
I have made a password hashing script using this and this; I am getting it to work correctly except that sometimes the crypt function gives the hash as "*0", and then it fails.

PHP code

    $password = 'password';
    // bcrypt prefix with cost 07
    $salt = '$2y$07$';
    // 16 random bytes, base64-encoded (24 chars: 22 significant + "==" padding)
    $salt .= base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_RANDOM));
    $salt .= '$$';
    $password_hash = crypt($password, $salt);

    echo $password_hash.'<br />';

Using the above I am getting values as

    $salt = '$2y$07$8K3i8rJ7n7bsJA36CfbabQ==$$';
    $crypt_password = $password_hash;
    $crypt_password = '$2y$07$8K3i8rJ7n7bsJA36CfbabO9ojj2hl61azl8CubJQhRTgla4ICiCVC';
    if (crypt($password, $crypt_password) === $crypt_password) {
        echo 'password verified';
    } else {
        echo 'password NOT verified';
    }

Please see and suggest any possible way to make it work correctly.

Thanks.

  • `$crypt_password = $password_hash` sorry I didn't mention above –  Oct 15 '12 at 15:45
  • The verification step is correct (`crypt` extracts the salt out of the "hash" returned by `crypt`). The problem is that `base64_encode` emits invalid characters, for example `+` (characters accepted by `crypt`: `"./0-9A-Za-z"`). If `base64_encode` returns an invalid character, `"*0"` is returned. – vstm Oct 15 '12 at 15:47
  • Why are you writing your own when there are several [bcrypt](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) implementations here? – tadman Oct 15 '12 at 15:47

1 Answer

The problem is that base64_encode may generate a string containing the '+' symbol, which is considered an incorrect salt by the crypt function.

var_dump your $salt along with $password, and you'll see that each time the + character appears in the salt, the crypt function returns the string '*0' - the sign of failure.

One possible way of solving it is replacing all '+' signs with '.':

    $salt = str_replace('+', '.', $salt);
raina77ow
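The fix above, worked through as an added example (not the question's or the answer's code): the 22 salt characters are forced into crypt()'s accepted alphabet `./0-9A-Za-z` before hashing, the `*0` failure case is caught, and verification re-reads the salt from the stored hash. It assumes PHP 7+ for `random_bytes()` and `hash_equals()`; the function names are the example's own.

```php
<?php
// Added example: build a bcrypt salt that crypt() accepts, hash, and verify.
// Assumes PHP 7+ (random_bytes, hash_equals, scalar type hints).

function bcrypt_salt(int $cost = 7): string {
    // 16 random bytes -> 24 base64 chars, of which 22 are significant.
    $raw = base64_encode(random_bytes(16));
    // Standard base64 uses '+', which crypt() rejects (returning "*0");
    // '/' is already valid, so only '+' needs mapping to '.'.
    $b64 = strtr(rtrim($raw, '='), '+', '.');
    $salt22 = substr($b64, 0, 22);
    // Defensive check: fail loudly instead of letting crypt() hand back "*0".
    if (!preg_match('~^[./0-9A-Za-z]{22}$~', $salt22)) {
        throw new RuntimeException('salt contains characters crypt() rejects');
    }
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

function bcrypt_hash(string $password, int $cost = 7): string {
    $hash = crypt($password, bcrypt_salt($cost));
    // A usable bcrypt hash is 60 chars; "*0" / "*1" mean the salt was rejected.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed: ' . $hash);
    }
    return $hash;
}

function bcrypt_verify(string $password, string $stored): bool {
    // crypt() re-reads cost and salt from $stored; hash_equals() avoids
    // leaking the mismatch position through comparison timing.
    return hash_equals($stored, crypt($password, $stored));
}

$hash = bcrypt_hash('password');
echo $hash, "\n";
var_dump(bcrypt_verify('password', $hash));   // bool(true)
var_dump(bcrypt_verify('passw0rd', $hash));   // bool(false)
```

Note that crypt() may canonicalize the last salt character in the hash it returns (the question's own output shows `...CfbabQ==` becoming `...CfbabO9...`), so always verify against the stored hash, never against the salt string you generated.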