking this.

The reason that the hashes are never the same is the salt will be different each time. This is to protect from rainbow table attacks.

As far as I can tell, your check is sound. The problem must be elsewhere. Are you sure that $user->password actually contains the hash in full? BCrypt hashes are 60 characters, so make sure it isn't being truncated.

Upvotes: 1
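The correct phpass flow from the answer (plaintext first, stored hash second) together with the 60-character truncation check, as an added example that is not code from the question or the answer. It assumes phpass's PasswordHash.php is on the include path; the register_hash and verify_login function names are the example's own.

```php
<?php
// Added example: correct phpass usage for storing and checking bcrypt hashes.
// Assumes PasswordHash.php from phpass is available (assumption, not from the page).
require_once 'PasswordHash.php';

// Cost 8 (2^8 rounds); portable = false asks phpass for bcrypt ($2a$/$2y$).
$hasher = new PasswordHash(8, false);

// Called once, when the user is created. Store the returned string as-is.
function register_hash(PasswordHash $hasher, string $password): string
{
    $hash = $hasher->HashPassword($password);
    // phpass silently falls back to a weaker scheme (or returns '*') when bcrypt
    // is unavailable; a real bcrypt hash is exactly 60 chars and starts with "$2".
    if (strlen($hash) !== 60 || strncmp($hash, '$2', 2) !== 0) {
        throw new RuntimeException('bcrypt unavailable; refusing to store a weaker hash');
    }
    return $hash;
}

// Called on login. The stored hash carries the salt and cost, so CheckPassword
// re-hashes the submitted password with those parameters and compares the result.
function verify_login(PasswordHash $hasher, string $stored_hash, string $password): bool
{
    // A column that is too short (e.g. VARCHAR(32)) truncates the hash on insert;
    // detect that here instead of letting every login fail with no explanation.
    if (strlen($stored_hash) !== 60) {
        return false;
    }
    // Argument order: plaintext password first, stored hash second.
    return $hasher->CheckPassword($password, $stored_hash);
}

// Constructed demonstration values.
$stored = register_hash($hasher, 'correct horse battery staple');
var_dump(verify_login($hasher, $stored, 'correct horse battery staple'));
var_dump(verify_login($hasher, $stored, 'wrong password'));
var_dump(verify_login($hasher, substr($stored, 0, 32), 'correct horse battery staple'));
```

Running register_hash twice for the same password yields two different strings because each call generates a fresh salt; both verify correctly through verify_login.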
