
I'm using phpass when my users type in a password upon signup and login. It's working when I'm working locally on my Mac.

But when I hash a password when I'm online, it's like it's hashing in the wrong way.

I have imported the local db to the online db, and the password generated when I was local works perfectly when I'm online.

So... it's like something's going completely wrong when I'm using phpass online.

I'm using it like this:

$hasher = new PasswordHash(8, FALSE);
// HashPassword is a method of the PasswordHash object, not a global function
$password = $hasher->HashPassword($_POST["password"]);

This would give me something like:

_zzD.NrhAaUmhr6G8i5E //when I'm local
$2a$08$mt3//cn0tqMmug/.tjKeC.AbZhYyj470EY9zSivZvNOtwk4A //when I'm online

When I'm checking password it's like this:

$hasher = new PasswordHash(8, FALSE);
// CheckPassword is a method of the PasswordHash object; it returns true/false
$valid = $hasher->CheckPassword($_POST["password"], $row["password"]);
//$_POST is of course the submitted password
//$row is the password hash for the user from the db.
//the user is found on the username and then I'm checking the password.

I have absolutely no idea what's wrong. I was hoping someone on SO has had the same problems.

  • Probably the PHPASS uses on the server other available functions (to hash password) than at local server. – Bartosz Grzybowski Jun 13 '12 at 13:37
  • @BartoszGrzybowski But in user-manual it's told to use it like this. That's why I don't understand it. – skolind Jun 13 '12 at 13:40
  • 1
    The code You provided is ok, but hash can be different - it depends on server machine and setup - as far I remember phppass uses what is avalable on php setup (installed modules etc) so depending on the machine hashes can be different. Try to generate password on the server side and then check if it's correct - don't import password hashes from other machines. – Bartosz Grzybowski Jun 13 '12 at 13:44

1 Answer


The preferred hashing method supported by phpass is the Blowfish-based bcrypt, with a fallback to BSDI-style extended DES-based hashes and a last resort fallback to MD5-based salted and variable iteration count password hashes implemented in phpass itself.

It is likely that your environments are using different hashing algorithms. You should ensure that both your development and production environments support blowfish encryption.

As a weaker alternative, this article mentions that:

The MD5-based salted and stretched hashing implemented in phpass itself is supported on all systems. phpass provides a way for you to force the use of these "portable" hashes - this is a Boolean parameter to the PasswordHash constructor function.

The second option to the PasswordHash constructor is $portable_hashes which can force the library to produce (weaker) hashes which are safe to move between machines. Try using

$hasher = new PasswordHash(8, true);
  • It's working if I'm using the "TRUE" parameter. But that's also less secure, at least I believe that's what I read in the user manuals. But maybe I misunderstood it? – skolind Jun 13 '12 at 13:49
  • It is definitely less secure. The better solution is to make sure blowfish encryption is supported in both environments. – user229044 Jun 13 '12 at 13:50
  • How would I check if it's supporting blowfish encryption? I guess it's something to ask my hosting service about? – skolind Jun 13 '12 at 13:52
  • Check for the predefined symbol `CRYPT_BLOWFISH`; if it is `1`, there is support for the blowfish hashing algorithm. – user229044 Jun 13 '12 at 13:53
  • @Bartosz Actually we arrived independently at the same answer, but thanks for the feedback. – user229044 Jun 13 '12 at 13:57
  • Yeah I found that out :) And it equals 1. – skolind Jun 13 '12 at 13:57
  • This guy: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php tells you to use: $hasher = new Bcrypt($password); is this the right way to do it or what? Now I am confused. – skolind Jun 13 '12 at 14:00
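To make the answer's diagnosis concrete, here is an added example (not code from the question, the answer, or the phpass library) that tells you which phpass backend produced a stored hash and whether the PHP build it is being checked on can verify it. It assumes only PHP's own CRYPT_BLOWFISH and CRYPT_EXT_DES constants and the documented phpass prefixes ("$2a$"/"$2y$" bcrypt, "_" extended DES, "$P$"/"$H$" portable); the two sample hashes are the ones posted in the question.

```php
<?php
// Added example: classify a phpass hash by its prefix and check whether the
// current PHP build's crypt() can verify it. Not part of phpass itself.

function phpass_hash_kind(string $hash): string
{
    if (preg_match('/^\$2[axy]\$\d{2}\$/', $hash)) {
        return 'bcrypt';            // needs CRYPT_BLOWFISH in crypt()
    }
    if ($hash !== '' && $hash[0] === '_' && strlen($hash) === 20) {
        return 'extended-des';      // BSDI-style fallback, needs CRYPT_EXT_DES
    }
    if (preg_match('/^\$[PH]\$/', $hash) && strlen($hash) === 34) {
        return 'portable-md5';      // implemented inside phpass, works anywhere
    }
    return 'unknown';
}

function crypt_support_report(): array
{
    // PHP defines these to 1 when the algorithm is available to crypt().
    return [
        'bcrypt'       => defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1,
        'extended-des' => defined('CRYPT_EXT_DES') && CRYPT_EXT_DES === 1,
        'portable-md5' => true,    // no crypt() backend required
    ];
}

// True when a hash generated on another machine can be checked on this one.
function hash_verifiable_here(string $hash): bool
{
    $support = crypt_support_report();
    $kind = phpass_hash_kind($hash);
    return isset($support[$kind]) && $support[$kind];
}

// Constructed run using the two hashes shown in the question: the local one
// is extended DES (local PHP lacked bcrypt), the online one is bcrypt.
$samples = [
    '_zzD.NrhAaUmhr6G8i5E',
    '$2a$08$mt3//cn0tqMmug/.tjKeC.AbZhYyj470EY9zSivZvNOtwk4A',
];
foreach ($samples as $h) {
    printf("%-12s verifiable on this build: %s\n",
        phpass_hash_kind($h), hash_verifiable_here($h) ? 'yes' : 'no');
}
```

Run it on both the development and the production box: if the two reports differ for 'bcrypt', that is exactly the mismatch the answer describes, and the fix is to get CRYPT_BLOWFISH to 1 on both rather than to fall back to portable hashes.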