1

I have a site with a user area and admin area. In the admin area, I have a page for creating users and a page for creating admins. On the users and admins pages, I used the code below to hash passwords:

$hasher = new PasswordHash(8, false);
$password = $HTTP_POST_VARS['password'];
$hash = $hasher->HashPassword($password);
$HTTP_POST_VARS['password'] = $hash;

For the user page, the code to check the password is:

$hasher = new PasswordHash(8, false);
$check = $hasher->CheckPassword($password, $arrData[$conf['PASSWORD']['FIELD']]);
if ($check) {
    //login...
}

This works fine perfectly. My user passwords are hashed and it correctly checks the passwords. I use identical code on the admin login page, however, it is not working. It pulls the correct information from the database, but when CheckPassword is used, the passwords do not match. I think it might have something to do with salting because the beginning part of the passwords seem to be the same.

By the way, I am using PHP 4.3.

Charles
  • 50,943
  • 13
  • 104
  • 142
Sean
  • 1,758
  • 3
  • 20
  • 34
  • 2
    @Martin why should that matter? There are many reasons why someone may be forced to use outdated technology. Just help OP answer the question. – Matt Aug 16 '12 at 18:19

2 Answers2

2

I think it might have something to do with salting because the beginning part of the passwords seem to be the same.

I don't know why you might think that, however the beginning parts of the password-hashes (!) should be the same. The hashes created by bcrypt use the modular crypt format that does not just contain the hash value but also an indicator of the used hash function, the number of rounds, and the salt that has been used to create the hash value. That is the part that is the same. See as well a related question I copied this information over from:

This might not answer your question but hopefully clarifies some details for you so that you do not look in the wrong places.

I have the database set to allow for 50 characters now. Does anyone know the longest hash phpass will generate?

That depends on the used hash function. In the article How to manage a PHP application's users and passwords by the author of Phpass, the following example Mysql database schema is given:

create database myapp;
use myapp;
create table users (user varchar(60), pass varchar(60));

You see here, this is a VARCHAR(60). This implies that 60 characters max are enough.

From another perspective, Wordpress uses Phpass as well and has the following password column definition:

user_pass VARCHAR(64)

That implies that 64 characters should be enough for them. However keep in mind that Wordpress also support other hashes, so this might be just a general value and not Phpass specific.

See as well:

Community
  • 1
  • 1
hakre
  • 193,403
  • 52
  • 435
  • 836
0

I think I figured it out. The table storing the admin passwords wasn't storing the entire hash. I can't believe I didn't realize that earlier.

I have the database set to allow for 50 characters now. Does anyone know the longest hash phpass will generate?

Sean
  • 1,758
  • 3
  • 20
  • 34
  • 1
    If your field type is VARCHAR, setting the length to 255 won't have much effect upon the resulting size of the record. CHAR(255) would allocate a 255 long string no matter what: this is what VARCHAR is for. – Robert K Aug 16 '12 at 18:38
  • @Sean: I've updated my answer about the length for the password column in your database and left you two more links to the phpass website that explains everything in a lot more detail. – hakre Aug 17 '12 at 09:06