Here's a better example, just a simple check. The stored value in the database has password: fafa (hashed with phpass in registration) and username: fafa; I am using the phpass password hashing framework.

public function demoHash($data) //$data is the post data named password
{

 $hash =new PasswordHash(8, false);
 $query = ORM::factory('user');
 $result = $query
  ->select('username, password')
  ->where('username', 'fafa')
  ->find();
 $hashed = $hash->HashPassword($data);
 $check = $hash->CheckPassword($hashed, $result->password);
 echo $result->username . "<br/>";
 echo $result->password . "<br/>";
 return $check;
}

check is returning false

A: 

Your hashing algorithm should return the same hash when given the same password. Therefore, running HashPassword on the POSTed data should ALWAYS equal the hash saved in the database.

Hash the POSTed password with the same function and compare to the previously saved hash.

Colin O'Dell
Tried what you said... not working... examined the hashed post data... tried to enter the same password 4 times... they all produced different hashes...
A: 

Right now your $hash variable is declared local to the register() function. You need to move it outside both functions and use global $hash inside each to scope it properly, or initialize it separately in both functions as a local variable.

Edit: Modifications to your updated code below.

public function demoHash($data) //$data is the post data named password
{

        $hash =new PasswordHash(8, false);
        $query = ORM::factory('user');
        $result = $query
                ->select('username, password')
                ->where('username', 'fafa')
                ->find();
        //$hashed = $hash->HashPassword($data);
        $check = $hash->CheckPassword($data, $result->password);
        echo $result->username . "<br/>";
        echo $result->password . "<br/>";
        return $check;
}

Don't pass a hashed input to the first argument of CheckPassword - it's designed to do the hashing on its own.

Amber
I've updated the code... I now have them in a function that handles incoming data... look at the update
You don't pass a hashed value to the first argument of CheckPassword() - you pass the plaintext of the user's input and CheckPassword automatically hashes it for you. I've updated my answer with an example.
Amber
still not working, removed the line you just removed...still getting a false
Try echoing out both `$result->password` and the value returned from `HashPassword($data)` and compare them yourself. Perhaps something's up with logic outside of phpass itself?
Amber
Tried doing that. Tried 6 times, phpass generated a different value for HashPassword($data) each time
A: 

I'm not sure there is enough info here to determine the problem. Let's see if we can clarify a few things. I'll add some values and you let me know if the flow is correct:

function register()
{
// register user
$hash = new PasswordHash(8, FALSE);// hash = abcd1234
$hashed = $hash->HashPassword($hash);// hashed = DF431268

//register logic here
}

function login()
{
// login user
$data = $_POST['password']; // data = abcd1234
$password = // query password here // password = DF431268
$check = $hash->CheckPassword($data, $password); // assuming this function hashes $data through the same $hash->HashPassword($hash) function previously and then returns true if they are the same, check should be true...
return $check; // check is returning false!
}

Can you post the CheckPassword method of your hash class?

Ryan
You can find the entire class here: http://www.openwall.com/phpass/phpass-0.1.tar.gz
Colin O'Dell
A: 

Assuming that $result->password is already hashed, try this:

$check = $hash->CheckPassword($data, $result->password);

Or even this:

$check = $hash->HashPassword($data) === $result->password;
Colin O'Dell
A: 

I got the same problem with CheckPassword() and the problem was actually with my database: the password field was not long enough for storing the entire hashed password.

Seeing the examples phpass comes with, I set my password field to 60 characters in length and now it works.

clinisbut
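The failure modes discussed in this thread, side by side, as an added example that is not code from any of the posters or from phpass itself. It assumes PHP 5.5+ and uses the built-in password_hash()/password_verify() as stand-ins for phpass's HashPassword()/CheckPassword() in bcrypt mode; the helper names, the sample password and the 32-character column width are constructed for illustration.

```php
<?php
// Added illustration; password_hash()/password_verify() stand in for
// phpass's HashPassword()/CheckPassword() (assumption: bcrypt mode).

function storeHash(string $plain): string
{
    // Registration: a random salt is generated and embedded in the output.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 8]);
}

function checkLogin(string $plain, string $stored): bool
{
    // Login: the salt is read back out of $stored, so the plaintext
    // input must be passed here, never a freshly computed hash.
    return password_verify($plain, $stored);
}

$stored = storeHash('fafa');   // constructed sample value
$input  = 'fafa';              // what the login form would POST

$results = [
    // 1. Rehash and compare: a new salt gives a new hash every time.
    'rehash_and_compare' => storeHash($input) === $stored,
    // 2. Hash the input, then check it: the hash is treated as the password.
    'check_hashed_input' => checkLogin(storeHash($input), $stored),
    // 3. Correct call: plaintext input against the stored hash.
    'check_plain_input'  => checkLogin($input, $stored),
    // 4. Column too short (hypothetical 32-char field): the hash tail is lost.
    'truncated_column'   => checkLogin($input, substr($stored, 0, 32)),
];

// A bcrypt hash is 60 characters, so the column must hold at least that.
printf("stored hash length: %d\n", strlen($stored));
foreach ($results as $case => $ok) {
    printf("%-20s %s\n", $case, $ok ? 'true' : 'false');
}
```

Only the plaintext-against-stored-hash call verifies; the other three cases fail for the reasons the answers above describe.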