
I tried the top solution post from How do you use bcrypt for hashing passwords in PHP? but can't seem to get an example working. I copied the Bcrypt class and added the following code at the bottom of it.

$bcrypt = new Bcrypt(15);

// pw on server. Used $pwHash = $bcrypt->hash($formPassword); to get the hash from 'qwerty'.
$serverPw = '$2a$15$Ty6hIEEWFpUFHoKujvdmw.9kmyrwYip2s8TLdjDfNoVJuQx/TGgwu'; 

// user enters plain text pw...
$passAttempt = 'qwerty';

// attempt to check the attempted password against the server hashed password.
$pwVerify = $bcrypt->verify($serverPw, $passAttempt); 

if ( $pwVerify == 1 ) {echo "$pwVerify = true";} else {echo "$pwVerify = not true";}
// I also tried if ($pwVerify) and if ($bcrypt->verify($serverPw, $passAttempt))
// Output is "= not true"

What is wrong here?

Leke

1 Answer


You must store the password AND the salt used when you BCrypt, or you'll never get the same string. This class seems pretty broken to me; don't use it. See this example and the documentation to directly use PHP's crypt function.

Edit: You probably should use PHPPass; it seems like a well tested and referenced library.

Ugo Méda
  • I haven't looked deep enough into it to say that the class is broken, but the salt is supposedly concatenated into the hash, it's the first part after `$2a$15$...`. – deceze Jul 04 '12 at 09:59
  • Read [this](http://crackstation.net/hashing-security.htm) also; it's a great source of information and it recommends the OpenWall implementation for PHP – Ugo Méda Jul 06 '12 at 12:08
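As an added example (not the asker's Bcrypt class and not code from the linked answer), the following shows the point made in the comments: the salt is carried inside the bcrypt string itself, so verifying with PHP's own crypt() only needs the stored hash. The helper names (bcryptSalt, bcryptHash, bcryptVerify, bcryptParts) are mine; it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example: bcrypt with PHP's crypt(). A bcrypt string is
// "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest = 60 chars.
// crypt() also accepts "$2a$"-prefixed hashes like the one in the question.

// Build a salt string in the form crypt() expects: "$2y$<cost>$" plus 22 chars
// from the bcrypt alphabet [./A-Za-z0-9].
function bcryptSalt(int $cost): string {
    $raw = random_bytes(16);                                    // 128 random bits
    $b64 = substr(strtr(base64_encode($raw), '+', '.'), 0, 22); // bcrypt uses '.' where base64 uses '+'
    return sprintf('$2y$%02d$%s', $cost, $b64);
}

// Hash a password for storage. Only the returned string needs to be stored;
// the salt and cost are embedded in it.
function bcryptHash(string $password, int $cost = 10): string {
    $hash = crypt($password, bcryptSalt($cost));
    if (strlen($hash) !== 60) {          // crypt() returns a short string such as "*0" on failure
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify by passing the stored hash as the "salt" argument: crypt() reads the
// algorithm id, cost and salt out of it and recomputes the digest, which must
// reproduce the same 60 characters. hash_equals() compares in constant time.
function bcryptVerify(string $storedHash, string $attempt): bool {
    return hash_equals($storedHash, crypt($attempt, $storedHash));
}

// Split a stored hash into its fields so the embedded salt is visible.
function bcryptParts(string $hash): array {
    return [
        'id'     => substr($hash, 1, 2),          // "2a" or "2y"
        'cost'   => (int) substr($hash, 4, 2),    // work factor, e.g. 15 in the question
        'salt'   => substr($hash, 7, 22),         // the part deceze's comment refers to
        'digest' => substr($hash, 29, 31),
    ];
}

$stored = bcryptHash('qwerty', 10);   // constructed sample; cost 10 keeps the demo fast
print_r(bcryptParts($stored));
var_dump(bcryptVerify($stored, 'qwerty'));
var_dump(bcryptVerify($stored, 'qwertz'));
// From PHP 5.5 onward, password_hash() and password_verify() wrap exactly this logic.
```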