
I was looking into best practice for password protection; everybody is talking about bcrypt and other hashing classes. But I can't get how to verify a password if it contains a unique random salt.

For cookies it's fine, but without them each time there would be a unique crypted value, so how can I verify a user's password with random values? Oo. Or is bcrypt only for cookies? Then what should I do with the password in the DB?

Please describe my mistakes to me - what I've missed when learning about it.

Yaroslav
Maxo

2 Answers


The bcrypt algorithm creates a random salt that is stored as part of the hash in a standardised way.

See How do you use bcrypt for hashing passwords in PHP? for a working example.

See also:

(edited heavily since my answer was wrong before)

John Carter
  • 10x. Just join (random data + crypted pass)? And to verify, the script is going to take a chunk of the pass, without the salt, and check it against the passed data? I was trying to use **bcrypt**, but I have to generate a unique hash each time and pass it into the _check()_ function; it means each time there would be a random hash, am I right? I know the hash should be refreshed each time, but how does it check for validity if every time it should be random? – Maxo Oct 01 '12 at 04:54
  • Why would you need an additional salt on top of the one used for `bcrypt`? – Ja͢ck Oct 01 '12 at 05:11
  • @Jack you don't. Maybe you're misunderstanding my answer? – John Carter Oct 01 '12 at 05:12
  • @Jack removed one mention of salt that might have been confusing. – John Carter Oct 01 '12 at 05:14
  • "You store a random salt for each user in the database along with their hashed password" - that's unnecessary with bcrypt, because the hash already contains the salt. – Ja͢ck Oct 01 '12 at 05:20
  • @Jack, you're quite right, that teaches me for answering questions on topics I'm not familiar with! Edited my answer. – John Carter Oct 01 '12 at 07:31

There will be a group of functions in the next PHP version; for details see the accepted RFC.

Anthony, the author of the RFC and the patch, was kind enough to provide a compatibility library written in PHP so you can start using this new functionality now!

Behind the scenes it uses crypt with the strongest algorithm currently known.

Maerlyn
  • Tell me please, how can a password with a random salt be verified?? My server's PHP is only 5.2; what's your recipe in that case? – Maxo Oct 01 '12 at 05:06
  • The library I linked has a function for that called `password_verify`. You should update your server: PHP 5.3 is already 5 years old, and support for 5.2 ended two years ago. – Maerlyn Oct 01 '12 at 05:12
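Both answers make the same point: the salt is embedded in the bcrypt string itself, so `password_verify` re-hashes the candidate with that stored salt rather than a fresh one. The following is an added example (not code from either answer or from the password_compat library) that assumes PHP 5.6 or later; `bcrypt_parts` and `login` are helper names chosen here, not library functions.

```php
<?php
// Added example: registration and login with PHP's native
// password_hash()/password_verify(). Shows why a random salt does not
// prevent verification: the salt travels inside the stored hash string.

// --- registration: hash once, store the whole 60-char string in the DB ---
$password = 'correct horse battery staple';            // constructed sample input
$stored   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// $stored has the form "$2y$12$" . <22-char salt> . <31-char digest>

// Split a bcrypt string into its parts (hypothetical helper, not a library call).
function bcrypt_parts($hash) {
    // "$2y$NN$" prefix (7 chars), then 22 salt chars, then 31 digest chars
    if (!preg_match('/^\$2[aby]\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        return null;                                   // not a bcrypt string
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

// --- login: the candidate is hashed with the SAME salt read from $stored ---
function login($stored, $candidate) {
    // password_verify() parses cost and salt out of $stored, re-derives the
    // digest, and compares in constant time. Nothing random happens here.
    return password_verify($candidate, $stored);
}

$parts = bcrypt_parts($stored);
printf("cost=%d salt=%s\n", $parts['cost'], $parts['salt']);

echo login($stored, $password)       ? "correct password accepted\n" : "BUG\n";
echo login($stored, 'wrong password') ? "BUG\n" : "wrong password rejected\n";

// Hashing the same password again yields a different string (new salt)...
$again = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
echo ($again === $stored) ? "BUG\n" : "second hash differs (new salt)\n";
// ...yet it still verifies, because it carries its own salt.
echo login($again, $password) ? "second hash also accepted\n" : "BUG\n";

// What password_verify() does under the hood: crypt() treats the first
// 29 chars ("$2y$12$" + 22-char salt) as the setting, so re-deriving with
// the stored setting reproduces the stored string exactly.
$rehashed = crypt($password, substr($stored, 0, 29));
echo hash_equals($stored, $rehashed) ? "crypt() with stored salt matches\n" : "BUG\n";
```

Only the single `$stored` string needs to be kept per user; no separate salt column is required, which is the point Ja͢ck raises in the comments on the first answer.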