Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I have the code
echo password_hash( 'i=badatphp', PASSWORD_BCRYPT, [ 'cost' => 10 ] );
Every time I run the script the password changes
I'm using PHP 7, and in PHP 5 I used to be able to set a salt, but now I can't
How am I supposed to overcome not knowing what the salt is?
The reason you may see a new hash each time your run password_hash this way is because it will automatically generate a new random salt, which will result in a different hash even if the input password is the same.
While, as of PHP 7 the salt option is deprecated, it is definitely not removed from password_hash. Though, you should note that the reason it is deprecated is because it is planned for removal (probably in the next minor release of PHP). The reason it is planned for removal is because it discourages people from using inferior means of generating their salt. Since the function can generate good random salts for you automatically there's really very little reason to want to provide your own.
In any case, password_hash is just a thin wrapper over crypt, which exposes more of the primitives of the underlying API. So if you wanted to provide your own salt through crypt you still could. Though I highly discourage it when PHP can just do it for you with password_hash and in a manner which is not likely to result in error.
The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.
http://php.net/manual/en/function.password-hash.php
As the docs state, the salt is generated and stored in the returned hash so there is no need to pass a salt to the function or to store it separately.
See this answer for a simple example of how to use password_hash.
Related
This question already has answers here:
password_hash returns different value every time
(1 answer)
Using PHP 5.5's password_hash and password_verify function
(4 answers)
Closed 5 years ago.
I have a technical question regarding password_hash() & password_verify().
If I run a sample password through password_hash() many times, I get a different result each time. I guess that’s a Good Thing.
The question is how does password_verify() actually verify the candidate password if the actual hash keeps changing?
I ask this question here because it is PHP related.
For those who think this question is a duplicate:
This question is not a duplicated of the linked questions. I am aware that the value changes, and that password_verify_ works with that.
It is a question of how that happens.
As noted on the manual page for the password_hash() function,
The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.
When the same inputs - algorithm, cost, salt and password - are fed into the password calculation, the same output will be generated. Thus, the password_verify() takes the algorithm, cost and salt from the original calculation, generates a new hash using the password being tested, and compares the previous result with the newly generated one. If they match, the verification succeeds, otherwise it's an error.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I have a PHP login system where I check the username that the user inputted and cross check it with every username in my database. If there is a match it looks at the password and if there is a match again it will grant the user access to their profile. If not they will be redirected to the login screen. I currently store passwords as what they actually are, not encrypted or anything. I was wondering if it is possible to get the password the user inputs when signing up, use an algorithm I will programme such as replace each letter with its corresponding number(a bit more complicated than that obviously). I would then store the password as the output and when reading it in from the database it would be decrypted. Is this safe, if i make my own algorithm or can someone easily look at my code and decipher it?
Do not store encrypted or (shudder) plain text passwords.
If you need to store a password value, store the return from a cryptographic hash function. There's no need to "roll your own" cryptographic hash algorithm. (The strength of a cryptographic algorithm is not produced by keeping the algorithm "secret".)
Cryptographic hash algorithms are the workhorse of modern security.
https://en.wikipedia.org/wiki/Cryptographic_hash_function
When you need to test a password (by comparing a submitted password to a stored password value), just run the submitted password (to be tested) through the same cryptographic hash function, and take the return from that and compare to the stored hash value. If the hash values match, then there is an extremely high probability that the plaintext passwords match. If the hashes don't match, then you are guaranteed that the passwords don't match.
To directly address the specific questions you asked:
Q: Is [my proposed implementation] safe?
A: The short answer is no, it's not safe. The first part of my answer describes a better approach to handling password tokens for authentication.
Q: If i make my own algorithm or can someone easily look at my code and decipher it?
A: The strength of a cryptographic algorithm is not found in keeping the code "secret".
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
hi can anyone tell me how to use crypt() and and password_hash in php 5.6 please?
because i tried and it keeps on giving me this error
Notice: crypt(): No salt parameter was specified.
You must use a randomly generated salt and a strong hash function to produce a secure hash.
The usage is very straight forward, following example is summing it up:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
The password_hash() function is actually a wrapper around the crypt() function, to handle the difficult parts like generating a safe salt, and to make it future proof. So there is no need to call crypt() directly.
The function declaration is as follows:
string crypt ( string $str [, string $salt ] )
But the documentation notes this:
The salt parameter is optional. However, crypt() creates a weak password without the salt. PHP 5.6 or later raise an E_NOTICE error without it. Make sure to specify a strong enough salt for better security.
