
I am trying to implement a password hashing/salting algorithm from crackstation.net, but I am unsure how to implement it.

Storing the password upon user registration seems to be as simple as passing the password into create_hash().

$password = create_hash($_POST['Password']);

I'm not following how to validate upon user login. validate_password($password, $good_hash) returns either true or false, and takes $password as a parameter, so it seems like a no-brainer except for the second parameter, $good_hash. Where does this param come from?

It is my understanding that the password is turned into a hash value every time it's used, and that the hash value is what is stored and compared. So why would I have both the $password and $good_hash values?

Quick overview of the functions:

function create_hash($password) {
    // calls pbkdf2()
}

function validate_password($password, $good_hash) {
    // calls pbkdf2()
    // calls slow_equals()
}

function slow_equals($a, $b) {
}

function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
}

Of course, a different, better method for this would also be just as helpful. Thank you.

Mason240
  • I would assume $good_hash is the stored hashed password and $password is the raw one submitted for a login –  Jul 11 '12 at 03:17
  • Do not roll your own, use [PHPass](http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919) – Jacco Jul 12 '12 at 10:48
  • Two PBKDF2 notes: First, use as high an iteration count as you can and maintain sufficient performance during peak load. Second, never ask for more output length than the native hash (SHA-1 is 20 bytes, SHA-224 is 28 bytes, SHA-256 is 32 bytes, SHA-384 is 48 bytes, and SHA-512 is 64 bytes). A different method is password_hash() and password_verify(), available in PHP since 5.5, and since 5.3.7 with a compatibility library, per the [PHP.net Password Hashing FAQ](http://www.php.net/manual/en/faq.passwords.php). – Anti-weakpasswords Mar 25 '14 at 02:51

1 Answer


$good_hash has been stored in the DB at this point and is the known "good hash." Retrieve it from the DB and compare it to the password the user has submitted, which has now been hashed with the same algorithm.

Explosion Pills
  • So I just retrieve the hash stored in the db, and pass it in with the raw password obtained from $_POST. It's so obvious, boy do I feel silly now. – Mason240 Jul 11 '12 at 03:23
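The full register/login round trip that the answer describes, written out as an added example. This is not crackstation.net's code and not the functions from the question; it keeps the same two function names and the same storage format idea (algorithm, iteration count, salt and hash packed into one string) but uses PHP's built-in hash_pbkdf2() and hash_equals() instead of hand-written pbkdf2()/slow_equals(). The in-memory $users array stands in for the database table, the register()/login() wrappers and the constants are my own, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: where $good_hash comes from in a register/login flow.
// Assumes PHP >= 7.1 (hash_pbkdf2, hash_equals, random_bytes, short list syntax).

const PBKDF2_ALGORITHM  = 'sha256';
const PBKDF2_ITERATIONS = 100000;   // raise as far as peak-load latency allows
const PBKDF2_SALT_BYTES = 16;
const PBKDF2_HASH_BYTES = 32;       // never more than the native digest length (SHA-256 = 32)

// Registration: derive a salted hash and return a self-describing string that
// carries everything validate_password() will need later. This string is what
// gets stored in the DB and later comes back as $good_hash.
function create_hash(string $password): string {
    $salt = random_bytes(PBKDF2_SALT_BYTES);          // fresh random salt per user
    $hash = hash_pbkdf2(PBKDF2_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true);
    // Format: algorithm:iterations:base64(salt):base64(hash)
    return implode(':', [PBKDF2_ALGORITHM, PBKDF2_ITERATIONS, base64_encode($salt), base64_encode($hash)]);
}

// Login: $good_hash is the string stored at registration. Re-derive the hash of
// the submitted password with the parameters embedded in it, then compare.
function validate_password(string $password, string $good_hash): bool {
    $parts = explode(':', $good_hash);
    if (count($parts) !== 4) {
        return false;                                  // malformed record: fail closed
    }
    [$algorithm, $iterations, $salt, $stored] = $parts;
    $salt   = base64_decode($salt, true);
    $stored = base64_decode($stored, true);
    if ($salt === false || $stored === false) {
        return false;
    }
    $candidate = hash_pbkdf2($algorithm, $password, $salt, (int)$iterations, strlen($stored), true);
    return hash_equals($stored, $candidate);          // constant-time; plays the role of slow_equals()
}

// --- simulated user table (constructed for this example; a real app uses a DB) ---
$users = [];

function register(array &$users, string $username, string $password): void {
    $users[$username] = create_hash($password);       // only the hash string is stored, never the password
}

function login(array $users, string $username, string $password): bool {
    // Precomputed dummy record so an unknown username costs the same time as a wrong password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = create_hash('dummy-password-never-accepted');
    }
    if (!isset($users[$username])) {
        validate_password($password, $dummy);
        return false;
    }
    $good_hash = $users[$username];                   // this is where $good_hash comes from
    return validate_password($password, $good_hash);
}

register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
```

Because the algorithm name, iteration count and salt travel inside the stored string, the login path needs no extra lookups and the iteration count can be raised for new registrations without breaking old records. On PHP 5.5 and later, password_hash() and password_verify() mentioned in the comments above give the same shape (salt and cost embedded in the stored string, constant-time comparison) with bcrypt and less code to get wrong.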