That is to say, you will just have to ignore the notice if you want to continue using the function without a salt (which would be dumb), or use a salt.
Note, however, that the documentation continues on to say this:
password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.
(That last emphasis is mine.)
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
Improve this question
I just have a little question about the password_hash() function, does it create a ramdom salt for me? I mean I don't have to specify something like this:
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)
Because I suppose that the function creates a random and different salt for EACH of the password?
Another question, if I use PASSWORD_DEFAULT in the function password_hash in this way : password_hash("rasmuslerdorf", PASSWORD_DEFAULT) is like to use password_hash("rasmuslerdorf", PASSWORD_BCRYPT) ?
Salt is automatically generated, but you can specify your own in the options.
As of PHP 5.5 the default algorithm is BCRYPT but it can change over time.
password_hash() will automatically generate a random salt each time it is called, unless you manually specify one in the third argument, $options.
PASSWORD_DEFAULT is equivalent to PASSWORD_BCRYPT as of PHP 5.5, however that may change in the future. You should NOT assume that PASSWORD_DEFAULT will always use the bcrypt algorithm in future versions of PHP.
According to the docs if you don't specify any salt it will generate a random one each time:
salt - to manually provide a salt to use when hashing the password.
Note that this will override and prevent a salt from being
automatically generated.
If omitted, a random salt will be generated by password_hash() for
each password hashed. This is the intended mode of operation.
http://php.net/manual/en/function.password-hash.php
From the very fine manual -
If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
Additionally (your second question) more from the very fine manual -
PASSWORD_DEFAULT (integer)
The default algorithm to use for hashing if no algorithm is provided. This may change in newer PHP releases when newer, stronger hashing algorithms are supported.
...
Values for this constant:
PHP 5.5.0 - PASSWORD_BCRYPT
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
I've recently started on making a login / register system using MYSQL and PHP but I have come across a problem where I have hashed the password on register but when it comes to logging in, it won't work, says incorrect password.
http://snap.binarypaw.com/gc53h3w0.png <-- Register Code
http://snap.binarypaw.com/1qhsyeyw.png <-- Login Code
If anyone has any answers I will be more than delighted.
Edit
The links on this domain are now dead. I apologise for any inconvenience.
In your login code, you need to compare the MD5 hashed version of the entered password with the MD5 hashed version you are storing. If the hashes match, the password matches.
The simplest way to achieve this would be to hash the entered password just before comparing it in the exact same way as you are in the register code:
$query = "SELECT user,pass FROM members WHERE user='$user' AND pass='".md5($pass)."'";
Edit: bear in mind this answers your question directly. However, Mike makes a very valid point in his comment above. MD5 is not a good choice for password hashing as it is weak. In addition, you're not salting your hashes. Making both of these changes would be highly recommended to help secure your users. Some of the related questions on the right, such as this one, would be worth a look to get started.
The other answers have provided direct solutions to your particular problem, but I'll elaborate a little more on the security behind your code - just for your and other's reference. Feel free to add onto this or correct me as necessary.
Storing passwords in md5 is a no-no. This is because the md5 hashing algorithm can be brute-forced easily/quickly. Also, you use mysql_ functions, which are deprecated. You should be using PDO (or alternatively mysqli_ functions). Luckily, you sanitize your data - however, these functions are no longer maintained, so I would recommend switching.
This is a great tutorial on creating a basic log in system with PDO and a SALT. I highly recommend you review it and re-implement your login system with a method like this for a couple reasons:
It will protect you against SQL Injection attacks
It adds a SALT to the password, which makes each hash unique - complicating brute force techniques (see this page for details on why it does this)
It uses a stronger hashing algorithm (sha256) and rehashes a bunch of times (which also helps against brute force attacks by increasing login time - more information)
In general, if you have the opportunity to add more security to your system without unreasonably inconveniencing your users (like storing SALTs and using strong hashing algorithms), take the opportunity ahead of time to reduce the headache you'll face in the future.
Hope this helps!
hash your password in your where clause.
WHERE user ='$user' and pass=md5('$pass')
Make sure $user and $pass are appropriately sanitized prior to building your query string.
As Mike pointed out in the comments md5 is a weak choice for hashing your passwords.
Alternative hashing algorithms can be found here https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html
$pass = md5($pass);
Also don't use mysql_*, as it is deprecated.
In your login code you need to hash the input before you query the database. Insert the line:
$pass = md5($pass);
Before the $query = line.